# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. # # This file contains (i) proprietary rules that were created, tested and certified by # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by # Sourcefire and other third parties (the "GPL Rules") that are distributed under the # GNU General Public License (GPL), v2. # # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a # list of third party owners and their respective copyrights. # # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer # to the VRT Certified Rules License Agreement (v2.0). # #---------------------- # BROWSER-WEBKIT RULES #---------------------- # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Google Chrome and Apple Safari CSS float use-after-free attempt"; flow:to_server,established; file_data; content:"document.body.offsetTop"; nocase; content:"absolute"; within:125; nocase; content:"absolute"; within:125; nocase; content:"document.body.offsetTop"; within:200; nocase; pcre:"/var\s+(?P<element1>\w+)\s*?=\s*?document\.getElementById.*?var\s+(?P<element2>\w+)\s*?=\s*?(?P=element1).style.*?(?P=element2)\.height\s*?=\s*?[\x22\x27]\d/si"; metadata:service smtp; reference:bugtraq,48960; reference:cve,2011-2790; classtype:attempted-user; sid:29812; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Google Chrome and Apple Safari CSS float use-after-free attempt"; flow:to_server,established; file_data; content:"float:"; content:"document.body.offsetTop"; nocase; content:"absolute"; content:"document.body.offsetTop"; nocase; 
pcre:"/body\.offsetTop\x3b.*?\.position\s*?=\s*?[\x22\x27]absolute[\x22\x27].*?\.offsetTop\x3b.*?\.height\s*=.*?\.display\s*=/si"; metadata:service smtp; reference:bugtraq,48960; reference:cve,2011-2790; classtype:attempted-user; sid:29811; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Google Chrome and Apple Safari CSS float use-after-free attempt"; flow:to_client,established; file_data; content:"document.body.offsetTop"; nocase; content:"absolute"; within:125; nocase; content:"absolute"; within:125; nocase; content:"document.body.offsetTop"; within:200; nocase; pcre:"/var\s+(?P<element1>\w+)\s*?=\s*?document\.getElementById.*?var\s+(?P<element2>\w+)\s*?=\s*?(?P=element1).style.*?(?P=element2)\.height\s*?=\s*?[\x22\x27]\d/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48960; reference:cve,2011-2790; classtype:attempted-user; sid:29810; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Google Chrome and Apple Safari CSS float use-after-free attempt"; flow:to_client,established; file_data; content:"float:"; content:"document.body.offsetTop"; nocase; content:"absolute"; content:"document.body.offsetTop"; nocase; pcre:"/body\.offsetTop\x3b.*?\.position\s*?=\s*?[\x22\x27]absolute[\x22\x27].*?\.offsetTop\x3b.*?\.height\s*=.*?\.display\s*=/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48960; reference:cve,2011-2790; classtype:attempted-user; sid:29809; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-WEBKIT Possible Google Chrome Plugin install from non-trusted source"; flow:to_server,established; content:!"googleusercontent"; http_header; content:!"google.com"; http_header; content:"|2F|crx|2F|blobs"; http_uri; content:!"gvt1.com"; http_header; metadata:ruleset community, service http; reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; 
classtype:bad-unknown; sid:26658; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt"; flow:to_server,established; file_data; content:"http://icl.com/saxon"; fast_pattern:only; content:":output"; nocase; pcre:"/\s*[^>]file=/iR"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,48840; reference:cve,2011-1774; reference:url,attack.mitre.org/techniques/T1220; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:26592; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari SVG Markers Memory Use-After-Free attempt"; flow:to_client,established; file_data; content:"object_whiteList"; fast_pattern:only; content:"shellcode"; nocase; content:"payload"; distance:0; nocase; content:"shellcode"; within:25; nocase; content:"window.open("; within:50; nocase; content:".svg"; within:25; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46677; reference:cve,2011-1453; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:26259; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari SVG Markers Memory Use-After-Free attempt"; flow:to_client,established; flowbits:isset,file.svg; file_data; content:"marker id"; fast_pattern; nocase; content:"removeChild"; distance:0; nocase; content:"document.getElementById"; within:35; nocase; pcre:"/marker id\s*\x3d\s*["']?(?P<m1>\w+)["'\s].*?marker\x2d(start|mid|end).*?removeChild\s*\x28\s*document\x2egetElementById\x28\s*["']?(?P=m1)["'\s]/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46677; reference:cve,2011-1453; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:26258; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari Webkit css title memory corruption 
attempt"; flow:to_server,established; file_data; content:""; distance:0; content:" $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt"; flow:to_server,established; file_data; content:""; distance:0; content:" $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari innerHTML use after free exploit attempt"; flow:to_client,established; file_data; content:"setTimeout"; nocase; content:"document.body.innerHTML"; distance:0; nocase; content:"document.getElementById("; distance:0; nocase; content:".innerHTML"; distance:0; nocase; pcre:"/setTimeout.*?\x7b[^\x7d]*document\.body\.innerHTML.*?\x7d.*document\.getElementById\x28(?P<q1>\x22|\x27|)(?P<m1>\w+?)(?P=q1)\x29\.innerHTML.*?div\s+id\s*\x3d\s*(?P<q2>\x22|\x27|)(?P=m1)(?P=q2)/smi"; metadata:service http; reference:bugtraq,48844; reference:cve,2011-0221; classtype:attempted-user; sid:21189; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Webkit Display box rendering corruption attempt"; flow:to_client,established; file_data; content:"-webkit-box"; fast_pattern:only; content:"\x22|\x27|)(?P\w+?)(?P=m1).*?\x2eremoveChild\x28(?P\x22|\x27|)(?P=q1)(?P=m2).*?\x2eappendChild\x28(?P\x22|\x27|)(?P=q1)(?P=m3)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48960; reference:cve,2011-2818; classtype:attempted-user; sid:20997; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari x-man-page URI terminal escape attempt"; flow:to_client,established; file_data; content:"x-man-page://"; nocase; content:"%1b"; within:100; metadata:service http; reference:bugtraq,13502; reference:cve,2005-1342; classtype:attempted-user; sid:20736; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit SVG memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.svg; content:"|2E|svg"; nocase; content:"documentElement"; 
distance:0; nocase; pcre:"/\x3cscript.*documentElement\x2e(height|preserveAspectRatio|viewBox|width|x|y)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48844; reference:cve,2011-0222; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:19807; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit SVG memory corruption attempt"; flow:to_client,established; file_data; content:"target|2E|svg"; nocase; content:"arrey_name26|2E|push"; distance:0; nocase; content:"tweak_properties"; distance:0; nocase; metadata:service http; reference:bugtraq,48844; reference:cve,2011-0222; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:19806; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit ParentStyleSheet exploit attempt"; flow:to_client,established; file_data; content:".sheet.rules["; fast_pattern:only; pcre:"/getElementById\(\x22(.*?)\x22\)\.sheet\.rules\[\d+\].*?([A-Z\d_]+)\s*=\s*document\.getElementById\(\x22\1\x22\).*?\s+\2\.parentElement/smi"; metadata:service http; reference:url,svnsearch.org/svnsearch/repos/WEBKIT/search?logMessage=51993; classtype:attempted-user; sid:18508; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|img width=0.3133731337313373133731337"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18295; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"var Overflow = |22|31337|22 20 2B 20|0|2E|313373133731337313373133731337"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; 
reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18294; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari LI tag with large VALUE attribute exploit attempt"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari invalid FRAME tag remote code execution attempt"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari TABLE tag with large CELLSPACING attribute exploit attempt"; flow:to_client,established; file_data; content:"cellspacing"; nocase; pcre:"/^\s*\x3D\s*\d{10}/R"; metadata:service http; reference:bugtraq,17634; reference:cve,2006-1986; classtype:attempted-user; sid:17216; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment"; flow:to_server,established; content:"x-unix-mode"; fast_pattern:only; pcre:"/x-unix-mode\s*\x3D\s*(?(?=\d{4})[0-7]([1357][0-7]{2}|[0-7][1357][0-7]|[0-7]{2}[1357])|([1357][0-7]{2}|[0-7][1357][0-7]|[0-7]{2}[1357]))/smi"; metadata:service smtp; reference:bugtraq,16736; reference:cve,2006-0848; reference:url,www.heise.de/english/newsticker/news/69919; reference:url,www.kb.cert.org/vuls/id/999708; classtype:attempted-user; sid:5714; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit attribute child removal code execution attempt"; flow:to_client,established; file_data; content:"= document.getElementById|28 22|t|22 29|"; fast_pattern; content:"= elem.getAttributeNode|28 27|id|27 29|"; within:50; content:"rows.childNodes|20|setTimeout|28|function|28 29 20 7B|"; within:80; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40642; reference:cve,2010-1119; classtype:attempted-user; sid:29623; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of 
service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://<"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33631; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://^"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33630; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://|5C|"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33629; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://`"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33628; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://}"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33627; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://|7C|"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33626; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer 
dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://>"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33625; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://{"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33624; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://%"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33623; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://|22|"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33622; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt"; flow:to_server,established; file_data; content:" $HOME_NET any (msg:"BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"BROWSER-WEBKIT Apple WebKit QuickTime plugin content-type http header buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime|file.smil; content:"Content-Type: "; http_header; content:!"|3B|"; within:255; http_header; content:!"|0A|"; within:255; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2012-3753; reference:url,attack.mitre.org/techniques/T1176; classtype:attempted-user; 
sid:29394; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt"; flow:to_client,established; file_data; content:""; distance:0; content:" $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt"; flow:to_client,established; file_data; content:""; distance:0; content:" $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit form elements virtual function DoS attempt"; flow:established,to_client; file_data; content:" form="; fast_pattern; content:""; distance:0; nocase; content:" form="; distance:0; nocase; pcre:"/]*?id=[^>]+?>[^<]*?<\/form>.*?<\w+(?]*?form=/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-2813; reference:url,support.apple.com/kb/HT4981; classtype:attempted-dos; sid:25036; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT WebKit button column memory corruption attempt"; flow:to_client,established; file_data; content:"-webkit-column-span"; fast_pattern; nocase; content:"document.documentElement.offsetTop"; distance:0; pcre:"/(function\s+(?P[a-z0-9_\-]+)\(\)\s*\{.*?(?P
[a-z0-9_\-]+)\s*=\s*document\.createElement\('div'\)\x3b.*?(?P=div)\.style\['-webkit-column-span'\]\s*=\s*'all'\x3b.*?document\.getElementById\(\"(?P