# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------------
# FILE-MULTIMEDIA RULES
#-----------------------
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt"; flow:to_client,established; flowbits:isset,file.pls; file_data; content:"[playlist]"; depth:10; nocase; isdataat:1000; content:"File"; distance:0; pcre:"/^\d+\x3Dhttps?\x3a\x2f\x2f[^\n\r]{1000}/Ri"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2005-0043; classtype:attempted-user; sid:26724; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iTunes playlist overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u|file.pls; file_data; content:"http"; offset:7; nocase; content:"://"; within:4; isdataat:550,relative; content:!"|0D|"; within:1000; content:!"|0A|"; within:1000; metadata:policy max-detect-ips drop, service smtp; reference:cve,2005-0043; classtype:attempted-user; sid:26667; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime Movie file clipping region handling heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"clip"; content:"crgn"; within:4; distance:4; byte_jump:4,-8,relative,big; content:!"|7F FF 7F FF|"; within:4; distance:-8; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35167; reference:cve,2009-0954; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:26564; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF 0C 00|"; depth:6; offset:522; pcre:"/\x00[\x70-\x77]\x00[\x00-\x09]/R"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:26472; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Cool Player Plus M3U buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"|8A 1D F3 77|"; offset:220; metadata:service smtp; reference:url,1337day.com/exploit/20242; classtype:attempted-user; sid:26318; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Cool Player Plus M3U buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"|8A 1D F3 77|"; offset:220; metadata:service ftp-data, service http, service imap, service pop3; reference:url,1337day.com/exploit/20242; classtype:attempted-user; sid:26317; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"C|3A 5C|"; depth:3; isdataat:1024,relative; content:!"|0D 0A|"; within:1024; content:!".mp3|0D 0A|"; within:1024; metadata:service smtp; reference:bugtraq,50859; reference:cve,2011-5170; classtype:attempted-admin; sid:26243; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"C|3A 5C|"; depth:3; isdataat:1024,relative; content:!"|0D 0A|"; within:1024; content:!".mp3|0D 0A|"; within:1024; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50859; reference:cve,2011-5170; classtype:attempted-admin; sid:26242; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime Obji Atom parsing stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"obji"; byte_test:4,<,20,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,28583; reference:cve,2008-1022; classtype:attempted-user; sid:26109; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xspf; file_data; content:""; nocase; content:""; within:1000; nocase; content:""; within:200; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-4558; classtype:attempted-user; sid:25797; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow MPEG heap overflow attempt"; flow:to_server,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01 B3|AAAAAA|BA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-011; classtype:attempted-user; sid:25796; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow MPEG heap overflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01 B3|AAAAAA|BA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-011; classtype:attempted-user; sid:25795; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft GDI EMF malformed file buffer overflow attempt"; flow:to_client,established; file_data; content:" EMF"; depth:4; offset:40; content:"|46 00 00 00|"; byte_extract:4,4,size,relative,little; content:"EMF+"; within:4; content:"|00 00 C0 FF|"; within:size; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3012; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-052; classtype:attempted-user; sid:25502; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Mozilla products Ogg Vorbis decoding memory corruption attempt"; flow:to_server,established; flowbits:isset,file.ogg; file_data; content:"|0A 42 64 86 A8 CA 34 3C 04 87 07 97 00 11 71 15|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,51753; reference:cve,2012-0444; classtype:attempted-user; sid:25298; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA AVI file chunk length integer overflow attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"AVI LIST"; depth:8; offset:8; content:"hdrlavih"; within:8; distance:4; content:"INFO"; distance:0; byte_extract:4,4,chunk_size,relative,little; isdataat:!chunk_size; metadata:service smtp; reference:cve,2011-3834; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:24955; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt"; flow:to_server,established; file_data; content:"{QTtext}"; depth:8; pcre:"/\x7b[^\x3a\x7d]+?\x3a[^\x7d]{1023}/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0664; classtype:attempted-user; sid:24699; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime&file.swf; file_data; content:"moov"; content:"vide"; distance:0; content:"stsd"; distance:0; content:"avc"; distance:0; content:"|FF E1|"; within:128; byte_test:2,>,256,0,relative; byte_test:2,>,256,21,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-2140; reference:url,adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:24672; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime movie buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.mp4|file.m4v; content:"moov"; nocase; content:"trak"; distance:0; nocase; content:"mdia"; distance:0; nocase; content:"minf"; distance:0; nocase; content:"stbl"; distance:0; nocase; content:"stsd"; distance:0; nocase; content:"avc1"; distance:0; nocase; content:"avcC"; distance:0; nocase; content:"|FF E1|"; within:2; distance:4; byte_test:2,>=,0x8000,0,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-4381; reference:url,support.apple.com/kb/TA24355; classtype:attempted-user; sid:24641; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MOV Atom length buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"hspa"; content:"vrsg"; distance:0; byte_test:2,>,0x7000,14,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0667; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:24550; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC webm memory corruption attempt"; flow:to_server,established; flowbits:isset,file.webm; file_data; content:"|1A 45 DF A3|"; depth:4; content:"webm"; within:4; distance:27; nocase; content:"|15 49 A9 66 01 00 00 00|"; distance:0; byte_test:4,>,1024,0,relative; metadata:service smtp; reference:bugtraq,46060; reference:cve,2011-0531; reference:url,videolan.org/security/sa1102.html; classtype:attempted-user; sid:24283; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime streaming debug error logging buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.smil; file_data; content:" $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Visual Basic 6.0 malformed AVI buffer overflow attempt"; flow:to_client,established; content:"RIFF"; depth:100; content:"AVI "; within:4; distance:4; content:"strf"; byte_test:4,>,1088,0,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:23943; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime VR Track Header Atom heap corruption attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"trak"; content:"tkhd|00 00 00 0F|"; within:8; distance:4; fast_pattern; isdataat:40,relative; pcre:"/trak.{4}tkhd.{40}(?=.{20})(?!\x00\x01\x00\x00.{12}\x00\x01\x00\x00)/s"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33384; reference:cve,2009-0002; reference:url,support.apple.com/kb/HT3403; classtype:attempted-user; sid:23623; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"#EXTINF"; depth:7; pcre:"/^\x23EXTINF.{5}[^\x0d\x0a]{512}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53933; reference:cve,2012-0677; classtype:attempted-user; sid:23588; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"#EXTM3U"; depth:7; pcre:"/^\x23EXTM3U.{5}[^\x0d\x0a]{512}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53933; reference:cve,2012-0677; classtype:attempted-user; sid:23587; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; byte_test:1,>,0xBF,0,relative; byte_test:1,<,0xF0,0,relative; byte_jump:2,1,relative,post_offset -4; content:"|FF FF FF FF|"; within:4; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0659; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:23581; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|06 AF E1 00 EC 7B D1 11 A5 82 00 C0 4F C2 9C FB|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23576; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"N|B8 98|f|FA 0A|0C|AE B2 1C 0A 98 D7 A4|M"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23575; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media pixel aspect ratio header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"T|E5 1E 1B EA F9 C8|K|82 1A|7kt|E4 C4 B8|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23574; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media content type header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:" |DC 90 D5 BC 07|lC|9C F7 F3 BB FB F1 A4 DC|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23573; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media file name header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|0E EC|e|E1 ED 19 D7|E|B4 A7|%|CB D1 E2 8E 9B|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23572; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media Timecode header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|EC 95 95|9g|86|-N|8F DB 98 81|L|E7|l|1E|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23571; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media sample duration header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"P|94 BD C6 7F 86 07|I|83 A3 C7|y!|B7|3|AD|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23570; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile truncated media file processing memory corruption attempt"; flow:to_server,established,only_stream; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST"; within:8; distance:4; content:"hdrlavih8|00 00 00|"; within:12; distance:4; isdataat:!56,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:23569; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile media file processing memory corruption attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST"; within:8; distance:4; content:"hdrlavih"; within:8; distance:4; byte_test:4,!=,56,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:23568; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows AVI Header insufficient data corruption attempt"; flow:to_server,established; flowbits:isset,file.avi; file_data; content:"RIFF"; fast_pattern; content:"AVI "; within:4; distance:4; content:"avih"; distance:0; byte_extract:4,0,chunk_size,little,relative; isdataat:!chunk_size,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35967; reference:cve,2009-1545; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-038; classtype:attempted-user; sid:23567; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows AVI DirectShow QuickTime parsing overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"vide"; distance:0; content:"stsd"; distance:0; fast_pattern; byte_test:1,>,31,58,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35139; reference:cve,2009-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:23565; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Oracle Java MixerSequencer RMF MIDI structure handling exploit attempt"; flow:established,to_client; flowbits:isset,file.rmf; file_data; content:"IREZ"; depth:4; fast_pattern; content:"MThd"; distance:0; content:"MTrk"; distance:0; content:"|00 B0|"; within:6; distance:4; content:"|00|"; within:1; distance:1; metadata:service http; reference:bugtraq,39077; reference:cve,2010-0842; reference:cve,2011-3545; classtype:attempted-user; sid:23490; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"#EXTINF"; depth:7; pcre:"/^\x23EXTINF.{5}[^\x0d\x0a]{512}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53933; reference:cve,2012-0677; classtype:attempted-user; sid:23272; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA HT-MP3Player file parsing boundary buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.ht3; content:"|E9 EF EF FF FF 6C 40 00|"; depth:8; offset:4108; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,43811; reference:cve,2009-2485; classtype:attempted-user; sid:21805; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"str"; nocase; pcre:"/^[ndfhl]/smiR"; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21775; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"JUNK"; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21774; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"LIST"; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21773; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"hdr1"; nocase; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21772; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"avih"; nocase; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21771; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"movi"; nocase; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21770; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MicroP mppl stack buffer overflow"; flow:to_client,established; flowbits:isset,file.mppl; file_data; isdataat:1276; content:"|B5 45 01 10|"; depth:1280; metadata:service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:21397; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Magix Musik Maker 16 buffer overflow attempt"; flow:to_client,established; file_data; content:"|5D C6 9F 2E C2 53 02 20 04 80 FA 1F 12 3A FF 1F FF FF FF FF|"; fast_pattern; content:"|33 C0 64 8B 40 30 83 C0 48 83 C0 48 8B 10 83 C2 4C 83 C2 4C 8B 12|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:21393; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA AVI file chunk length integer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"AVI LIST"; depth:8; offset:8; content:"hdrlavih"; within:8; distance:4; content:"INFO"; distance:0; byte_extract:4,4,chunk_size,relative,little; isdataat:!chunk_size; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3834; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:21168; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MJM Quickplayer s3m buffer overflow"; flow:to_client,established; flowbits:isset,file.s3m; file_data; content:"|42 42 42 42 42 42 42 42 41 41 41 41 41 41 41 41|"; depth:16; isdataat:1091,relative; content:"|6F 15 00 10|"; within:4; distance:1092; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:21107; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA A-PDF Wav to mp3 converter buffer overfow"; flow:to_client,established; flowbits:isset,file.wav; file_data; isdataat:4136; content:"|5C 26 47 00|"; depth:8; offset:4132; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:21093; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp player mp4 memory corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stco"; nocase; content:"|00 00 5A 44 43 42 41 41 41 41 41 41 31 C9 83 E9 B8 D9 EE D9 74 24 F4 5B 81 73 13 90 FA 88 B7 83|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,23723; reference:cve,2007-2498; classtype:attempted-user; sid:21091; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp player mp4 memory corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stco"; nocase; content:"|00 00 5A 44 43 42 41 41 41 41 41 41 31 C9 83 E9 DD D9 EE D9 74 24 F4 5B 81 73 13 D8 19 25 C7 83|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,23723; reference:cve,2007-2498; classtype:attempted-user; sid:21090; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow GraphEdt closed captioning memory corruption"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|52 49 46 46 F8 C1 4E 0E 41 56 49 20 4C 49 53 54 90 7C 01 00 68 64 72 6C 61 76 69 68 38 00 00 00 56 82 00 00 5D FA 4C 01 00 02 00 00 10 08 00 00|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0004; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:21078; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-MULTIMEDIA invalid VLC media player SMB URI download attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"|3C|location|3E|"; nocase; pcre:"/smb\x3A\x2F\x2F[^\x2F]*\x2f[^\x2e\x3c]{12,}[\x2f\x3c\s]/Ri"; reference:url,www.exploit-db.com/exploits/10333/; classtype:misc-attack; sid:20673; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player ASX file ref href buffer overflow attempt"; flow:to_server,established; file_data; content:"[ $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp MIDI file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"CTMF"; depth:4; byte_test:2,>,0x400,8,little; metadata:service ftp-data, service http, service imap, service pop3; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:20559; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Un4seen Developments XMPlay crafted ASX file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"#EXTM3U"; nocase; content:"#EXTINF|3A|0|2C|"; distance:0; nocase; content:"|0D 0A|"; distance:0; content:"|3A 5C|"; within:2; distance:1; nocase; isdataat:501,relative; pcre:"/^\S{501}/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21206; reference:cve,2006-6063; classtype:attempted-user; sid:20553; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA MultiMedia Jukebox playlist file handling heap overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u|file.pls; file_data; content:"http|3A 2F 2F|"; isdataat:262,relative; content:!"|0A|"; within:262; content:!" "; within:259; distance:3; metadata:service smtp; reference:bugtraq,46926; reference:cve,2009-2650; classtype:attempted-user; sid:20237; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC webm memory corruption attempt"; flow:to_client,established; flowbits:isset,file.webm; file_data; content:"|1A 45 DF A3|"; depth:4; content:"webm"; within:4; distance:27; nocase; content:"|15 49 A9 66 01 00 00 00|"; distance:0; byte_test:4,>,1024,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46060; reference:cve,2011-0531; reference:url,videolan.org/security/sa1102.html; classtype:attempted-user; sid:20227; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MPlayer SMI file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.smi; file_data; content:"|3C|SAMI|3E|"; content:"Start|3D|"; distance:0; nocase; isdataat:500,relative; content:!"Start|3D|"; within:500; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49149; classtype:attempted-user; sid:20224; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player libdirectx_plugin.dll AMV parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; content:"|00 00 00 02 00 00 00 00 00 10 00 A0 A0 00 00 78 00 00 00 10|"; fast_pattern:only; metadata:service http; reference:cve,2010-3275; classtype:attempted-user; sid:19883; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pls; content:"Accept-Ranges: bytes|0D 0A|"; fast_pattern:only; file_data; isdataat:1024; content:!"|0A|"; depth:1024; metadata:service http; reference:bugtraq,33589; reference:cve,2009-0476; reference:cve,2009-4656; reference:cve,2009-5109; classtype:attempted-user; sid:19621; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes PLS file parsing buffer overflow attempt"; flow:to_client,established; content:"|0D 0A 0D 0A|[playlist]"; nocase; content:"File"; distance:0; nocase; pcre:"/^File\d+\s*\x3D\s*[^\x2E\r\n]+\x2E[^\r\n]{32}/mi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36478; reference:cve,2009-2817; classtype:attempted-user; sid:19560; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN vlc player subtitle buffer overflow attempt"; flow:to_client,established; file_data; content:"[Script Info]"; nocase; content:"[Events]"; distance:0; nocase; content:"Dialogue|3A|"; within:11; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; metadata:service http; reference:bugtraq,27015; reference:cve,2007-6681; classtype:attempted-admin; sid:18744; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"|23|EXTM3U"; depth:7; nocase; isdataat:1000; pcre:"/https?\x3a\x2f\x2f[^\n\r]{1000}/Ri"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2005-0043; classtype:attempted-user; sid:18484; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player Firefox plugin memory corruption attempt"; flow:to_client,established; flowbits:isset,file.wmv; file_data; content:"setTimeout|28 27|location|2E|reload|28 29 27 2C| 1000"; content:"autostart|3D|1 src=|22|invalid|2E|wmv|22|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2745; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-083; classtype:attempted-user; sid:17773; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer AVI parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strf"; content:"|08 00|"; within:2; distance:18; byte_test:4,>,0x100,16,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13530; reference:cve,2005-2052; classtype:attempted-user; sid:17272; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0D\x0A\x3C]{251}/mi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35500; reference:cve,2009-2484; classtype:attempted-user; sid:16751; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Worldweaver DX Studio Player plug-in command injection attempt"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"FILE-MULTIMEDIA Multiple audio players playlist file handling heap overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u|file.pls; file_data; content:"http|3A 2F 2F|"; isdataat:262,relative; content:!"|0A|"; within:262; content:!" "; within:259; distance:3; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46926; reference:bugtraq,62926; reference:cve,2009-2650; reference:cve,2013-7409; reference:url,exploit-db.com/exploits/36022/; classtype:attempted-user; sid:16739; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Xenorate Media Player XPL file handling overflow attempt - 2"; flow:to_client,established; file_data; content:"AAAAAAAA|EB 06 90 90 4B 3F 01 11 90 90 90 90|"; fast_pattern:only; metadata:service http; classtype:attempted-user; sid:16738; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Xenorate Media Player XPL file handling overflow attempt - 1"; flow:to_client,established; file_data; isdataat:92; content:!"|00|"; depth:92; content:"|FD A4 00 10|"; depth:4; offset:92; metadata:service http; classtype:attempted-user; sid:16737; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA PLF playlist name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.plf; content:"Content-Type:"; nocase; http_header; content:"application/octet-stream"; within:50; nocase; http_header; file_data; isdataat:256,relative; content:!"|20|"; depth:256; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,21337; reference:cve,2006-6199; classtype:attempted-user; sid:16692; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes invalid tref box exploit attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"tref"; byte_test:4,>,19,-8,relative; pcre:"/^(\x00{4}|[\x80-\xff])/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-0531; reference:url,support.apple.com/kb/HT4105; classtype:attempted-dos; sid:16224; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes DAAP protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"daap|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)daap\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15706; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes PCAST protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"pcast|3A|//"; nocase; pcre:"/(\x22|\x27)pcast\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15705; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes ITMSS protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itmss|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itmss\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15704; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes ITMS protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itms|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itms\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15703; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime SMIL qtnext redirect file execution attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"qt|3A|next"; fast_pattern:only; pcre:"/qt\x3anext\s*\x3d\s*\x22\s*file\x3a\x2f{3}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,29650; reference:cve,2008-1585; classtype:attempted-user; sid:15487; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie record invalid version number exploit attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"mvhd|FF|"; within:5; distance:4; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-0956; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:15480; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pls; content:"Content-Length"; nocase; http_header; pcre:"/Content-Length\x3a\s*(\d{7}|[5-9]\d{5})/iH"; metadata:service http; reference:bugtraq,30341; classtype:attempted-user; sid:14020; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; content:"Content-Length"; nocase; http_header; pcre:"/Content-Length\x3a\s*(\d{7}|[5-9]\d{5})/iH"; metadata:service http; reference:bugtraq,30341; classtype:attempted-user; sid:14019; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"tmci"; byte_test:1,>=,251,24,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:13918; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX malformed mjpeg arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strf"; content:"MJPG"; distance:0; byte_test:4,>,0x80000000,12,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:13824; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX SAMI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.smi; file_data; content:"(\x22|\x27|))text\x2Fcss(?P=q)[^\x3E]*\x3E.*^\s*\S+\s*\x7b[^\x7d]{500}/smiO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-1444; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:13823; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA 3ivx MP4 file parsing cpy buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4|file.avi; file_data; content:"|A9|cpy"; fast_pattern; content:"data"; within:4; distance:4; byte_test:4,>,512,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; reference:cve,2007-6402; classtype:attempted-user; sid:13320; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA 3ivx MP4 file parsing des buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4|file.avi; file_data; content:"|A9|des"; fast_pattern; content:"data"; within:4; distance:4; byte_test:4,>,512,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; reference:cve,2007-6402; classtype:attempted-user; sid:13319; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA 3ivx MP4 file parsing cmt buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi|file.mp4; file_data; content:"|A9|cmt"; fast_pattern; content:"data"; within:4; distance:4; byte_test:4,>,512,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; reference:cve,2007-6402; classtype:attempted-user; sid:13318; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA 3ivx MP4 file parsing ART buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4|file.avi; file_data; content:"|A9|ART"; fast_pattern; content:"data"; within:4; distance:4; byte_test:4,>,512,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; reference:cve,2007-6402; classtype:attempted-user; sid:13316; rev:18;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming audio spread error correction data length integer overflow attempt"; flow:to_client,established; file_data; content:"BFC3CD50-618F-11CF-8BB2-00AA00B4E220"; byte_test:4, >, 65522, 12, relative; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13160; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming format audio error masking integer overflow attempt"; flow:to_client,established; file_data; content:"49F1A440-4ECE-11d0-A3AC-00A0C90348F6"; byte_jump:4, 8, relative; byte_test:2, >, 65527, 14, relative; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13159; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming format interchange data integer overflow attempt"; flow:to_client,established; file_data; content:"35907DE0-E415-11CF-A917-00805F5C442B"; byte_test:2, >, 65476, 52, relative; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13158; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VLC Media Player udp URI format string attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"|23|EXTM3U"; content:"udp|3A|//"; distance:0; nocase; content:"%"; distance:0; pcre:"/\x23EXTM3U.*?udp\x3A\x2F\x2F[^\r\n]*%/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21852; reference:cve,2007-0017; reference:url,projects.info-pull.com/moab/MOAB-02-01-2007.html; classtype:attempted-user; sid:9844; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt"; flow:to_client,established; file_data; content:"MThd"; depth:4; content:"|00 00 00 00 00 00|"; within:6; distance:4; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21612; reference:cve,2006-6601; reference:cve,2007-0562; classtype:denial-of-service; sid:9801; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime Movie link scripting security bypass attempt"; flow:to_client,established; file_data; content:"]*javascript/smi"; metadata:service http; reference:bugtraq,20138; reference:cve,2006-4965; classtype:attempted-user; sid:9429; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie file component name integer overflow attempt"; flow:to_client,established; content:"video/quicktime"; nocase; http_header; pcre:"/^Content-Type\x3A\s*video\x2Fquicktime/smiH"; file_data; content:"hdlr"; nocase; byte_test:1,>,250,24,relative; metadata:service http; reference:bugtraq,15308; reference:cve,2005-2754; reference:url,docs.info.apple.com/article.html?artnum=302772; classtype:attempted-user; sid:4680; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie file component name integer overflow multipacket attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"hdlr"; nocase; byte_test:1,>,250,24,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,15308; reference:cve,2005-2754; reference:url,docs.info.apple.com/article.html?artnum=302772; classtype:attempted-user; sid:4679; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer VIDORV30 header length buffer overflow"; flow:to_client,established; file_data; content:".RMF"; nocase; content:"VIDORV30"; distance:0; byte_test:4,>,1000000,-16,relative; metadata:service http; reference:bugtraq,11309; reference:cve,2004-1481; reference:url,www.eeye.com/html/research/advisories/AD20041001.html; classtype:attempted-admin; sid:3470; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt"; flow:to_client,established; file_data; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; metadata:ruleset community, service http; reference:bugtraq,11730; reference:cve,2004-1119; reference:nessus,15817; classtype:attempted-user; sid:3088; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"application/smi"; fast_pattern; nocase; http_header; file_data; content:"file|3A|javascript|3A|"; pcre:"/ $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime enof atom parsing heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"tapt"; byte_extract:4,-8,track_aperture_atom_siz,relative; content:"enof"; within:track_aperture_atom_siz; byte_test:4,<,0x14,-8,relative; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60099; reference:cve,2013-0986; reference:url,support.apple.com/kb/HT5770; classtype:attempted-user; sid:27103; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime enof atom parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"tapt"; byte_extract:4,-8,track_aperture_atom_siz,relative; content:"enof"; within:track_aperture_atom_siz; byte_test:4,<,0x14,-8,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60099; reference:cve,2013-0986; reference:url,support.apple.com/kb/HT5770; classtype:attempted-user; sid:27102; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pls; content:"Accept-Ranges: bytes|0D 0A|"; fast_pattern:only; file_data; content:"|5B|playlist|5D|"; depth:15; isdataat:1024,relative; content:!"|0A|"; within:1024; distance:2; metadata:service http; reference:bugtraq,33589; reference:cve,2009-0476; reference:cve,2009-4656; reference:cve,2009-5109; classtype:attempted-user; sid:28392; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"tmci"; byte_test:1,>=,251,24,relative; metadata:policy max-detect-ips drop, service pop3, service smtp; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:28443; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"hdlr"; byte_test:1,>=,251,24,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:28442; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"text|00 00 00 00 00 00|"; content:"|00 00 00 00 00 00|"; within:6; distance:16; byte_test:1,>=,251,13,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:28441; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"stageDom|00|http"; content:"System|00|security|00|allowDomain|00|AdSetupVersion|00|cID|00|aID|00|creativeID|00|"; within:62; distance:26; content:"|96 04 00 08 33 05 00 1D 96 02 00 08 26 1C 96 02 00 08|"; distance:0; content:"|06 00 09 21 01 09 22 01 1D 96 02 00 08 2D 1C 96 02 00 08 BC 49 12 9D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64201; reference:cve,2013-5332; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:29061; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|11 01|"; depth:2; offset:522; pcre:"/\x00[\x70-\x77]\x00[\x00-\x09]/R"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:29436; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|11 01|"; depth:2; offset:522; pcre:"/\x00[\x70-\x77]\x00[\x00-\x09]/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:29435; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_server,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|02 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service smtp; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29546; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_server,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service smtp; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29545; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_server,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|08 00|"; within:2; metadata:policy security-ips drop, service smtp; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29544; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_server,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|01 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service smtp; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29543; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|02 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29542; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29541; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|08 00|"; within:2; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29540; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|01 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29539; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Flip4Mac Windows media components WMV parsing memory corruption attempt"; flow:to_server,established; flowbits:isset,file.asf|file.wmv; file_data; content:"|26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C 0C B7 02 00 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,22286; reference:cve,2007-0466; reference:url,projects.info-pull.com/moab/MOAB-27-01-2007.html; classtype:attempted-user; sid:29521; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Flip4Mac Windows media components WMV parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.asf|file.wmv; file_data; content:"|26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C 0C B7 02 00 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,22286; reference:cve,2007-0466; reference:url,projects.info-pull.com/moab/MOAB-27-01-2007.html; classtype:attempted-user; sid:29520; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|52 58 6B 65 6B CD DC E0 DB A5 89 A8 4A BA A0 83 43 44 92 C6 A8 12 83 AC 6A 0C 05 E2 EE 96 01 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64201; reference:cve,2013-5332; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-08.html; classtype:attempted-user; sid:30152; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt"; flow:to_server,established; file_data; content:"stageDom|00|http"; content:"System|00|security|00|allowDomain|00|AdSetupVersion|00|cID|00|aID|00|creativeID|00|"; within:62; distance:26; content:"|96 04 00 08 33 05 00 1D 96 02 00 08 26 1C 96 02 00 08|"; distance:0; content:"|06 00 09 21 01 09 22 01 1D 96 02 00 08 2D 1C 96 02 00 08 BC 49 12 9D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64201; reference:cve,2013-5332; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:30151; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|52 58 6B 65 6B CD DC E0 DB A5 89 A8 4A BA A0 83 43 44 92 C6 A8 12 83 AC 6A 0C 05 E2 EE 96 01 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64201; reference:cve,2013-5332; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-08.html; classtype:attempted-user; sid:30150; rev:2;)
# alert tcp $EXTERNAL_NET [554,8554] -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt"; flow:to_client,established; content:"|20|"; depth:1; content:"RTSP/"; offset:1; nocase; pcre:"/^\x20.*?RTSP\x2F\s?\d\x2E\s?\d[^\n\r]/i"; metadata:service rtsp; reference:bugtraq,65131; reference:bugtraq,65139; reference:cve,2013-6933; reference:cve,2013-6934; reference:url,isecpartners.github.io/fuzzing/vulnerabilities/2013/12/30/vlc-vulnerability.html; classtype:attempted-user; sid:30215; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-MULTIMEDIA CoCSoft Stream Download session"; flow:to_server,established; content:"User-Agent|3A| CoCSoft Stream Download|0D 0A|"; fast_pattern:only; http_header; flowbits:set,cocsoft.stream; flowbits:noalert; metadata:service http; reference:bugtraq,51190; reference:cve,2011-5052; classtype:attempted-user; sid:30532; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA CoCSoft Stream Down SEH based buffer overflow attempt"; flow:to_client,established; flowbits:isset,cocsoft.stream; file_data; content:"|EB 06|"; content:"|48 94 01 10|"; within:4; distance:2; metadata:service http; reference:bugtraq,51190; reference:cve,2011-5052; classtype:attempted-user; sid:30531; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA CoCSoft Stream Down SEH based buffer overflow attempt"; flow:to_client,established; flowbits:isset,cocsoft.stream; file_data; content:"|EB 06|"; content:"|13 B2 05 10|"; within:4; distance:2; metadata:service http; reference:bugtraq,51190; reference:cve,2011-5052; classtype:attempted-user; sid:30530; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime long rnet atom size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"|14 72 6E 65 74 00 00 00 00 00 00 00 05 00 00 00 01 00 00 00 1A 72 6D 76|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:bugtraq,56438; reference:cve,2012-3756; classtype:attempted-user; sid:30565; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime long rnet atom size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|14 72 6E 65 74 00 00 00 00 00 00 00 05 00 00 00 01 00 00 00 1A 72 6D 76|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56438; reference:cve,2012-3756; classtype:attempted-user; sid:30564; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_server,established; flowbits:isset,file.abc; file_data; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; fast_pattern; pcre:"/^P:[A-G]\d{3}/m"; metadata:service smtp; reference:cve,2013-4233; classtype:attempted-user; sid:30764; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_server,established; flowbits:isset,file.abc; file_data; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; fast_pattern; content:"P:"; content:"("; within:10; content:"("; within:10; content:"("; within:10; metadata:service smtp; reference:cve,2013-4233; classtype:attempted-user; sid:30763; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_client,established; flowbits:isset,file.abc; file_data; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; fast_pattern; pcre:"/^P:[A-G]\d{3}/m"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-4233; classtype:attempted-user; sid:30762; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_client,established; flowbits:isset,file.abc; file_data; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; fast_pattern; content:"("; within:10; content:"("; within:10; content:"("; within:10; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-4233; classtype:attempted-user; sid:30761; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|A2 07|defaultValue|00|A|A0 00 00 00 0B|8|80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:30877; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A2 07|defaultValue|00|A|A0 00 00 00 0B|8|80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:30876; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt"; flow:to_server,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; depth:3; byte_test:2,!&,0xFFF0,1,relative,big; metadata:service smtp; reference:bugtraq,50741; reference:cve,2011-4259; classtype:attempted-user; sid:31376; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; file_data; content:"|FE 34 2D 67 73 13 05 AF 28 1D 46 15 B5 40 27 7D 02 21 5E 4B C3 0A 63 4E 28 50 99 0C 4E 82 E9 2D 19 23 7B A8 38 E6 86|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31524; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; file_data; content:"|24 D0 30 D0 60 09 68 03 D0 49 00 5D 0D 4A 0D 00 82 D5 10 08 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31523; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; file_data; content:"|A6 4F 32 6F 7B 76 B3 86 D1 55 33 05 B5 46 B6 78 9C C9 64 62 A8 23 99 8C 82 D9 A8 71 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31522; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; file_data; content:"|FE 34 2D 67 73 13 05 AF 28 1D 46 15 B5 40 27 7D 02 21 5E 4B C3 0A 63 4E 28 50 99 0C 4E 82 E9 2D 19 23 7B A8 38 E6 86|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31521; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; file_data; content:"|24 D0 30 D0 60 09 68 03 D0 49 00 5D 0D 4A 0D 00 82 D5 10 08 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31520; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; file_data; content:"|A6 4F 32 6F 7B 76 B3 86 D1 55 33 05 B5 46 B6 78 9C C9 64 62 A8 23 99 8C 82 D9 A8 71 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31519; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt"; flow:to_server,established; content:".mov"; file_data; content:"{"; isdataat:1033,relative; content:!"}"; within:1033; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0664; classtype:attempted-user; sid:32739; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt"; flow:to_server,established; content:".mov"; file_data; content:"{"; isdataat:1033,relative; content:!"}"; within:1033; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0664; classtype:attempted-user; sid:32738; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt"; flow:to_server,established; file_data; content:"stsd"; fast_pattern; content:"Motion JPEG"; within:11; distance:59; byte_extract:2,-30,width,relative; byte_extract:2,-28,height,relative; content:"tkhd"; content:"Video Media"; within:11; distance:199; content:"|00 00|"; within:2; distance:-147; byte_test:2,!=,width,-4,relative; content:"|00 00|"; within:2; distance:2; byte_test:2,!=,height,0,relative; metadata:service smtp; reference:cve,2013-1020; classtype:attempted-user; sid:32899; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt"; flow:to_client,established; file_data; content:"stsd"; fast_pattern; content:"Motion JPEG"; within:11; distance:59; byte_extract:2,-30,width,relative; byte_extract:2,-28,height,relative; content:"tkhd"; content:"Video Media"; within:11; distance:267; content:"|00 00|"; within:2; distance:-200; byte_test:2,!=,width,-4,relative; content:"|00 00|"; within:2; distance:2; byte_test:2,!=,height,-4,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1020; classtype:attempted-user; sid:32898; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Multiple media players M3U playlist file handling buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"|23|EXTM3U"; nocase; pcre:"/^[^\x0a]{501}/R"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,16410; reference:bugtraq,16623; reference:bugtraq,21206; reference:cve,2006-0476; reference:cve,2006-0708; reference:cve,2006-6063; classtype:attempted-user; sid:33043; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"#EXTM3U"; depth:7; content:!"#EXT-X-"; within:10; pcre:"/^\x23EXTM3U.{5}[^\x0d\x0a]{512}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53933; reference:cve,2012-0677; classtype:attempted-user; sid:33041; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC 2.1.5 Media Player libavcodex memory corruption attempt"; flow:to_server, established; file_data; flowbits:isset,file.mpeg; content:"|57 27 0B 2C 00 00 01 B3 0C 17 F0 15 04 E2 23 80 00 00 01 B5 14 8A 00 01 00 00 00 00 01 B5|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-9598; classtype:attempted-user; sid:33206; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC 2.1.5 Media Player libavcodex memory corruption attempt"; flow:to_client, established; file_data; flowbits:isset,file.mpeg; content:"|57 27 0B 2C 00 00 01 B3 0C 17 F0 15 04 E2 23 80 00 00 01 B5 14 8A 00 01 00 00 00 00 01 B5|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-9598; classtype:attempted-user; sid:33205; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 malformed avc atom memory corruption attempt"; flow:established,to_server; flowbits:isset,file.mp4; file_data; content:"|61 76 63 43 01 42 C0 0D FF E1 00 1B 67 42 C0 0D 9A 74 0A 0F DF F8 07 80 0C 98 80 00 00 03 00 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0321; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33474; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 malformed avc atom memory corruption attempt"; flow:established,to_client; flowbits:isset,file.mp4; file_data; content:"|61 76 63 43 01 42 C0 0D FF E1 00 1B 67 42 C0 0D 9A 74 0A 0F DF F8 07 80 0C 98 80 00 00 03 00 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0321; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33473; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime Image Description Atom sign extension memory corruption attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"stsd"; content:"rpza"; distance:12; fast_pattern; content:"|00 00 00 00 00 00|"; within:6; byte_test:2,>,0x1FFC,18,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35166; reference:cve,2009-0955; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:33586; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"Vjpeg"; fast_pattern; content:"appl"; within:16; distance:12; byte_test:2,<,0xFA,8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:33578; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"Vjpeg"; fast_pattern; content:"appl"; within:16; distance:12; byte_test:2,<,0x37,10,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:33577; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"Vjpeg"; fast_pattern; content:"appl"; within:16; distance:12; byte_test:2,<,0xFA,8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:33576; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"Vjpeg"; fast_pattern; content:"appl"; within:16; distance:12; byte_test:2,<,0x37,10,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:33575; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player AVC parser integer overflow attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"|22 D1 AA 79 FD 5A 5B 6C 77 45 8F 7E 66 43 C1 B5 EE BA 3F 71 A2 D2 6D F0 6F 8E 6D 5F DF 7D AB 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0352; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34269; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player AVC parser integer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"|22 D1 AA 79 FD 5A 5B 6C 77 45 8F 7E 66 43 C1 B5 EE BA 3F 71 A2 D2 6D F0 6F 8E 6D 5F DF 7D AB 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0352; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34268; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF integer overflow attempt"; flow:to_server,established; flowbits:isset,file.xspf; file_data; content:""; within:1000; nocase; byte_test:10,>,100000,0,relative,string; metadata:service smtp; reference:bugtraq,48171; reference:cve,2011-2194; reference:url,videolan.org/security/sa1104.html; classtype:attempted-dos; sid:34344; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:""; within:1000; nocase; byte_test:10,>,100000,0,relative,string; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48171; reference:cve,2011-2194; reference:url,videolan.org/security/sa1104.html; classtype:attempted-dos; sid:34343; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pictmov; file_data; content:"|88 22 88 22 00 5C 00 08 00 08 00 71 00 09 00 02 00 02 00 6E 00 AA 00 6E 00 02 00 02 00 54 00 6E 00 AA 00 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:31309; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pictmov; file_data; content:"|88 22 88 22 00 5C 00 08 00 08 00 71 00 09 00 02 00 02 00 6E 00 AA 00 6E 00 02 00 02 00 54 00 6E 00 AA 00 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:31308; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia URL length buffer overflow attempt"; flow:to_server,established; file_data; content:"[InternetShortcut]"; fast_pattern:only; content:"URL="; nocase; isdataat:500,relative; content:!"|0D|"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56956; reference:cve,2012-5691; classtype:attempted-user; sid:28962; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia URL length buffer overflow attempt"; flow:to_client,established; file_data; content:"[InternetShortcut]"; fast_pattern:only; content:"URL="; nocase; isdataat:500,relative; content:!"|0D|"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56956; reference:cve,2012-5691; classtype:attempted-user; sid:28961; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Mozilla products Ogg Vorbis decoding memory corruption attempt"; flow:to_client,established; file_data; content:"OggS|00|"; depth:5; content:"|0A 42 64 86 A8 CA 34 3C 04 87 07 97 00 11 71 15|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,51753; reference:cve,2012-0444; classtype:attempted-user; sid:25297; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt"; flow:to_client,established; file_data; content:"{QTtext}"; depth:8; pcre:"/\x7b[^\x3a\x7d]+?\x3a[^\x7d]{1023}/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0664; classtype:attempted-user; sid:24700; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4|file.m4v; file_data; content:"moov"; nocase; content:"trak"; distance:0; nocase; content:"mdia"; distance:0; nocase; content:"minf"; distance:0; nocase; content:"stbl"; distance:0; nocase; content:"stsd"; distance:0; nocase; content:"avc1"; distance:0; nocase; content:"avcC"; distance:0; nocase; content:"|FF E1|"; within:2; distance:4; byte_test:2,>=,0x8000,0,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-4381; reference:url,support.apple.com/kb/TA24355; classtype:attempted-user; sid:24640; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MOV Atom length buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"hspa"; content:"vrsg"; distance:0; byte_test:2,>,0x7000,14,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0667; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:24549; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"#EXTM3U"; depth:7; content:!"#EXT-X-"; within:10; pcre:"/^\x23EXTM3U.{5}[^\x0d\x0a]{512}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53933; reference:cve,2012-0677; classtype:attempted-user; sid:23271; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; byte_test:1,>,0xBF,0,relative; byte_test:1,<,0xF0,0,relative; byte_jump:2,1,relative,post_offset -4; content:"|FF FF FF FF|"; within:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0659; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:23170; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"vide"; distance:0; content:"stsd"; distance:0; content:"avc"; distance:0; content:"|FF E1|"; within:128; byte_test:2,>,256,0,relative; byte_test:2,>,256,21,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2140; reference:url,adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:23098; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom cprt field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"cprt|00|"; nocase; content:"|00 00 00 0D|"; within:4; distance:-9; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21342; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom 'dscp' field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"dscp|00|"; nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21341; rev:12;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom titl field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"titl|00|"; nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0754; reference:cve,2015-0360; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21340; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom auth field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"auth|00|"; nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21339; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; depth:3; byte_test:2,!&,0xFFF0,1,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,50741; reference:cve,2011-4259; classtype:attempted-user; sid:21112; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player digital video recording buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.dvr-ms; file_data; content:"Vali"; byte_test:4,>,5000000,28,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3401; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-092; classtype:attempted-user; sid:20734; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer QCP parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.qcp; file_data; content:"RIFF"; depth:4; content:"QLCMfmt|20|"; within:8; distance:4; byte_test:4,>,220,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2950; classtype:attempted-user; sid:20288; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC ModPlug ReadS3M overflow attempt"; flow:to_client,established; flowbits:isset,file.s3m; file_data; content:"SCRM"; depth:4; offset:44; byte_test:2,>,65,-12,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1574; classtype:attempted-user; sid:20284; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC ModPlug ReadS3M overflow attempt"; flow:to_client,established; flowbits:isset,file.s3m; file_data; content:"SCRM"; depth:4; offset:44; byte_test:2,>,65,-14,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1574; classtype:attempted-user; sid:20283; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|e|00|r|00|.|00|d|00|a|00|t|00 00 00|"; fast_pattern; nocase; byte_extract:4,94,low,relative,little; content:"W|00|m|00|t|00|o|00|o|00|l|00|s|00|V|00|a|00|l|00|i|00|d|00 00 00|"; distance:0; nocase; byte_test:4,>,low,94,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-016; classtype:attempted-user; sid:19956; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|06 AF E1 00 EC 7B D1 11 A5 82 00 C0 4F C2 9C FB|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19450; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"N|B8 98|f|FA 0A|0C|AE B2 1C 0A 98 D7 A4|M"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19449; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media pixel aspect ratio header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"T|E5 1E 1B EA F9 C8|K|82 1A|7kt|E4 C4 B8|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19448; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media content type header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:" |DC 90 D5 BC 07|lC|9C F7 F3 BB FB F1 A4 DC|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19447; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media file name header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|0E EC|e|E1 ED 19 D7|E|B4 A7|%|CB D1 E2 8E 9B|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19446; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Timecode header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|EC 95 95|9g|86|-N|8F DB 98 81|L|E7|l|1E|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19445; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media sample duration header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"P|94 BD C6 7F 86 07|I|83 A3 C7|y!|B7|3|AD|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19444; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp MIDI Timestamp buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"|4D 55 53 1A C0 EB|"; depth:6; content:"|81 80 80 80 48|"; within:5; distance:308; fast_pattern; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45221; classtype:attempted-user; sid:19432; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp MIDI Timestamp buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"|4D 55 53 1A C0 EB|"; depth:6; content:"|81 80 80 80 48|"; within:5; distance:180; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45221; classtype:attempted-user; sid:19431; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player Subtitle StripTags Heap Buffer Overflow"; flow:to_client,established; flowbits:isset,file.mkv; file_data; content:"|80 00 00 00 A0 B9 A1 B3 83 05 0C 00 3C 66 6F 6F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46008; reference:cve,2011-0522; classtype:attempted-user; sid:19421; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player Subtitle StripTags Heap Buffer Overflow"; flow:to_client,established; flowbits:isset,file.mkv; file_data; content:"|40 A0 83 03 8F 00 3C 70 6F 63|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46008; reference:cve,2011-0522; classtype:attempted-user; sid:19420; rev:12;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows AVI cinepak codec decompression remote code execution attempt"; flow:to_server,established; file_data; content:"strh"; content:"vidscvid"; within:8; distance:4; content:"movi00dc"; byte_test:2,>,3,12,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42256; reference:cve,2010-2553; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-055; classtype:attempted-user; sid:19403; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows AVI Header insufficient data corruption attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"RIFF"; fast_pattern; content:"AVI "; within:4; distance:4; content:"avih"; distance:0; byte_extract:4,0,chunk_size,little,relative; isdataat:!chunk_size,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35967; reference:cve,2009-1545; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-038; classtype:attempted-user; sid:19320; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strlstrh"; fast_pattern; nocase; byte_jump:4,0,relative,little; content:!"strf"; within:4; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46047; reference:cve,2010-4393; classtype:attempted-user; sid:19169; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player SWF file MP4 data parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stsc"; byte_test:4,>,0xFFFF,12,relative,big; byte_jump:4,-8,relative,big; content:"stsz"; within:4; byte_test:4,>,10,8,relative,big; pcre:"/^.{12}([^\x00].{3}){10}/sR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40801; reference:cve,2010-2162; reference:url,www.adobe.com/support/security/bulletins/apsb10-14.html; classtype:attempted-user; sid:19148; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX quartz.dll MJPEG content processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|32 32 32 32 32 32 FF C0 00 0B 08 00 F0 01 40 01 9C 11 01 FF DD 00 04 00 00 FF C4 00 9F 01 72 12 00 00 00 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40432; reference:cve,2010-1879; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:19146; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player JPG header record mismatch memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"LIST"; content:"strl"; within:4; distance:4; content:"strf"; distance:0; content:"MJPG"; within:4; distance:20; content:"LIST"; distance:0; content:"movi"; within:4; distance:4; content:"|FF C0|"; distance:0; byte_extract:1,7,cnt,relative; content:"|FF DA|"; within:490; byte_test:1,!=,cnt,2,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40464; reference:cve,2010-1880; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:19143; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer IVR handling heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer; file_data; content:"|01 00 00 00 00 00 00 5C 00 00 00 78 E0 00 00 05 40 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46946; reference:cve,2011-1525; classtype:attempted-user; sid:19127; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer IVR handling heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer; file_data; content:"|08 00 00 00 00 00 00 00 00 02 00 00 04 4E 00 01 03 00 00 00 00 00 03 CA 00 00 03 E6 E0 00 00 05 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46946; reference:cve,2011-1525; classtype:attempted-user; sid:19126; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker string size overflow attempt"; flow:to_client,established; flowbits:isset,file.mswmm; file_data; content:"|00 12 00 00|AAAAAAAAAAAA"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2564; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-050; classtype:attempted-user; sid:19063; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime streaming debug error logging buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:" $HOME_NET 554 (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player network sharing service RTSP code execution attempt"; flow:to_server,established; content:"SETUP"; depth:5; content:"rtsp|3A 2F 2F|"; within:7; distance:1; content:"|0D 0A 0D 0A|"; distance:0; isdataat:8,relative; content:!"OPTIONS"; within:7; content:!"DESCRIBE"; within:8; content:!"SETUP"; within:5; metadata:policy max-detect-ips drop; reference:bugtraq,43776; reference:cve,2010-3225; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-075; classtype:attempted-user; sid:17753; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt"; flow:to_client,established; content:"Transfer-Encoding"; nocase; http_header; content:"chunked"; fast_pattern; nocase; http_header; content:"Content-Type|3A|"; nocase; http_header; pcre:"/Content-Type\x3a[^\x10\x13]*real(audio|video)/smiH"; content:"HTTP"; within:4; nocase; rawbytes; content:"|0D 0A 0D 0A|"; distance:0; isdataat:1024,relative; pcre:"/([^\x0A]{1024,}|.*?\x0A[^\x0A]{1024,})/smiR"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17202; reference:cve,2005-2922; classtype:attempted-user; sid:17666; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stts"; content:"|00 00 00 00 00 00 00 01 EE 00 00 26 00 00 04 00 00|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17612; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stss"; content:"|00 00 00 00 00 00 00 03 00 00 00 01 00 FF FF FF|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17611; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"ctts"; content:"|00 00 00 00 00 00 00 8F 00 00 00 01 00 00 00 14 00 FF FF FF|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17610; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA ffdshow codec URL parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; fast_pattern:only; content:"\x22|\x27|)URL(?P=q1)[^>]+?value\s*=\s*(\x22|\x27)[^\x22\x27]{500}/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32438; reference:cve,2008-5381; classtype:attempted-user; sid:17573; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer IVR Overly Long Filename Code Execution attempt"; flow:to_client,established; file_data; content:"|1F 5C 80 00 00 08 72 61 6D 34 2E 72 65 63 00 00 00 00 00 00 01 79|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33652; reference:cve,2009-0375; classtype:attempted-user; sid:17561; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime SMIL File Handling Integer Overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:""; pcre:"/meta\s*name\x3d\s*(?P(\x22|\x27|))(author|copyright|title|information)\s*(?P=q1)/smiR"; content:"content|3D 22|"; distance:1; nocase; isdataat:1024,relative; content:!"|22|"; within:1024; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24873; reference:cve,2007-2394; classtype:attempted-user; sid:17548; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|55 12 FE 3F 35 F2 C0 00 00 00 0B 01 03 0A B1 54 0D 02 4A E3 17 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23650; reference:cve,2007-2295; classtype:attempted-user; sid:17531; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player MP4_BoxDumpStructure Buffer Overflow"; flow:to_client,established; file_data; content:"|6F 76 00 00 19 FE 6D 6F 6F 76 00 00 19 F6 6D 6F|"; content:"|6F 76 00 00 19 CE 6D 6F 6F 76 00 00 19 C6 6D 6F|"; offset:32; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35232; reference:cve,2009-1122; classtype:attempted-user; sid:17527; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime H.264 Movie File Buffer Overflow"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|81 F6 3B 80 00 00 40 80 FF FF FF 87 25 B8 20 00|"; content:"|F9 31 40 00 52 EA FB EF BE FB EF BE FB EF BE FB|"; within:16; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36328; reference:cve,2009-2799; classtype:attempted-user; sid:17523; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime|file.jpeg; file_data; content:"|00 00 00 56 6A 70 65 67 00 00 00 00 00 00 00 01 00 00 00 00 61 70 70 6C 00 00 00 00 00 00 02 00 00 02 00 03 00 48 00 00 00 48 00 00 00 00 00 00 00 01 0C 50 68 6F 74 6F 20 2D 20 4A 50 45 47 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:17470; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Mplayer Real Demuxer stream_read heap overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer; file_data; content:".RMF"; depth:4; content:"|14 76 69 64 65 6F 2F 78 2D 70 6E 2D 72 65 61 6C 76 69 64 65 6F 00 00 00 1A 59 49 59 55 56 49 44 4F 52 56 32 30 00 01 00 01 00 1E 59 49 59 55 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31473; reference:cve,2008-3827; classtype:attempted-user; sid:17469; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft DirectShow AVI decoder buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"strn"; distance:0; nocase; byte_test:4,>,128,0,relative, little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15063; reference:cve,2005-2128; classtype:attempted-user; sid:17443; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime PDAT Atom parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|00 00 00 01 0F 00 00 00 FE B4 00 00 FE 01 1A C4 42 01 1A C4 41 1A EC EC 42 81 1A C4 43 81 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3625; reference:url,support.apple.com/kb/HT3027; classtype:attempted-user; sid:17381; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime panorama atoms buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"pano"; content:"pdat"; within:250; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; byte_test:4,>,104,-20,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26342; reference:cve,2007-4675; classtype:attempted-user; sid:17373; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime udta atom parsing heap overflow vulnerability"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"udta"; content:"|A9|nam|FF|"; distance:0; byte_test:2,>,251,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22844; reference:cve,2007-0714; classtype:attempted-user; sid:17372; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime marshaled punk remote code execution"; flow:to_client,established; file_data; content:"_Marshaled_pUnk"; nocase; pcre:"/name\s*=\s*(?P\x22|\x27|)_Marshaled_pUnk(?P=q1)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1818; classtype:attempted-user; sid:17211; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC renamed zip file handling code execution attempt - 3"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|50 4B 03 04|"; depth:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40428; classtype:attempted-user; sid:17150; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC renamed zip file handling code execution attempt - 2"; flow:to_client,established; flowbits:isset,file.mp3; file_data; content:"|50 4B 03 04|"; depth:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40428; classtype:attempted-user; sid:17149; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC renamed zip file handling code execution attempt - 1"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"|50 4B 03 04|"; depth:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40428; classtype:attempted-user; sid:17148; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker string size overflow attempt"; flow:to_client,established; flowbits:isset,file.mswmm; file_data; content:"|00 10 00 00|AAAAAAAAAAAA"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2564; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-050; classtype:attempted-user; sid:17135; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows AVI cinepak codec decompression remote code execution attempt"; flow:to_client,established; file_data; content:"strh"; content:"vidscvid"; within:8; distance:4; content:"movi00dc"; byte_test:2,>,3,12,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42256; reference:cve,2010-2553; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-055; classtype:attempted-user; sid:17128; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows MPEG Layer-3 audio heap corruption attempt"; flow:to_client,established; file_data; content:"|A9 00 04 48 58 DC E1 83 4B 68 32 01 9B BC 04 A3 27 0E A5 3D 71 66 0D 2D A8 D3 84 AF 3C 14 88 94|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1882; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-052; classtype:attempted-user; sid:17117; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0A\x0D\x3C]{251}/mi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35500; reference:cve,2009-2484; classtype:attempted-user; sid:16752; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player TY processing buffer overflow attempt"; flow:to_client,established; file_data; content:"|F5 46 7A BD 00 00 00 02 00 02 00 00|"; depth:12; byte_test:4,>,32,8,relative,big; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31813; reference:cve,2008-4654; classtype:attempted-user; sid:16720; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp CAF file processing integer overflow attempt"; flow:to_client,established; file_data; content:"caff|00 01 00 00|desc"; depth:12; byte_test:4,>,268435455,32,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33963; reference:cve,2009-0186; classtype:attempted-user; sid:16683; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX quartz.dll MJPEG content processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|8E 8C 8B 8E 8C 8B 8E 8C 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C FF C4 00 9F 01 72 12 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1879; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:16661; rev:20;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player codec code execution attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strh"; content:"auds"; within:4; distance:4; fast_pattern; byte_jump:4,-8,relative,little; isdataat:16,relative; content:"strf"; within:4; content:"U|00|"; within:2; distance:4; byte_test:4,!=,48000,2,relative,little; byte_test:4,!=,44100,2,relative,little; byte_test:4,!=,32000,2,relative,little; byte_test:4,!=,24000,2,relative,little; byte_test:4,!=,22050,2,relative,little; byte_test:4,!=,16000,2,relative,little; byte_test:4,!=,12000,2,relative,little; byte_test:4,!=,11025,2,relative,little; byte_test:4,!=,8000,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0480; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-026; classtype:attempted-user; sid:16543; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime Image Description Atom sign extension memory corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stsd"; content:"rpza"; distance:12; fast_pattern; content:"|00 00 00 00 00 00|"; within:6; byte_test:2,>,0x1FFC,18,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35166; reference:cve,2009-0955; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:16360; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FFmpeg OGV file format memory corruption attempt"; flow:to_client,established; file_data; content:"OggS"; depth:4; content:"|82|theora"; distance:0; byte_test:1,!&,0xE0,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36465; reference:cve,2009-4631; reference:cve,2009-4632; reference:cve,2009-4633; reference:cve,2009-4634; reference:cve,2009-4635; reference:cve,2009-4636; reference:cve,2009-4637; reference:cve,2009-4638; reference:cve,2009-4639; reference:cve,2009-4640; reference:url,secunia.com/advisories/36805; classtype:attempted-user; sid:16353; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile truncated media file processing memory corruption attempt"; flow:to_client,established,only_stream; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST"; within:8; distance:4; content:"hdrlavih8|00 00 00|"; within:12; distance:4; isdataat:!56,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:16342; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime and iTunes heap memory corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"dinf|00 00 00 1C|dref|00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15732; reference:cve,2005-4092; classtype:attempted-user; sid:16148; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes AAC file handling integer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"mp4a"; content:"stsc"; distance:0; byte_jump:4,-8,relative,big; content:"stsz"; within:4; byte_test:4,<,257,-8,relative,big; byte_test:4,>,60,8,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18730; reference:cve,2006-1467; classtype:attempted-user; sid:16055; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia file format processing heap corruption attempt"; flow:to_client,established; file_data; content:"DATA|00 00|A'|00 00 00 00 00|'|00 00 00 00 00 00 01|<|FF FF|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26214; reference:cve,2007-5081; classtype:attempted-user; sid:16046; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime FLIC animation file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.fli; file_data; content:"|FA F1 02 00 00 00 00 00 00 00 00 00 0A 03 00 00 0B 00 01 00 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:cve,2006-4384; classtype:attempted-user; sid:16041; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp midi file header overflow attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"MThd|00 00 00 06 00 00 00 01 00|`MTrk"; byte_test:4,>,2147483648,8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18507; reference:cve,2006-3228; classtype:attempted-user; sid:16027; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime color table id memory corruption attempt"; flow:to_client,established; file_data; content:"|00 00 00 00 18 00 00 00 00 00 0C 67 61 6D 61 00 01 CC CC 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22839; reference:cve,2007-0718; reference:url,docs.info.apple.com/article.html?artnum=305149; classtype:attempted-user; sid:16006; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX malformed mjpeg arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|50 2E 00 00 10 27 00 00 00 00 00 00 00 00 00 00 40 01 F0 00|strf|28 00 00 00 28 00 00 00 40 00 00 00 F0 00 00 00 01 00 18 00|MJPG|00 84|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:15995; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer Multiple Products RA file processing overflow attempt"; flow:to_client,established; file_data; content:".ra|FD 00 04 00 00|.ra4|00 00 00 89 00 04 0F FF FF FF|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26214; reference:cve,2007-2264; classtype:attempted-user; sid:15940; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime VR Track Header Atom heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"trak"; content:"tkhd|00 00 00 0F|"; within:8; distance:4; fast_pattern; isdataat:40,relative; pcre:"/trak.{4}tkhd.{40}(?=.{20})(?!\x00\x01\x00\x00.{12}\x00\x01\x00\x00)/s"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33384; reference:cve,2009-0002; reference:url,support.apple.com/kb/HT3403; classtype:attempted-user; sid:15909; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp AIFF parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.aiff; file_data; content:"FORM"; depth:4; nocase; content:"AIF"; within:3; distance:4; fast_pattern; nocase; content:"COMM"; within:4; distance:1; byte_test:4,>,0xD9EF,0,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33226; reference:cve,2009-0263; classtype:attempted-user; sid:15901; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FFmpeg 4xm processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.4xm; file_data; content:"strk|28 00 00 00|"; byte_test:4,>,0x7ffffffe,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33502; reference:cve,2009-0385; classtype:attempted-user; sid:15871; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile media file processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST"; within:8; distance:4; content:"hdrlavih"; within:8; distance:4; byte_test:4,!=,56,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:15854; rev:18;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes ITPC protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itpc|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itpc\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15707; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow QuickTime file stsc atom parsing heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stbl"; content:"stsd"; within:4; distance:4; content:"ima4"; distance:8; content:"stsc"; distance:0; byte_jump:4,4,relative,multiplier 12,big; isdataat:7,relative; content:!"stsz"; within:4; distance:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-1538; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:15682; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie file clipping region handling heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"clip"; content:"crgn"; within:4; distance:4; byte_jump:4,-8,relative,big; content:!"|7F FF 7F FF|"; within:4; distance:-8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35167; reference:cve,2009-0954; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:15559; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows AVI DirectShow QuickTime parsing overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"vide"; distance:0; content:"stsd"; distance:0; fast_pattern; byte_test:1,>,31,58,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35139; reference:cve,2009-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:15517; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Multiple media players M3U playlist file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|23|EXTM3U|0D 0A|"; depth:9; nocase; content:"|23|EXTINF:"; within:50; nocase; isdataat:400,relative; pcre:"/\x23EXTINF\:\d*\,\w*\x0D\x0A[^\x0A]{401}/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16410; reference:bugtraq,16623; reference:bugtraq,21206; reference:cve,2006-0476; reference:cve,2006-0708; reference:cve,2006-6063; classtype:attempted-user; sid:15473; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Multiple MP3 player PLS buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pls; file_data; content:"[playlist]"; fast_pattern; nocase; content:"File"; distance:0; nocase; content:"="; within:5; distance:1; isdataat:500,relative; content:!"|0A|"; within:500; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16410; reference:bugtraq,33589; reference:cve,2006-0476; reference:cve,2009-0476; classtype:attempted-user; sid:15472; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF 0C 00|"; depth:6; offset:522; pcre:"/\x00[\x70-\x77]\x00[\x00-\x09]/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:15384; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC real.c ReadRealIndex real demuxer integer overflow attempt"; flow:to_client,established; flowbits:isset,file.realmedia; file_data; content:"INDX"; content:"|00 00|"; within:2; distance:4; byte_test:4,>,0x15555554,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32545; reference:cve,2008-5276; classtype:attempted-user; sid:15241; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime for Java toQTPointer function memory corruption attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"toQTPointer"; content:"quicktime/util/QTPointerRef"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23608; reference:cve,2007-2175; classtype:attempted-user; sid:15238; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player RealText buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"]