# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------
# FILE-FLASH RULES
#------------------
#
# Layout: one rule per line. A line that starts with "# alert" is a rule shipped
# disabled; every other "#" line is commentary.
#
# Most rules come in pairs with the same content match: one for inbound mail
# (-> $SMTP_SERVERS 25, flow:to_server) and one for file transfer to clients
# ($FILE_DATA_PORTS -> $HOME_NET, flow:to_client).
#
# Rules with flowbits:isset,file.swf / file.cws / file.flv / file.swf.cff depend on
# rules that set those flowbits. No such setter is visible in this part of the file;
# confirm the setters are enabled, otherwise these rules cannot match.
#
# Option order inside a rule is significant (within/distance/byte_jump are relative
# to the previous match), so options must not be reordered.

# removeMovieClip use after free (CVE list in the rule, APSB16-01 / APSB16-10).
# The NUL-delimited name is the fast pattern only; the remaining contents are a
# chain of relative byte matches.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt"; flow:to_server,established; file_data; content:"|00|removeMovieClip|00|"; fast_pattern:only; content:"|4E 96 05 00 07 00 02 00 00 0B 4E|"; content:"|96 04 00 04|"; within:120; content:"|1C 96 02 00 08|"; within:5; distance:3; content:"|4E 48 12 9D 02 00|"; within:6; distance:1; content:"|1C 96 02 00 04|"; within:9; distance:12; content:"|4E 96 02 00 08|"; within:5; distance:1; content:"|52 17|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8641; reference:cve,2015-8642; reference:cve,2015-8643; reference:cve,2015-8646; reference:cve,2015-8647; reference:cve,2015-8648; reference:cve,2016-0994; reference:cve,2016-1017; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:37235; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt"; flow:to_client,established; file_data; content:"|00|removeMovieClip|00|"; fast_pattern:only; content:"|4E 96 05 00 07 00 02 00 00 0B 4E|"; content:"|96 04 00 04|"; within:120; content:"|1C 96 02 00 08|"; within:5; distance:3; content:"|4E 48 12 9D 02 00|"; within:6; distance:1; content:"|1C 96 02 00 04|"; within:9; distance:12; content:"|4E 96 02 00 08|"; within:5; distance:1; content:"|52 17|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8641; reference:cve,2015-8642; reference:cve,2015-8643; reference:cve,2015-8646; reference:cve,2015-8647; reference:cve,2015-8648; reference:cve,2016-0994; reference:cve,2016-1017; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:37234; rev:9;)

# ExportAssets count memory corruption (CVE-2016-1012).
# Each rule matches a single fixed byte string and nothing else.
# NOTE(review): presumably taken from specific sample files; treat as
# sample-specific coverage until confirmed against other variants.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt"; flow:to_server,established; file_data; content:"|0B 0E 01 37 02 00 62 75 6C 6C 65 74 00 ED 14 03 00 4C 91 B9 24 6E 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1012; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38428; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt"; flow:to_server,established; file_data; content:"|D7 B9 8A 71 08 4E D5 5B F5 B3 7A 5B DE DA FB 64 00 D4 5B 7B BF FB C7 E3 FB 48 F6 5E 7B ED B5 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1012; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38427; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt"; flow:to_client,established; file_data; content:"|0B 0E 01 37 02 00 62 75 6C 6C 65 74 00 ED 14 03 00 4C 91 B9 24 6E 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1012; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38426; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt"; flow:to_client,established; file_data; content:"|D7 B9 8A 71 08 4E D5 5B F5 B3 7A 5B DE DA FB 64 00 D4 5B 7B BF FB C7 E3 FB 48 F6 5E 7B ED B5 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1012; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38425; rev:4;)

# DLL load over SMB / HTTP (CVE-2016-1014). All eight rules are shipped disabled.
# sids 38421-38424: UTF-16LE DLL name in an SMB request with command byte A2,
#   between $HOME_NET hosts on ports 139/445.
# sids 38417-38420: DLL name in the URI of an outbound HTTP request.
# NOTE(review): the DLL-name contents are lowercase and carry no nocase, while the
#   msg fields name mixed-case files; review whether nocase is wanted before enabling.
# NOTE(review): T1038 and T1157 look like pre-sub-technique ATT&CK ids; check that
#   the reference URLs still resolve to the intended technique.
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-FLASH Adobe Flash Player request for setupapi.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"s|00|e|00|t|00|u|00|p|00|a|00|p|00|i|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-1014; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38424; rev:5;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-FLASH Adobe Flash Player request for RASMan.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"|5C 00|r|00|a|00|s|00|m|00|a|00|n|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-1014; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38423; rev:6;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-FLASH Adobe Flash Player request for HNetCfg.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"h|00|n|00|e|00|t|00|c|00|f|00|g|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-1014; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38422; rev:5;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-FLASH Adobe Flash Player request for ClbCatQ.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"c|00|l|00|b|00|c|00|a|00|t|00|q|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-1014; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38421; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt"; flow:to_server,established; content:"/setupapi.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-1014; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38420; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt"; flow:to_server,established; content:"/rasman.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-1014; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38419; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt"; flow:to_server,established; content:"/hnetcfg.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-1014; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38418; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt"; flow:to_server,established; content:"/clbcatq.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-1014; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38417; rev:5;)

# NetConnection to ColorMatrixFilter type confusion (CVE-2016-1015).
# sids 38416/38414 require the file.swf flowbit and match ActionScript names;
# sids 38415/38413 match one fixed 32-byte string and do not check any flowbit.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"__proto__"; content:"__constructor__"; fast_pattern:only; content:"ColorMatrixFilter"; content:"NetConnection"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1015; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38416; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt"; flow:to_server,established; file_data; content:"|A6 C0 A5 6D BE 98 15 81 4A 77 4A 92 E3 8F E5 ED A7 93 75 DC 72 09 92 8F B2 72 58 15 44 47 93 2C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1015; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38415; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"__proto__"; content:"__constructor__"; fast_pattern:only; content:"ColorMatrixFilter"; content:"NetConnection"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1015; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38414; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt"; flow:to_client,established; file_data; content:"|A6 C0 A5 6D BE 98 15 81 4A 77 4A 92 E3 8F E5 ED A7 93 75 DC 72 09 92 8F B2 72 58 15 44 47 93 2C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1015; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38413; rev:4;)

# duplicateMovieClip use after free (CVE-2016-1013).
# One content that combines the method name, "_parent" and surrounding bytes.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player duplicateMovieClip use after free attempt"; flow:to_server,established; file_data; content:"|96 14 00 00|duplicateMovieClip|00 52 17 96 09 00 00|_parent|00 1C 96 02 00 04 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1013; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38412; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player duplicateMovieClip use after free attempt"; flow:to_client,established; file_data; content:"|96 14 00 00|duplicateMovieClip|00 52 17 96 09 00 00|_parent|00 1C 96 02 00 04 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1013; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38411; rev:5;)

# JPEG-XR decode buffer overflow (CVE-2016-1018).
# Two fixed 32-byte strings, each in an SMTP and a download variant.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt"; flow:to_client,established; file_data; content:"|64 CD EF 48 8A E6 77 25 55 F3 7B 92 A6 F9 7D 49 D7 FC 81 64 68 FE 50 32 35 7F 24 59 9A 3F 96 6C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1018; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38410; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt"; flow:to_server,established; file_data; content:"|64 CD EF 48 8A E6 77 25 55 F3 7B 92 A6 F9 7D 49 D7 FC 81 64 68 FE 50 32 35 7F 24 59 9A 3F 96 6C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1018; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38409; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt"; flow:to_server,established; file_data; content:"|4A 1C 04 68 1B D0 5D 08 2C 9C 2F 4A 08 01 68 23 D0 49 00 D0 5D 97 2F 46 97 2F 00 68 29 D0 5D 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1018; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38408; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt"; flow:to_client,established; file_data; content:"|4A 1C 04 68 1B D0 5D 08 2C 9C 2F 4A 08 01 68 23 D0 49 00 D0 5D 97 2F 46 97 2F 00 68 29 D0 5D 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1018; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38407; rev:4;)

# Transform Class Matrix AS2 use after free (CVE-2016-1016). All four need file.swf.
# sids 38406/38405: fixed 32-byte string.
# sids 38404/38403: class path as fast pattern, then createEmptyMovieClip followed
#   by removeMovieClip within 200 bytes.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|68 79 30 4E F5 F4 26 93 60 60 14 8B 8C B2 92 31 9C 28 31 C9 46 89 1A 43 EF F4 AD 1C 6A AC A5 A1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1016; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38406; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|68 79 30 4E F5 F4 26 93 60 60 14 8B 8C B2 92 31 9C 28 31 C9 46 89 1A 43 EF F4 AD 1C 6A AC A5 A1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1016; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38405; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"flash|00|geom|00|Transform|00|"; fast_pattern:only; content:"|00|createEmptyMovieClip|00|"; content:"|00|removeMovieClip|00|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1016; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38404; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"flash|00|geom|00|Transform|00|"; fast_pattern:only; content:"|00|createEmptyMovieClip|00|"; content:"|00|removeMovieClip|00|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1016; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38403; rev:4;)

# Multiple scripts display rendering use-after-free (CVE-2016-1011). Needs file.swf.
# Matches on common ActionScript identifiers ("target", "open", "data.menu", ...).
# NOTE(review): these are generic strings; watch the false-positive rate on
# legitimate SWF content.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player multiple scripts display rendering use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"updateAfterEvent"; fast_pattern:only; content:"gotoAndPlay"; content:"target"; distance:0; content:"data.menu"; within:90; content:"open"; content:"data.index"; within:90; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1011; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38402; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player multiple scripts display rendering use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"updateAfterEvent"; fast_pattern:only; content:"gotoAndPlay"; content:"target"; distance:0; content:"data.menu"; within:90; content:"open"; content:"data.index"; within:90; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1011; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-10.html; classtype:attempted-user; sid:38401; rev:4;)

# Malformed HTML text null dereference (CVE-2013-3329). Needs file.swf.
# The download rule also lists policy connectivity-ips; the SMTP rule does not.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed HTML text null dereference attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|92 D1 16 24 43 72 25 53 63 82 93 A2 C2 E1 F0 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3329; reference:url,www.adobe.com/support/security/bulletins/apsb13-14.html; classtype:attempted-user; sid:26688; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed HTML text null dereference attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|92 D1 16 24 43 72 25 53 63 82 93 A2 C2 E1 F0 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3329; reference:url,www.adobe.com/support/security/bulletins/apsb13-11.html; classtype:attempted-user; sid:26687; rev:4;)

# RTMP onStatus type confusion (CVE-2013-2555), port 1935.
# sid 26429 only sets the rtmp.flashver flowbit on the client request
#   (flowbits:noalert); sid 26430 tests that flowbit on the server response, so
#   both must be enabled for 26430 to match.
# NOTE(review): the pcre in sid 26430 has no "s" modifier, so "." does not match
#   0x0A; if any of the nine skipped bytes is 0x0A the rule does not match.
#   Confirm whether /s was intended for this binary payload.
alert tcp $EXTERNAL_NET 1935 -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player RTMP malformed onStatus message type confusion attempt"; flow:to_client,established; flowbits:isset,rtmp.flashver; content:"|02 00 08|onStatus|00|"; pcre:"/^.{9}[^\x03\x0a\x11\x10]/R"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service rtmp; reference:cve,2013-2555; reference:url,www.adobe.com/support/security/bulletins/apsb13-11.html; classtype:attempted-user; sid:26430; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1935 (msg:"FILE-FLASH Adobe Flash Player RTMP malformed onStatus message type confusion attempt"; flow:to_server,established; content:"|00 08|flashVer"; fast_pattern:only; flowbits:set,rtmp.flashver; flowbits:noalert; metadata:service rtmp; reference:cve,2013-2555; reference:url,www.adobe.com/support/security/bulletins/apsb13-11.html; classtype:attempted-user; sid:26429; rev:12;)

# sortOn heap overflow (CVE-2013-0646). Needs file.swf; fixed 20-byte string.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player sortOn heap overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|AF AC 5F 95 49 29 55 85 ED BD AA 20 D4 DE 76 B0 2B D0 11 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0646; reference:url,www.adobe.com/support/security/bulletins/apsb13-09.html; classtype:attempted-user; sid:26173; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player sortOn heap overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|AF AC 5F 95 49 29 55 85 ED BD AA 20 D4 DE 76 B0 2B D0 11 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0646; reference:url,www.adobe.com/support/security/bulletins/apsb13-09.html; classtype:attempted-user; sid:26172; rev:4;)

# CVE-2013-0648 (APSB13-08, bugtraq 58186), sids 26000-26009.
# sids 26008/26009: literal host/path string plus "explorer.exe" (nocase). This is
#   an indicator of one specific hosting location, not of the vulnerability itself.
# sids 26002-26007: need the file.cws flowbit; each content is a 20-byte string
#   beginning with ASCII "CWS". No depth is set, so position is not constrained.
# sids 26000/26001: HTML/JavaScript strings in order; no fast_pattern is designated.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SWF-based shellcode download attempt"; flow:to_server,established; file_data; content:"www.mypagex.com/fileshare/questions/"; fast_pattern:only; content:"explorer.exe"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26009; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SWF-based shellcode download attempt"; flow:to_client,established; file_data; content:"www.mypagex.com/fileshare/questions/"; fast_pattern:only; content:"explorer.exe"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26008; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0E BC 03 00 00 78 DA 5D 52 41 6F D3 30 14 B6 93 34|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26007; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0E BC 03 00 00 78 DA 5D 52 41 6F D3 30 14 B6 93 34|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26006; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0D A3 14 00 00 78 DA 75 37 69 73 1B 57 72 AF E7 7A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26005; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0D A3 14 00 00 78 DA 75 37 69 73 1B 57 72 AF E7 7A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26004; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0D B6 3A 00 00 78 DA 95 7B 09 60 54 C7 91 68 D7 7B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26003; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0D B6 3A 00 00 78 DA 95 7B 09 60 54 C7 91 68 D7 7B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26002; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_server,established; file_data; content:".LoadMovie"; content:"allowscriptaccess=|22|always|22|"; distance:0; content:"swLiveConnect=true"; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26001; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; file_data; content:".LoadMovie"; content:"allowscriptaccess=|22|always|22|"; distance:0; content:"swLiveConnect=true"; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26000; rev:2;)

# ActionScript 3 integer overflow (CVE-2011-2416). Shipped disabled; only the SMTP
# variant appears in this part of the file.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|02 61 30 02 61 31 02 61 32 02 61 33 02 61 34 02 61 35 02 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,49081; reference:cve,2011-2416; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:25835; rev:7;)

# FLV crafted ADPCM stream heap overflow (CVE-2013-0638). Needs file.flv.
# First content is anchored to the first 16 bytes of the file (depth:16); the
# second must start exactly 560 bytes after it (distance:560 with within:16 on a
# 16-byte pattern).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player FLV crafted ADPCM stream heap overflow attempt"; flow:to_server,established; flowbits:isset,file.flv; file_data; content:"|46 4C 56 01 05 00 00 00 09 00 00 00 00 09 00 02|"; depth:16; content:"|1D 25 00 00 08 42 10 84 21 08 42 10 84 21 08 42|"; within:16; distance:560; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57907; reference:cve,2013-0638; reference:url,www.adobe.com/support/security/bulletins/apsb13-05.html; classtype:attempted-user; sid:25816; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player FLV crafted ADPCM stream heap overflow attempt"; flow:to_client,established; flowbits:isset,file.flv; file_data; content:"|46 4C 56 01 05 00 00 00 09 00 00 00 00 09 00 02|"; depth:16; content:"|1D 25 00 00 08 42 10 84 21 08 42 10 84 21 08 42|"; within:16; distance:560; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57907; reference:cve,2013-0638; reference:url,www.adobe.com/support/security/bulletins/apsb13-05.html; classtype:attempted-user; sid:25815; rev:3;)

# Nested SWF cross domain clickjacking (CVE-2013-0637). Shipped disabled, carries
# no policy entry in metadata, and is classified attempted-recon rather than
# attempted-user.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player nested SWF cross domain clickjacking attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|EA F8 BA 02 46 AE 74 67 BC 1D 25 61 41 B7 EB 8A B6 6F A2 46|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-0637; reference:url,www.adobe.com/support/security/bulletins/apsb13-05.html; classtype:attempted-recon; sid:25814; rev:3;)

# CFF FeatureCount integer overflow (CVE-2013-0633). Needs file.swf.cff.
# Structural rule: a negative-distance match before the first content, two
# relative 2-byte byte_jumps, then |FF FF| at the resulting position. Only the
# SMTP variant appears in this part of the file.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player CFF FeatureCount integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf.cff; file_data; content:"|00 7E 00 E2|"; content:"|00 01 00 00|"; within:4; distance:-10; byte_jump:2,0,relative,post_offset 2; byte_jump:2,0,relative,post_offset 2; content:"|FF FF|"; within:2; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0633; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:25683; rev:4;)

# DoInitAction invalid action overflow (CVE-2012-5268). Both shipped disabled.
# sid 24992 uses "any" as source network where the other SMTP rules use $EXTERNAL_NET.
# alert tcp any any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DoInitAction invalid action overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B6 0D 00 04 02 04 03 07 02 00 00 00 04 01 08 07|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2012-5268; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24992; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DoInitAction invalid action overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B6 0D 00 04 02 04 03 07 02 00 00 00 04 01 08 07|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5268; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24991; rev:4;)

# Invalid traits structure (CVE-2012-5678). Both shipped disabled; no vendor
# bulletin URL is referenced.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player specially invalid traits structure attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|09 0A 11 D0 30 5E A9 03 D1 68 A9 03 5D 8F 03 4F 8F 03 00 47 00 00 91 03 03 01 09 0A 1D D0 30 5E|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2012-5678; classtype:attempted-user; sid:24990; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player specially invalid traits structure attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|09 0A 11 D0 30 5E A9 03 D1 68 A9 03 5D 8F 03 4F 8F 03 00 47 00 00 91 03 03 01 09 0A 1D D0 30 5E|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5678; classtype:attempted-user; sid:24989; rev:4;)

# Index overflow (CVE-2012-5676). Both shipped disabled.
# NOTE(review): the reference URL ends in "apsb12-XX.html", which looks like an
# unfilled placeholder for the bulletin number; confirm the intended bulletin.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player index overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|31 33 31 59 CE FD 53 4A 77 B7 30 2C 90 35 63 A4 31 14 C9 76 C9 28 4A 21 55 EC 09 3A 26 62 E5 86|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2012-5676; reference:url,www.adobe.com/support/security/bulletins/apsb12-XX.html; classtype:attempted-user; sid:24986; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player index overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|31 33 31 59 CE FD 53 4A 77 B7 30 2C 90 35 63 A4 31 14 C9 76 C9 28 4A 21 55 EC 09 3A 26 62 E5 86|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5676; reference:url,www.adobe.com/support/security/bulletins/apsb12-XX.html; classtype:attempted-user; sid:24985; rev:5;)

# loadPCMFromByteArray bad sample count (CVE-2012-5677). Shipped disabled; only the
# download variant appears in this part of the file.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player loadPCMFromByteArray bad sample count attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"loadPCMFromByteArray"; fast_pattern:only; content:"|80 07 4F 13 01 62 05 20 82 13 04 00 00 10 0A 00|"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5677; classtype:attempted-user; sid:24984; rev:5;)

# ActionScript bytecode trait type null pointer dereference (CVE-2012-5266).
# All four shipped disabled. sids 24980/24981 additionally require "FWS" in the
# first three bytes of the file (depth:3).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1F 91 C2 5F AC B1 71 4A 7E 99 DA 93 EC A2 6D 53 DF 3C 39 97 4D 2C 1B BF|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2012-5266; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24983; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1F 91 C2 5F AC B1 71 4A 7E 99 DA 93 EC A2 6D 53 DF 3C 39 97 4D 2C 1B BF|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5266; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24982; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"FWS"; depth:3; content:"|03 00 00 00 00 00 00 00 00 00 00 00 00 00 01 02 03 09 06 00 01 01 01 03|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2012-5266; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24981; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FWS"; depth:3; content:"|03 00 00 00 00 00 00 00 00 00 00 00 00 00 01 02 03 09 06 00 01 01 01 03|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5266; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24980; rev:4;)

# ActionScript bytecode symbolclass tag type confusion (CVE-2012-5270). Shipped
# disabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript bytecode symbolclass tag type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|FF 01 2B 00 00 00 6C 00 01 00 8A 06 06 01 00 67 00 1B 36 1F C9 00|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2012-5270; reference:url,adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24896; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript bytecode symbolclass tag type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FF 01 2B 00 00 00 6C 00 01 00 8A 06 06 01 00 67 00 1B 36 1F C9 00|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5270; reference:url,adobe.com/support/security/bulletins/apsb12-24.html; 
classtype:attempted-user; sid:24895; rev:4;)
# NOTE(review): sids 24894-24889 are six disabled variants for CVE-2012-5269, three for
#   inbound SMTP and three for file downloads. Each looks for byte 0x96 with a type byte
#   0x07 and a 4-byte little-endian value above 0x040000, followed by byte 0x42. In SWF
#   action bytecode 0x96 is ActionPush and 0x42 is InitArray, so the rules appear to flag
#   an oversized element count pushed just before InitArray.
#   - All six test the file.swf flowbit, which is not set anywhere in this part of the
#     file; confirm the file-identification rules that set it are enabled first.
#   - 24894, 24892, 24891 and 24889 anchor on the single byte |96| and give the
#     fast-pattern matcher nothing longer to work with; presumably they are evaluated on
#     every SWF-flagged flow, so measure the cost before enabling.
#   - 24894, 24891 and 24889 carry no policy metadata; 24894 also has a
#     byte_test:2,<,0xFF,-3 that its download counterpart 24891 lacks, so the SMTP and
#     download variants are not exact mirrors.
#   - 24893 and 24890 write "flowbits:isset, file.swf" with a space after the comma;
#     confirm the rule parser trims it.
#   - The msg strings differ in wording and case ("FILE-FLASH Action ...",
#     "... action InitArray ..."); alert correlation keyed on msg should use the sid.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96|"; content:"|07|"; within:1; distance:2; byte_test:4,>,0x040000,0,relative,little; byte_test:2,<,0xFF,-3,relative,little; byte_jump:2,-3,relative,little; content:"|42|"; within:1; metadata:service smtp; reference:cve,2012-5269; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24894; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Action InitArray stack overflow attempt"; flow:to_server,established; flowbits:isset, file.swf; file_data; content:"|96 05 00 07|"; byte_test:4,>,0x040000,0,relative,little; content:"|42|"; within:1; distance:4; metadata:policy security-ips drop, service smtp; reference:cve,2012-5269; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24893; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Action InitArray stack overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96|"; byte_jump:2,0,relative,little; content:"|42|"; within:1; content:"|07|"; within:1; distance:-6; byte_test:4,>,0x040000,0,relative,little; metadata:policy security-ips drop, service smtp; reference:cve,2012-5269; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24892; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player action InitArray stack overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96|"; content:"|07|"; within:1; distance:2; byte_test:4,>,0x040000,0,relative,little; byte_jump:2,-3,relative,little; content:"|42|"; within:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5269; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24891; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt"; flow:to_client,established; flowbits:isset, file.swf; file_data; content:"|96 05 00 07|"; byte_test:4,>,0x040000,0,relative,little; content:"|42|"; within:1; distance:4; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5269; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24890; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96|"; byte_jump:2,0,relative,little; content:"|42|"; within:1; content:"|07|"; within:1; distance:-6; byte_test:4,>,0x040000,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5269; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24889; rev:7;)
# NOTE(review): sid 24882 matches |FF E0 10 00|JFIF while its download counterpart 24879
#   matches |FF E0 00 10|JFIF. A JFIF APP0 segment is FF E0 followed by a big-endian
#   length of 00 10, so the two length bytes in 24882 look swapped and the SMTP variant
#   would not match a standard JFIF header. 24882 also omits the distance:0 that 24879
#   puts on that content. Check both against the upstream rule set before enabling.
#   Neither rule tests the file.swf flowbit; both anchor on "FWS" at depth 3, so a
#   compressed (CWS) file is only covered if the sensor decompresses it first.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player invalid JPEG index attempt"; flow:to_server,established; file_data; content:"FWS"; depth:3; content:"|FF E0 10 00|JFIF|00|"; content:"|FF DA 00 08 01|"; distance:0; byte_test:1,>,3,1,relative; metadata:policy security-ips drop, service smtp; reference:cve,2012-5267; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24882; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid JPEG index attempt"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"|FF E0 00 10|JFIF|00|"; distance:0; content:"|FF DA 00 08 01|"; distance:0; 
byte_test:1,>,3,1,relative; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5267; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24879; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|F5 69 1A 7D 8A 46 9F 5C 64 48 32 9B 52 CC DC 4E 35 EB F5 5F|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2012-5278; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24813; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|F5 69 1A 7D 8A 46 9F 5C 64 48 32 9B 52 CC DC 4E 35 EB F5 5F|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5278; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24812; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B9 6D 3D DC 78 02 AD 3D 79 F8 B8 79 79 00 09 E9 40 4F 6B 5B|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2012-5278; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24811; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B9 6D 3D DC 78 02 AD 3D 79 F8 B8 79 79 00 09 E9 40 4F 6B 5B|"; 
fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5278; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24810; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Microsoft Internet Explorer premature unload of Flash plugin use after free attempt"; flow:to_server,established; file_data; content:".innerHTML"; nocase; content:"embed src"; within:64; nocase; content:"swf"; within:32; nocase; pcre:"/\.innerHTML\s*=\s*[\x22\x27]\s*<\s*embed[^>]*?src=\\?[\x22\x27][^\x22\x27]*?\.swf\\?[\x22\x27]/ims"; content:".innerHTML"; distance:0; nocase; pcre:"/^\s*=\s*[\x22\x27]{2}\s*\;/R"; metadata:policy security-ips drop, service smtp; reference:cve,2012-5272; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24809; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Microsoft Internet Explorer premature unload of Flash plugin use after free attempt"; flow:to_client,established; file_data; content:".innerHTML"; nocase; content:"embed src"; within:64; nocase; content:"swf"; within:32; nocase; pcre:"/\.innerHTML\s*=\s*[\x22\x27]\s*<\s*embed[^>]*?src=\\?[\x22\x27][^\x22\x27]*?\.swf\\?[\x22\x27]/ims"; content:".innerHTML"; distance:0; nocase; pcre:"/^\s*=\s*[\x22\x27]{2}\s*\;/R"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5272; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24808; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player stsz box heap overflow attempt"; flow:to_server,established; flowbits:isset,file.drm.f4v; file_data; content:"stsz|00 00 00 00 00 00 00 00|"; byte_test:4,!=,0,0,relative; byte_test:4,=,0,4,relative; metadata:policy security-ips drop, service smtp; 
reference:cve,2012-4167; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:attempted-user; sid:24415; rev:5;)
# NOTE(review): sid 24414 (and its SMTP twin 24415, which ends on the line above) only
#   fires on flows where file.drm.f4v is already set; that bit is set by sids 24413/24412
#   below. The match is "stsz" followed by eight zero bytes, then a non-zero 4-byte value,
#   then a zero 4-byte value. Read against the ISO base-media stsz box layout that looks
#   like sample_size 0, a non-zero sample_count and a zero first entry -- TODO confirm
#   against the advisory for CVE-2012-4167.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player stsz box heap overflow attempt"; flow:to_client,established; flowbits:isset,file.drm.f4v; file_data; content:"stsz|00 00 00 00 00 00 00 00|"; byte_test:4,!=,0,0,relative; byte_test:4,=,0,4,relative; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4167; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:attempted-user; sid:24414; rev:4;)
# NOTE(review): sids 24413 and 24412 are the only enabled rules in this stretch. They
#   never alert (flowbits:noalert); they set file.drm.f4v when the 4 bytes "sinf" appear
#   anywhere in a flow already tagged file.swf. The two rules that read the bit in this
#   listing (24415/24414) are commented out, so unless those or another consumer are
#   enabled, this pair does matching work with no visible effect. The file.swf bit they
#   depend on is not set in this part of the file.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DRM encrypted file detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"sinf"; fast_pattern:only; flowbits:set,file.drm.f4v; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24413; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DRM encrypted file detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"sinf"; fast_pattern:only; flowbits:set,file.drm.f4v; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24412; rev:4;)
# NOTE(review): sid 24367 (and 24366, which starts below) is a single fixed 34-byte
#   content with fast_pattern:only, so it matches that byte run anywhere in a SWF-flagged
#   file and nothing else about the record structure.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash malformed record stack exhaustion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|3F 08 E1 00 00 00 01 00 45 F2 25 F2 20 01 12 A9 12 44 80 02 00 FF FF FF FF FF FF FF FF 00 00 10 15 00|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2012-4163; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24367; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash malformed record 
stack exhaustion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3F 08 E1 00 00 00 01 00 45 F2 25 F2 20 01 12 A9 12 44 80 02 00 FF FF FF FF FF FF FF FF 00 00 10 15 00|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4163; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24366; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash null reference JIT compilation attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|09 0A BF 03 D0 30 20 80 06 D5 20 80 06 D6 60 64 66 09 80 06 D5 10 A3 01 00 09 D1 66 7E 80 06 D6|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2012-4165; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24365; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash null reference JIT compilation attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|ED B6 DB 4D 85 68 66 57 89 24 CB 66 92 1D 34 FC 5C A0 CF 32 2A A2 54 46 3C B1 B5 4F 46 7C 26 0F|"; fast_pattern:only; isdataat:!624; metadata:policy security-ips drop, service smtp; reference:cve,2012-4165; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24364; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash null reference JIT compilation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|09 0A BF 03 D0 30 20 80 06 D5 20 80 06 D6 60 64 66 09 80 06 D5 10 A3 01 00 09 D1 66 7E 80 06 D6|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4165; 
reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24363; rev:4;)
# NOTE(review): sid 24362 pairs a fixed 32-byte content with isdataat:!624. The isdataat
#   has no "relative" modifier, so as written it asserts that the inspected buffer has no
#   byte at offset 624 -- presumably a size bound taken from the original sample; confirm.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash null reference JIT compilation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|ED B6 DB 4D 85 68 66 57 89 24 CB 66 92 1D 34 FC 5C A0 CF 32 2A A2 54 46 3C B1 B5 4F 46 7C 26 0F|"; fast_pattern:only; isdataat:!624; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4165; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24362; rev:4;)
# NOTE(review): sids 23592, 23591 and 23579 are SMTP-only variants for CVE-2010-1297;
#   no download-direction counterparts appear in this part of the file. None tests the
#   file.swf flowbit.
#   23592 anchors on "CWS|09|" (the compressed-SWF signature plus a version byte) and then
#   16 fixed bytes at distance 94, i.e. bytes inside the compressed stream. That ties the
#   rule to one particular file as it was compressed; treat it as a sample signature, not
#   coverage of the vulnerability itself. It is classed attempted-admin while 23591 and
#   23579 for the same CVE are attempted-user.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption exploit attempt"; flow:to_server,established; file_data; content:"CWS|09|"; content:"|3D BF CF FB CF 8B D6 E9 EE EA EA EA AA EA EA EA|"; within:16; distance:94; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0197; reference:cve,2010-1297; classtype:attempted-admin; sid:23592; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption attempt"; flow:to_server,established; file_data; content:"|D2 60 3B 40 C1 03 AB 12 E5 00 00 60 E8 03 24 00|"; content:"|46 FF 04 02 75 63 07 60 97 01 24 02 A1 62 04 0E|"; within:16; distance:16; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:23591; rev:7;)
# NOTE(review): the content of sid 23579 is plain ASCII written as hex. It decodes to
#   length-prefixed strings: "Shhh don't tell any one this is a secret key!",
#   "The truth is out there", "COMPLETE", "removeChild", "URLRequest" and the start of an
#   "http" string. The rule therefore keys on string constants of one known sample and
#   says nothing about the use-after-free condition itself.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash use-after-free attack attempt"; flow:to_server,established; file_data; content:"|53 68 68 68 20 64 6F 6E 27 74 20 74 65 6C 6C 20 61 6E 79 20 6F 6E 65 20 74 68 69 73 20 69 73 20 61 20 73 65 63 72 65 74 20 6B 65 79 21 16 54 68 65 20 74 72 75 74 68 20 69 73 20 6F 75 74 20 74 68 65 72 65 08 43 4F 4D 50 4C 45 54 45 0B 72 65 6D 6F 76 65 43 68 69 6C 64 0A 55 52 4C 52 65 71 75 65 73 74 30 68 74 74 70|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-1297; classtype:attempted-user; sid:23579; rev:6;)
# NOTE(review): sid 23135 matches three strings with no distance/within between them
#   (the DisplayObject class name, "addChild", and a case-insensitive "removed"), so they
#   may occur anywhere in the file in any order. Expect hits on benign SWFs that use
#   display-list events; validate on local traffic before using it with a drop policy.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player flash.DisplayObject memory corruption attempt"; flow:established,to_client; flowbits:isset,file.swf; file_data; content:"flash.display|3A|DisplayObject|24|"; fast_pattern:only; content:"addChild"; content:"removed"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2034; reference:url,www.adobe.com/support/security/bulletins/apsb12-14.html; classtype:misc-attack; sid:23135; rev:8;)
# NOTE(review): the rule below is damaged in this copy. Its pcre breaks off mid-pattern,
#   the rest of the rule (metadata, references, sid) is missing, and the header of the
#   following rule is gone as well -- it looks as if text between a "<" and a later ">"
#   was stripped when the page was extracted. Do not load it from this listing; take it
#   from the upstream rule set. The GUID in its content is the class id of the Flash
#   ActiveX control.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player broker destructor DoS attempt"; flow:to_client,established; file_data; content:"D27CDB6E-AE6D-11CF-96B8-444553540000"; fast_pattern:only; content:"document.onkeypress"; nocase; pcre:"/var\s+(\w+)\s*=\s*\x27document[^\=]*?=\x5c\x27]*?>\s*? 
$HOME_NET any (msg:"FILE-FLASH Adobe Flash Player flash.display.BitmapData constuctor overflow attempt"; flow:established,to_client; flowbits:isset,file.swf; file_data; content:"flash.display"; content:"BitmapData"; distance:0; content:"|30 D0 49 00 5D 03 24 10|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2036; reference:url,www.adobe.com/support/security/bulletins/apsb12-14.html; classtype:misc-attack; sid:23133; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DefineSound tag long recordheader length field attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BF 03 00 EE FF 7F 0F 00 26 37 02 00 00 61 06 FF E3 20 C0 00 00 00 02 58|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2037; reference:url,www.adobe.com/support/security/bulletins/apsb12-14.html; classtype:attempted-user; sid:23132; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player X500 DistinguishedName property access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|6B 3E 35 2F D7 02 D4 F0 88 41 EB 67 C7 D7 4F A8 56 8C D8 A7 C4 A5 AE AD E9 15 CF AE F7 E0 74 47|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2039; reference:url,www.adobe.com/support/security/bulletins/apsb12-14.html; classtype:attempted-user; sid:23131; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player X509 direct instantiation property access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|2F 65 54 07 41 6C AD 12 37 3E 1A 37 A0 D9 F7 60 1F 29 07 AF FD D8 AD ED D7 08 31 52 76 8A 43 A8|"; fast_pattern:only; 
metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2039; reference:url,www.adobe.com/support/security/bulletins/apsb12-14.html; classtype:attempted-user; sid:23130; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SecureSocket use without Connect attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3A 58 E6 FB 74 80 30 B8 BF 2C 54 5B F9 4D C8 B2 AB BA 3D 56 1C 6C F7 3D 9D D6 34 A0 52 7E F2 6A|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2039; reference:url,www.adobe.com/support/security/bulletins/apsb12-14.html; classtype:attempted-user; sid:23129; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Video invalid tag type attempt"; flow:to_client,established; flowbits:isset,file.flv; file_data; content:"FLV|01|"; depth:4; content:"|00 00 00 00 17|"; within:5; distance:5; metadata:policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0773; classtype:attempted-user; sid:21655; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Video invalid tag type attempt"; flow:to_client,established; file_data; content:"|FB 1A BD E9 6B F4 AE 37 BD 71 2F FA 02 BD EA 6D 5F A0 F4 8C 9D 06 A8 7A 55 CB F6 CC 39 E7 3B DF 9C 3F 7B 8A A4 DF 11 2A FE 88 50 1D A3 CE C2 32 42 E8 BB CA 2F 18 A1 DD D0 1E EC BC EE 1C 36 A6|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0773; classtype:attempted-user; sid:21654; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player ActionScript getURL target null reference attempt"; flow:to_server,established; content:".swf?"; nocase; http_uri; 
content:"&TARGET="; within:20; nocase; http_uri; pcre:"/\x26TARGET\x3d\x5f(blank|parent|top)/Usi"; content:"&REDIR=javascript"; distance:0; nocase; http_uri; metadata:policy security-ips drop, service http; reference:cve,2012-0772; reference:url,adobe.com/support/security/bulletins/apsb12-07.html; classtype:denial-of-service; sid:21653; rev:5;)
# NOTE(review): sid 21536 matches ActionScript source text ("import flash.geom", then
#   "new" and "Stage3D()" within 20 bytes) and does not test the file.swf flowbit.
#   Compiled SWF bytecode would not normally carry an "import" statement, so this
#   presumably targets source or proof-of-concept text served over the wire, not a
#   compiled exploit file -- confirm what it is meant to catch before relying on it.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript Stage3D null dereference attempt"; flow:to_client,established; file_data; content:"import flash.geom"; fast_pattern:only; content:"new"; nocase; content:"Stage3D()"; within:20; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0768; reference:url,www.adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21536; rev:9;)
# NOTE(review): sid 21535 is one fixed 24-byte content with fast_pattern:only and no
#   flowbit test; it matches that byte run anywhere in any inspected file.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript Matrix3D.copyRawDataFrom buffer overflow attempt"; flow:to_client,established; file_data; content:"|A3 96 56 6C 5B B4 87 59 19 DB B6 A1 6B D8 B5 53 46 59 A7 6B 69 27 43 3C|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0768; reference:url,www.adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21535; rev:10;)
# NOTE(review): the content of sid 21534 reads "new Vector.()" here; the type parameter
#   that ActionScript writes between "Vector." and "()" in angle brackets appears to have
#   been stripped from this copy, so compare with the upstream rule before use. As shown,
#   the rule matches source text containing the literal constant 0x41414141, which ties
#   it to one proof-of-concept, not to the overflow condition.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript Matrix3D.copyRawDataFrom buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"RawDataFrom(new Vector.(), 0x41414141"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0768; reference:url,www.adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21534; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any 
(msg:"FILE-FLASH Adobe Flash Player ActionScript Stage3D null dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|7D B3 D7 78 DB 3A 2A 4D 86 B6 13 34 B8 B5 57 1E 30 E6 35 54 75 3C 1E 57|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0768; reference:url,www.adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21533; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player action script 3 bitmap malicious rectangle attempt"; flow:to_client,established; file_data; content:"bitmap.histogram|28|new Rectangle|28|"; nocase; content:!"-"; within:3; byte_test:8,>=,0x40000000,0,relative,string; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,52299; reference:cve,2012-0769; reference:url,adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21532; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player action script 3 bitmap malicious rectangle attempt"; flow:to_client,established; file_data; content:"bitmap.histogram|28|new Rectangle|28|"; nocase; content:"-"; within:3; byte_test:8,<=,0x40000000,0,relative,string; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,52299; reference:cve,2012-0769; reference:url,adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21531; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player action script 3 bitmap malicious rectangle attempt"; flow:to_client,established; file_data; content:"|43 57 53 0E 93 03 00 00 78 DA 5D 52 CB 6E D3 40 14 BD 33 76 EC D8 7D AB 28 2A 0B 24 4B 45 8A 54 91 D8 49 61 D1 28 B5 28 75 83 DA 05 95 CA 06 55|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, 
service pop3; reference:bugtraq,52299; reference:cve,2012-0769; reference:url,adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21530; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript bytecode type confusion null dereference attempt"; flow:to_client,established; file_data; content:"|A3 5E D6 FD 5B F4 25 97 57 C3 FE 17 42 A7 C5 3D CA 49 8E 9E 3B 73 FE F4 58 7B 2C 3A 4A 6E 8B C7|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0752; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21335; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActiveX URL import attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FWS"; depth:3; byte_test:1,<,8,0,relative; byte_test:1,>,0,0,relative; content:"D|0E 3F|"; distance:0; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0751; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21326; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player cross site request forgery attempt"; flow:to_client,established; file_data; content:"|49 6E 69 74 00 74 61 72 67 65 74 00 6A 61 76 61 73 63 72 69 70 74|"; fast_pattern:only; content:"|00 67 65 74 55 52 4C 00|"; nocase; content:"|02 00 00 00 08 09 1C 96 02 00 08 0A 52 3C 96 0D|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-0767; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21325; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Acrobat Flash Player uxtheme.dll 
dll-load exploit attempt"; flow:to_server,established; content:"|2F|uxtheme.dll"; nocase; http_uri; content:!"User-Agent: Microsoft-Symbol-Server/"; http_header; metadata:service http; reference:cve,2012-0756; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21324; rev:7;)
# NOTE(review): sid 21323 and sid 21324 (ending on the line above) flag outbound HTTP
#   requests whose URI contains "/atl.dll" or "/uxtheme.dll", skipping requests whose
#   headers carry "User-Agent: Microsoft-Symbol-Server/". The match is on the file name
#   alone, so any client fetching a DLL with that name from an external host will hit
#   it; triage on the requesting process and destination. Neither rule carries policy
#   metadata. The ATT&CK ids T1038 and T1157 cited here have since been folded into
#   T1574 sub-techniques; use the current ids when mapping alerts.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Acrobat Flash Player atl.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|atl.dll"; nocase; http_uri; content:!"User-Agent: Microsoft-Symbol-Server/"; http_header; metadata:service http; reference:cve,2012-0756; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21323; rev:7;)
# NOTE(review): sids 21321 and 21320 have $HOME_NET on both sides of the arrow, so they
#   only see SMB sessions between internal hosts; a request to a share outside $HOME_NET
#   is not covered. The "|FF|SMB|A2|" anchor is the SMB1 NT Create AndX header, so SMB2
#   and later sessions are not matched either. The file name is matched as UTF-16LE with
#   its terminating null.
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-FLASH Adobe Acrobat Flash Player request for uxtheme.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"u|00|x|00|t|00|h|00|e|00|m|00|e|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2012-0756; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21321; rev:6;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-FLASH Adobe Acrobat Flash Player request for atl.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"a|00|t|00|l|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2012-0756; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21320; rev:6;)
# NOTE(review): sid 20610 inspects requests from $HOME_NET to external web servers only:
#   "/EncDecUtils.swf?" in the URI, then "resourceModuleURLs=" followed within 4 bytes by
#   "http". Requests arriving at an internally hosted copy of the SWF travel in the
#   other direction and are not covered by this header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Shockwave Flash Flex authoring tool XSS exploit attempt"; flow:to_server,established; content:"/EncDecUtils.swf|3F|"; fast_pattern; http_uri; content:"resourceModuleURLs="; nocase; http_uri; content:"http"; within:4; nocase; http_uri; metadata:service http; reference:cve,2011-2461; reference:url,www.adobe.com/support/security/bulletins/apsb11-25.html; classtype:attempted-admin; sid:20610; rev:5;)
# NOTE(review): both contents of sid 20568 and of sid 20567 are ASCII written as hex.
#   They decode to length-prefixed name strings: "Object", "flash.utils", "us-ascii",
#   "writeMultiByte", "length", "position", "toString" and "repro", "flash.display",
#   "Sprite", "ByteArray", "http://adobe" for 20568; "Vector", "Shuo", "pantest" and
#   "Sprite", "__AS3__.vec" for 20567. Names such as "repro" and "pantest" suggest the
#   rules were cut from specific test files, so treat them as sample signatures.
#   Neither rule tests the file.swf flowbit or carries policy metadata.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash SWF ActionScript 3 ByteArray class vulnerability"; flow:to_client,established; file_data; content:"|4F 62 6A 65 63 74 0B 66 6C 61 73 68 2E 75 74 69 6C 73 01 41 08 75 73 2D 61 73 63 69 69 0E 77 72 69 74 65 4D 75 6C 74 69 42 79 74 65 06 6C 65 6E 67 74 68 08 70 6F 73 69 74 69 6F 6E 08 74 6F 53 74 72 69 6E 67|"; fast_pattern:only; content:"|72 65 70 72 6F 0D 66 6C 61 73 68 2E 64 69 73 70 6C 61 79 06 53 70 72 69 74 65 09 42 79 74 65 41 72 72 61 79 21 68 74 74 70 3A 2F 2F 61 64 6F 62 65|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2445; classtype:attempted-user; sid:20568; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash SWF AVM2 namespace lookup deref exploit"; flow:to_client,established; file_data; content:"|56 65 63 74 6F 72 04 53 68 75 6F 07 70 61 6E 74 65 73 74|"; fast_pattern; content:"|53 70 72 69 74 65 0B 5F 5F 41 53 33 5F 5F 2E 76 65 63|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2455; classtype:attempted-user; sid:20567; rev:10;)
# NOTE(review): the rule below shows content:"" followed by distance:0. An empty content
#   is not a usable match and a distance needs a preceding content, so the original
#   pattern(s) -- presumably HTML markup -- appear to have been stripped from this copy.
#   Restore the rule from the upstream rule set before enabling it.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player salign null javascript access attempt"; flow:to_client,established; file_data; content:""; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2459; 
reference:url,www.adobe.com/support/security/bulletins/apsb11-28.html; classtype:attempted-user; sid:20560; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionDefineFunction2 length overflow attempt"; flow:to_client,established; file_data; content:"|24 9D 50 B6 F2 62 C0 FA 0C 9C FF 00 2A 1C D4 4A 8C 1C 8E 77 EE B5 5C B7 B4 9E 46 67 FD EB A8 43|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2454; reference:url,www.adobe.com/support/security/bulletins/apsb11-28.html; classtype:attempted-user; sid:20557; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PlaceObjectX null pointer dereference attempt"; flow:to_client,established; file_data; content:"|00 26 00 78 03 00 00 FF D8 FF E0 00 10 4A 46 49 46 00 01 01 00 00 01 00 01 00 00 FF DB 00 43 00 2F|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2450; reference:url,www.adobe.com/support/security/bulletins/apsb11-28.html; classtype:attempted-user; sid:20556; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash MP4 ref_frame allocated buffer overflow attempt"; flow:to_client,established; file_data; content:"|FA 34 27 84 33 9E 09 F7 84 44 41 B9 D6 99 46 42 32 91 31 51 DC 4C 20 2E A9 4C A2 F5 46 C7 28 74|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2140; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-admin; sid:20555; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Stage 3D texture format overflow attempt"; flow:to_client,established; file_data; content:"ATF|05 B6 B2 BF 14 B1 37 00 00 01 00 00 00 66 72 61 6D 65 31 00 10 00 2E 00 1C C1 95|"; 
fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2456; reference:url,www.adobe.com/support/security/bulletins/apsb11-28.html; classtype:attempted-user; sid:20551; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Mover3D clipping exploit"; flow:to_client,established; file_data; content:"|05 72 6F 75 6E 64 09 72 6F 74 61 74 69 6F 6E 59 06 6D 6F 75 73 65 59 09 72 6F 74 61 74 69 6F 6E|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2460; reference:url,www.adobe.com/support/security/bulletins/apsb11-28.html; classtype:attempted-user; sid:20550; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript bytecode type confusion attempt"; flow:to_client,established; file_data; content:"|19 13 02 00 01 F0 4C 6F 61 64 69 6E 67 00 00 00 66 6C 61 73 68 2E 42 6F 6F 74 00 40 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2451; reference:url,www.adobe.com/support/security/bulletins/apsb11-28.html; classtype:attempted-user; sid:20549; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player recursive doaction stack exhaustion"; flow:to_client,established; file_data; content:"|4E 96 02 00 08 04 8E 35 00 00 05 00 08 19 00 04|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2457; reference:url,www.adobe.com/support/security/bulletins/apsb11-28.html; classtype:attempted-user; sid:20548; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player overlapping record overflow attempt"; flow:to_client,established; file_data; content:"|40 09 40 00 40 00 40 00 40 00 3F 15 59 00 00 00 0B 00 7A 72 37 AC FF FD 42 5A 00|"; fast_pattern:only; 
metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2453; reference:url,www.adobe.com/support/security/bulletins/apsb11-28.html; classtype:attempted-user; sid:20547; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SWF embedded font null pointer attempt"; flow:to_client,established; file_data; content:"|00 01 00 04 00 09 00 10 8E 09 7F 40 2D 4E C0 4E 7C 15 3C 14 00 50|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2452; reference:url,www.adobe.com/support/security/bulletins/apsb11-28.html; classtype:attempted-user; sid:20545; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player recursive stack overflow attempt"; flow:to_client,established; file_data; content:"|42 1B EB 68 C4 A9 39 96 95 4B 0E 39 71 A9 9E E8 72 CE 38 A4 3B C4 92 4B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2426; reference:url,www.adobe.com/support/security/bulletins/apsb11-26.html; classtype:attempted-user; sid:20211; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player pcre ActionScript under allocation"; flow:to_client,established; file_data; content:"|4D EA BB 49 2E 01 A2 21 8E F1 C7 FB 4B 42 0C 4E 66 D1 88 17 46 C8 B3 70|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2427; reference:url,www.adobe.com/support/security/bulletins/apsb11-26.html; classtype:attempted-user; sid:20206; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player setInterval use attempt"; flow:to_client,established; file_data; content:"|27 93 BE 70 22 40 33 C1 A4 2F 69 0D A0 85 0B 34|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; 
reference:cve,2011-2444; reference:url,www.adobe.com/support/security/bulletins/apsb11-26.html; classtype:attempted-user; sid:20183; rev:8;)
# NOTE(review): the next line is two rules fused together. The "viewSource blacklist
# exclusion" rule stops inside its opening content:" and the text resumes in the header of
# the "Speex-encoded audio buffer underflow" rule (sid:20181). The viewSource pattern,
# references and sid, and the start of the Speex header, are not on this page; presumably
# markup-like bytes were stripped. Do not load or copy this line as-is.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player viewSource blacklist exclusion attempt"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"FILE-FLASH Adobe Flash Speex-encoded audio buffer underflow attempt"; flow:to_client,established; file_data; content:"|A9 FC EB C4 44 EA 39 DC C2 E6 7A 38 85 81 71 46 3B 43 B6 E8 69 30 D5 77 47 47 A1 DE 99 B6 32 A2 7B D4 DA AD 90 AF 76 EB F4 B0 8D 3F F2 66 C5 06 3B 18 ED 9C 13 2E 42 BB 18 50 C2 ED D2 AE 33 B2|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2130; reference:url,www.adobe.com/support/security/bulletins/apsb11-26.html; classtype:attempted-user; sid:20181; rev:6;)
# sid:20050 (disabled). Requires "CWS" plus version byte 09 in the first four bytes of
# file_data, then a fixed 16-byte string located 828 bytes after that header match
# (distance:828, within:16). This pins raw bytes of a compressed SWF at a fixed position,
# i.e. one exact file. NOTE(review): confirm the rule still matches when the preprocessor
# is configured to decompress SWF content before file_data is evaluated.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory consumption vulnerability"; flow:to_client,established; file_data; content:"CWS|09|"; depth:4; content:"|68 C4 21 5E 20 F0 E9 17 D8 EF DD 03 92 AC 4A 8C|"; within:16; distance:828; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3793; classtype:denial-of-service; sid:20050; rev:11;)
# sid:19693 (disabled here; metadata lists it as drop under the max-detect-ips policy).
# Evaluated only when the file.swf flowbit is already set, so it depends on a file-
# identification rule that is not part of this section. Shares msg and CVE with sid:20555.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash MP4 ref_frame allocated buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"NetStream"; nocase; content:"|16 03 16 05 16 07 18 09 16 0B 16 10 17 05 05 00 05 00 08 17 16 18 16 19 16 1A 16 1B 16 1C|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2140; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-admin; sid:19693; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash 
cross-site request forgery attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00|loadClip"; nocase; content:"|00|loadVariables"; nocase; content:"|00 8E 0F 00|loadUrl"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2139; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:19692; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript File reference buffer overflow attempt"; flow:to_client,established; file_data; content:"|F0 E8 E8 E8 45 42 64 43 21 B3 9F 04 1E DF 61 7F EC F9 02 5A BF 6B 6C 48 7E 4C 3C C4 96 03 BE 1F|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2137; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:19691; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript duplicateDoorInputArguments stack overwrite"; flow:to_client,established; file_data; content:"|00 C3 02 00 04 09 00 C4 02 00 01 06 00 C5 02 00 06 07 00 22 05 08 03 04 59 02 02 02 02 02 02 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2136; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:19690; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript dynamic calculation double-free attempt"; flow:to_client,established; file_data; content:"|25 90 03 A2 5D 09 66 09 46 0A 00 25 90 03 A2 46 0B 02 29 65 01 5D 0C 4A 0C 00 82 6D 01 5D 0D 65|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2135; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; 
classtype:attempted-dos; sid:19689; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript BitmapData buffer overflow attempt"; flow:to_client,established; file_data; content:"|07 04 07 07 02 08 07 05 09 07 04 0A 07 04 0B 07 04 0C 07 06 0E 07 02 0F 07 02 10 07 02 11 07 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2138; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:19688; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash uninitialized bitmap structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"display|3A|IBitmapDrawable"; nocase; content:"|02|sx|02|sy|02|tx|02|ty|01|a|01|b|01|c|01|d|0F|beginBitmapFill"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2425; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:19686; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash regular expression grouping depth buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"RegExp"; nocase; content:"|28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28|"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,65703; reference:cve,2011-2134; reference:cve,2014-0499; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:19685; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript 3 buffer overflow attempt"; flow:to_client,established; file_data; content:"|E9 3F 00 00 00 00 00 00 D0 3F 33 33 
33 33 33 33 E3 3F 7B 14 AE 47 E1 7A A4 3F 66 66 66 66 66 66 F6 3F 9A 99 99 99 99 99 B9 3F EB 09 00 07 42 6F 6F 6C 65 61 6E 04 76 6F 69 64 03 69 6E 74 0B 66|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2415; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:19683; rev:12;)
# sid:19682 (disabled here; metadata lists drop for max-detect-ips and security-ips). The
# pattern decodes to the length-prefixed names "a0" through "a5" followed by the start of
# a seventh entry. NOTE(review): such short sequential names are presumably not unique to
# a malicious file -- check the false-positive rate before enabling inline.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|02 61 30 02 61 31 02 61 32 02 61 33 02 61 34 02 61 35 02 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49081; reference:cve,2011-2416; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:19682; rev:14;)
# sid:19293 (disabled here; metadata lists drop for max-detect-ips). "chunked" is followed
# by fourteen one-byte contents -- "C", "W", "S", 0A, DC, ... -- each allowed to float in a
# 10-byte window (50 for the first). NOTE(review): one-byte relative matches with loose
# windows are costly to evaluate and prone to false positives; "chunked" also reads like a
# Transfer-Encoding header value, which may lie outside the file_data buffer -- confirm the
# rule can match at all with the deployed HTTP preprocessor settings.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"chunked"; content:"C"; within:50; content:"W"; within:10; content:"S"; within:10; content:"|0A|"; within:10; content:"|DC|"; within:10; content:"|CC|"; within:10; content:"|00|"; within:10; content:"|00|"; within:10; content:"|DA|"; within:10; content:"|7C|"; within:10; content:"|BD|"; within:10; content:"|4B|"; within:10; content:"|D3|"; within:10; content:"|6E|"; within:10; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-01.html; classtype:attempted-user; sid:19293; rev:10;)
# sid:19257 (disabled). The only condition is the literal string "_0day2_fla" in file_data.
# NOTE(review): that looks like a name embedded in one specific file, not a property of the
# vulnerability, so coverage of CVE-2011-2110 is limited to files carrying that name.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe ActionScript float index memory corruption attempt"; flow:to_client,established; file_data; content:"_0day2_fla"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2110; reference:url,www.adobe.com/support/security/bulletins/apsb11-18.html; classtype:attempted-user; sid:19257; rev:12;)
# sid:19249 (disabled). Matches a "/Type /3D /Subtype /U3D" dictionary entry and the script
# text "c3d.scene.nodes.removeItem(v1);" anywhere in file_data (both nocase, no ordering).
# NOTE(review): the msg says meshes.removeItem while the content matches nodes.removeItem,
# and the variable name "v1" is part of the pattern -- confirm against the advisory.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Universal3D meshes.removeItem exploit attempt"; flow:to_client,established; file_data; content:"|2F|Type|20 2F|3D|20 2F|Subtype|20 2F|U3D"; nocase; content:"c3d.scene.nodes.removeItem|28 76 31 29 3B|"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2099; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-admin; sid:19249; rev:8;)
# sid:19179 and sid:19178 (both disabled). Same msg and CVE, each a single fixed 32-byte
# pattern; these two use $HTTP_PORTS / service http only, where neighbouring file rules use
# $FILE_DATA_PORTS and also list ftp-data, imap and pop3.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player cross-site request forgery attempt"; flow:to_client,established; file_data; content:"|09 1C 96 02 00 08 0B 52 17 96 05 00 07 E8 03 00 00 8E 08 00 00 00 00 03 2A 00 D3 00 96 09 00 08|"; fast_pattern:only; metadata:service http; reference:cve,2011-2107; reference:url,www.adobe.com/support/security/bulletins/apsb11-13.html; classtype:attempted-user; sid:19179; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player cross-site request forgery attempt"; flow:to_client,established; file_data; content:"|52 CA 95 3B 3C C3 B0 C5 AA 52 C4 E1 8D 98 0E 9E F8 27 0B F8 26 0D 78 B1 3D B7 C5 16 F8 3A 85 08|"; fast_pattern:only; metadata:service http; reference:cve,2011-2107; reference:url,www.adobe.com/support/security/bulletins/apsb11-13.html; classtype:attempted-user; sid:19178; rev:5;)
# NOTE(review): the rule below keys on the length-prefixed identifiers "ROPPayload",
# "strToInt" and "shellcode"; presumably these are names from one published sample, so the
# rule identifies that sample rather than the underlying parsing flaw.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player content parsing execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ROPPayload|08|strToInt|09|shellcode"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, 
service pop3; reference:bugtraq,44503; reference:cve,2010-3654; classtype:attempted-user; sid:18992; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash beginGradientfill improper color validation attempt"; flow:to_client,established; file_data; content:"|2B 6D 01 65 01 5D BD 02 5D BB 02 65 01 6C 04 46 BB 02 01 46 BD 02 01 60 09 87 80 09 6D 04 10 2D|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0620; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18971; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player null pointer dereference attempt"; flow:to_client,established; file_data; content:"|01 B1 04 00 8E 00 10 0D CF 55 5C 11 EC 89 47 0D 09 48 00 86 C3 72 D4 52 37 2C F1 B8 C1 95 0D 77|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0626; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18970; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript ActionIf integer overflow attempt"; flow:to_client,established; file_data; content:"|00 18 36 00 3F 03 07 00 00 00 12 9D 02 00 12 B1 00 40 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0623; reference:cve,2011-0625; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18969; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript3 stack integer overflow attempt"; flow:to_client,established; file_data; content:"|2A 2A 24 48 24 65 24 6C 2A 24 6F 24 00 24 40 24 00 2A 2A 56|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; 
reference:cve,2011-0618; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18968; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe ActionScript argumentCount download attempt"; flow:to_client,established; file_data; content:"|0B 0B D0 30 20 80 04 24 01 55 01 02 47 00 00 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0621; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18967; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash file DefineFont4 remote code execution attempt"; flow:to_client,established; file_data; content:"|01 01 09 00 04 00 02 00 00 00 02 00 00 01 0D 07 00 02 01 07 09 00 00 02 02 08 07|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0627; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18966; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash file ActionScript 2 ActionJump remote code execution attempt"; flow:to_client,established; file_data; content:"|99 02 00 BC CB|"; content:"|99 02 00 39 FA|"; distance:0; content:"|99 02 00 48 9D 99 02 06 A2 F9|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0624; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18965; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash file DefineFont4 remote code execution attempt"; flow:to_client,established; file_data; content:"|FF 16 D8 89 00 00 01 00 04 57 69 6E 64 73 6F 6E 67 00 4F 54 54 4F 00 0A 00 80 00 03 00 20 43 46 46 20 C5 97 55|"; fast_pattern:only; metadata:service ftp-data, service http, service 
imap, service pop3; reference:cve,2011-0619; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18964; rev:11;)
# sid:18963 (disabled). Single fixed 16-byte pattern in file_data, used as fast_pattern:only;
# no flowbit or position check.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe ActionScript 3 addEventListener exploit attempt"; flow:to_client,established; file_data; content:"|AB 02 60 90 01 4F AC 02 02 47 00 00 67 03 02 09|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0622; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; classtype:attempted-user; sid:18963; rev:12;)
# sid:18805 (disabled). The pattern starts with "FWS" and version byte 0A and continues
# through the following header bytes, so it presumably pins the first 32 bytes of one
# specific uncompressed file; there is no depth/offset, so it is searched anywhere.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player undefined tag exploit attempt"; flow:to_client,established; file_data; content:"|46 57 53 0A 9A 04 00 00 78 00 03 E8 00 00 0F A0 00 00 E8 01 00 44 11 08 00 00 00 3F 12 69 04 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2214; classtype:attempted-user; sid:18805; rev:9;)
# sid:18503 (disabled). Three length-prefixed name groups that must appear in order
# (distance:0 on the second and third), evaluated only when the file.swf flowbit is set.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript flash.geom.Point constructor memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0A|flash.geom|06|Matrix|0B|setMaterial"; content:"|05|Point"; distance:0; content:"|12|generateFilterRect|0B|applyFilter"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0578; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18503; rev:10;)
# sid:18447 (disabled). Requires "/OpenAction <<" somewhere in file_data (fast_pattern:only)
# and a case-insensitive match for "/URI (data". NOTE(review): the pcre has no R flag and
# its [^\x3e]{0,300} prefix may match zero bytes, so the two conditions do not appear to be
# tied together by position -- confirm this is intended. The strings are PDF syntax, so the
# rule concerns PDF content despite the FILE-FLASH category.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe OpenAction crafted URI action thru Firefox attempt"; flow:to_client,established; file_data; content:"|2F|OpenAction|20 3C 3C|"; fast_pattern:only; pcre:"/[^\x3e]{0,300}\x2fURI \x28data/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0587; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18447; rev:10;)
# sid:18446 (disabled). The only condition is the UTF-16LE string "nvapi.dll" anywhere in a
# client-to-server payload to ports 139/445 between $HOME_NET hosts. NOTE(review): unlike
# sid:21321/sid:21320 there is no SMB header or command check and no terminating null, so
# any internal SMB traffic that mentions this file name would alert if the rule is enabled;
# presumably that includes benign references -- plan for triage or suppression.
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-FLASH Adobe Acrobat Flash Player nvapi.dll dll-load exploit attempt"; flow:to_server,established; content:"n|00|v|00|a|00|p|00|i|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-0575; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18446; rev:10;)
# sid:18445 (disabled). Outbound HTTP request whose URI contains "/nvapi.dll" (nocase).
# NOTE(review): this rule lacks the Microsoft-Symbol-Server User-Agent exclusion that the
# atl.dll and uxtheme.dll HTTP rules (sid:21323, sid:21324) carry -- confirm whether the
# same exclusion is wanted here.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Acrobat Flash Player nvapi.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|nvapi.dll"; nocase; http_uri; metadata:service http; reference:cve,2011-0575; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18445; rev:10;)
# sid:18420 (disabled). "ASnative" plus a null byte, followed anywhere later (distance:0) by
# a fixed 25-byte sequence; evaluated only when the file.swf flowbit is set.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript ASnative function remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ASnative|00|"; content:"|96 16 00 07 03 00 00 00 07 2E 01 00 00 07 3A 08 00 00 07 02 00 00 00 08 02|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0559; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18420; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript apply function memory corruption attempt"; flow:to_client,established; file_data; content:"|43 57 53 0A 2C 91 00 00 78 
9C CD BD 77 60 54 D5 D6 3E 7C F6|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0558; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18418; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash authplay.dll memory corruption attempt"; flow:to_client,established; file_data; content:"|94 C5 F6 3F 3E E5 D9 7D 76 53 37 D9 10 62 28 06 8D 44 71|"; content:"|CC F3 6C A1 DC 0F DF DF EB F5 FD E7 8B 99 E7 99 39 73 E6 CC 99|"; distance:0; content:"|EE 7E F1 F1 1E E9 C8 72 36 A9 3A 54 1F 2A 1A C4 58 B7 DB|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3654; reference:url,www.adobe.com/support/security/advisories/apsa10-05.html; classtype:attempted-user; sid:17808; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player and Reader remote code execution attempt"; flow:to_client,established; file_data; content:"|6C 23 B1 63 9A 87 31 36 CC 6F DD BA 75 7F C7 D0|"; depth:160; offset:144; content:"|9F 4E AA 98 1C 24 BF 33 AE 78 A5 58 32 B3 DE 54|"; within:16; distance:352; content:"|05 7D 9F EA A8 E5 CA A6 73 4A CE BC 5C 72 65 63|"; within:16; distance:240; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2884; reference:url,www.adobe.com/support/security/advisories/apsa10-03.html; classtype:attempted-user; sid:17257; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SWF ActionScript exploit attempt"; flow:to_client,established; file_data; content:"|04 01 08 32 4E 96 04 00 04 01 08 2D 4E 4E 96 09 00 03 49 12 9D 02 00 09 00 96 04 00 04 01 08 08 4E 3E 96 04 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-0209; 
reference:url,www.adobe.com/support/security/bulletins/apsb10-16.html; classtype:attempted-user; sid:17142; rev:11;)
# sid:17141 (disabled). Single fixed 16-byte pattern. NOTE(review): FF C0 looks like a JPEG
# start-of-frame marker with 0x88 in the position of the sample-precision byte, presumably
# the malformed field the msg refers to; the pattern also pins the neighbouring bytes, so
# only that exact frame header matches.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash invalid data precision arbitrary code execution exploit attempt"; flow:to_client,established; file_data; content:"|0C 0C FF C0 00 11 88 00 96 00 71 03 01 11 00 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2216; reference:url,www.adobe.com/support/security/bulletins/apsb10-16.html; classtype:attempted-user; sid:17141; rev:10;)
# sid:16316 (disabled). Single fixed pattern mixing printable and hex-escaped bytes, used
# as fast_pattern:only; no flowbit or position check.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed getPropertyLate actioncode attempt"; flow:to_client,established; file_data; content:",|BD 06|J|C6 01 01 80 C6 01 D6 D1 D2|O|97 06 01 D1|`|81 04|g|9D 08|f|9E 08|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3797; classtype:attempted-user; sid:16316; rev:12;)
# sid:16315 (disabled; classtype misc-activity). Script-text signature for HTTP responses:
# ".Movie" followed later by ".readyState", then a pcre requiring the same object name
# (backreference \1) to be assigned .Movie and later have .readyState compared with 4.
# NOTE(review): the pcre combines .* under /s with a backreference and is gated only by
# two short strings, so it may be expensive on large pages -- profile before enabling.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash PlugIn check if file exists attempt"; flow:to_client,established; file_data; content:".Movie"; content:".readyState"; distance:0; pcre:"/document\x2E(.*?)\x2EMovie\s*\x3D.*document\x2E\1\x2EreadyState\s*\x21?\x3D+\s*4/smi"; metadata:service http; reference:cve,2009-3951; classtype:misc-activity; sid:16315; rev:9;)
# sid:15729 (disabled). Heuristic, as the "Possible" in the msg indicates: "ByteArray"
# (nocase) followed within 100 bytes by 04 0C 0C 0C 0C, evaluated only when the file.swf
# flowbit is set. NOTE(review): a five-byte pattern near a common class name is presumably
# not unique to malicious files; expect to tune or suppress if enabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Possible Adobe Flash Player ActionScript byte_array heap spray attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ByteArray"; nocase; content:"|04 0C 0C 0C 0C|"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,35759; reference:cve,2009-1862; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:attempted-user; sid:15729; rev:13;)
# alert tcp $EXTERNAL_NET 
$FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SWF scene and label data memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A8 15|"; content:"|8C 15|"; within:2; distance:40; content:"|BF 14 7F 01 00 00|"; within:6; distance:12; content:"|19 13|"; within:2; distance:383; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13822; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SWF scene and label data memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BF 15 84 03 00 00|"; content:"|BF 14|D|02 00 00|"; within:6; distance:900; content:"?|13 1F 00 00 00|"; within:6; distance:640; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13821; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash DOACTION tag overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FWS"; content:"|03|"; distance:19; content:!"|00|"; within:1; byte_test:1,<,128,0,relative; content:"|9B|"; within:1; distance:1; content:!"|00|"; within:1; distance:-2; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.macromedia.com/devnet/security/security_zone/mpsb05-07.html; classtype:attempted-user; sid:4675; rev:10;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote memory corruption attempt"; flow:to_server,established; file_data; 
flowbits:isset,file.swf; content:"|E8 3F 00 00 00 00 00 00 00 00 E9 04 00 04|void|19|promolenta.dat"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60478; reference:cve,2013-3343; reference:url,www.adobe.com/support/security/bulletins/apsb13-16.html; classtype:attempted-user; sid:26983; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|E8 3F 00 00 00 00 00 00 00 00 E9 04 00 04|void|19|promolenta.dat"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60478; reference:cve,2013-3343; reference:url,www.adobe.com/support/security/bulletins/apsb13-16.html; classtype:attempted-user; sid:26982; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript user-supplied PCM resampling integer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|88 ED 54 2A 27 AA 96 79 2A EA 47 81 9B 4A 5A A6 46 5C 32 22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,61048; reference:cve,2013-3347; reference:url,www.adobe.com/support/security/bulletins/apsb13-17.html; classtype:attempted-user; sid:27268; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript user-supplied PCM resampling integer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|88 ED 54 2A 27 AA 96 79 2A EA 47 81 9B 4A 5A A6 46 5C 32 22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; 
reference:bugtraq,61048; reference:cve,2013-3347; reference:url,www.adobe.com/support/security/bulletins/apsb13-17.html; classtype:attempted-user; sid:27267; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player heap buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|76 DB E9 F0 AD 26 55 2A C8 BD 68 4C 99 A4 8A D8 6B 7F 9D 15 22 41 05 7B 76 A3 20 2A 54 5C DB A8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,61045; reference:cve,2013-3345; reference:url,www.adobe.com/support/security/bulletins/apsb13-17.html; classtype:attempted-user; sid:27266; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player heap buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|76 DB E9 F0 AD 26 55 2A C8 BD 68 4C 99 A4 8A D8 6B 7F 9D 15 22 41 05 7B 76 A3 20 2A 54 5C DB A8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,61045; reference:cve,2013-3345; reference:url,www.adobe.com/support/security/bulletins/apsb13-17.html; classtype:attempted-user; sid:27265; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player embedded JPG image height overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"FWS"; content:"|FF D8|"; distance:0; content:"JFIF"; distance:0; content:"|FF C0|"; within:256; pcre:"/^...(..)?[\x80-\xff]/R"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26951; reference:cve,2007-6242; classtype:attempted-admin; sid:27671; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt"; flow:to_server,established; flowbits:isset, 
file.swf; file_data; content:"|96 05 00 07|"; byte_test:4,>,0x040000,0,relative,little; content:"|42|"; within:1; distance:4; metadata:policy security-ips drop, service smtp; reference:cve,2012-5269; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:27755; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96|"; byte_jump:2,0,relative,little; content:"|42|"; within:1; content:"|07|"; within:1; distance:-6; byte_test:4,>,0x040000,0,relative,little; metadata:policy security-ips drop, service smtp; reference:cve,2012-5269; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:27754; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|EF 06 02 01 01 04 1E D0 30 F1 F6 12 F0 1A 5D 86 0B 60 18 30 60 05 30 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3363; reference:url,www.adobe.com/support/security/bulletins/apsb13-21.html; classtype:attempted-user; sid:28590; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|EF 06 02 01 01 04 1E D0 30 F1 F6 12 F0 1A 5D 86 0B 60 18 30 60 05 30 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3363; reference:url,www.adobe.com/support/security/bulletins/apsb13-21.html; classtype:attempted-user; sid:28589; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player GlyphOffset 
memory disclosure attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|FF 12|"; content:"|00 00 E0 6D 00 40 33 6F 00 00 0F 70 00 00 87 70|"; within:600; distance:10; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-5324; reference:url,www.adobe.com/support/security/bulletins/apsb13-21.html; classtype:attempted-user; sid:28588; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player GlyphOffset memory disclosure attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FF 12|"; content:"|00 00 E0 6D 00 40 33 6F 00 00 0F 70 00 00 87 70|"; within:600; distance:10; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5324; reference:url,www.adobe.com/support/security/bulletins/apsb13-21.html; classtype:attempted-user; sid:28587; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|4E 8F 5F B5 DD 60 BE 81 C5 22 83 F9 36 83 B9 8E 1E 3F 93 86 D2 2D 28 73 B2 AF 7E BB D3 B9 E3 BD D8 6D 7B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,62294; reference:cve,2013-3362; reference:url,adobe.com/support/security/bulletins/apsb13-21.html; classtype:attempted-user; sid:28569; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|4E 8F 5F B5 DD 60 BE 81 C5 22 83 F9 36 83 B9 8E 1E 3F 93 86 D2 2D 28 73 B2 AF 7E BB D3 B9 E3 BD D8 6D 7B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service 
imap, service pop3; reference:bugtraq,62294; reference:cve,2013-3362; reference:url,adobe.com/support/security/bulletins/apsb13-21.html; classtype:attempted-user; sid:28568; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player use after free race condition"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|6F AB DE 4D E9 B5 73 2F 00 25 84 02 B2 A9 B5 4A 7F 11 B0 40 00 10 0D 0B 20 1E 18 CF 62 C7 66 EB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3361; reference:url,www.adobe.com/support/security/bulletins/apsb13-21.html; classtype:attempted-user; sid:28567; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempt"; flow:to_server,established; file_data; content:"|A8 AE 9F FC DD 34 E7 24 FF 71 36 DB 9A 32 40 27 DD 18 C9 F7 D3 CB E2 5C C3 6F 8F 41 75 7F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:28686; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempt"; flow:to_server,established; file_data; content:"|A3 D9 86 B1 D3 6F 07 ED BF 7D EB C4 59 9B 2E C0 84 E8 1F 00 00 00 FF FF 03 00 89 17 52 74|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:28678; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempt"; flow:to_server,established; file_data; content:"|00|airappinstaller|00|ASnative|00|"; pcre:"/\x00[\x3b\x7c\x26\x60][^\x00]+\x00airappinstaller\x00ASnative\x00/smi"; 
content:"|99 08|"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:28677; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player loadPCMFromByteArray bad sample count attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|16 7F 87 00 6C FB 86 D9 7C D5 E9 2A C7 63 DB 09|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-5677; classtype:attempted-user; sid:28793; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player loadPCMFromByteArray bad sample count attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"loadPCMFromByteArray"; fast_pattern:only; content:"|80 07 4F 13 01 62 05 20 82 13 04 00 00 10 0A 00|"; metadata:service smtp; reference:cve,2012-5677; classtype:attempted-user; sid:28792; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player loadPCMFromByteArray bad sample count attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|16 7F 87 00 6C FB 86 D9 7C D5 E9 2A C7 63 DB 09|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5677; classtype:attempted-user; sid:28791; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt"; flow:to_client,established; file_data; content:"|86 06 E4 96 CA 82 03 D2 A8 AC 94 07 A8 9E DC D5 04 A6 E6 FC 9F 03 C0 D9 F2 89 06 FC 84 B0 81 02 C1 9F B7 18|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64199; reference:cve,2013-5331; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:29054; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt"; flow:to_server,established; file_data; content:"|86 06 E4 96 CA 82 03 D2 A8 AC 94 07 A8 9E DC D5 04 A6 E6 FC 9F 03 C0 D9 F2 89 06 FC 84 B0 81 02 C1 9F B7 18|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64199; reference:cve,2013-5331; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:29053; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt"; flow:to_server,established; file_data; content:"|44 F6 78 B2 2F 94 C5 8C 17 C2 C8 16 E0 1D B5 6D 52 D3 63 4D B4 97 AD B5 C4 DF C1 69 11 29 02 07 08 94 23 A1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64199; reference:cve,2013-5331; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:29052; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt"; flow:to_client,established; file_data; content:"|44 F6 78 B2 2F 94 C5 8C 17 C2 C8 16 E0 1D B5 6D 52 D3 63 4D B4 97 AD B5 C4 DF C1 69 11 29 02 07 08 94 23 A1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64199; reference:cve,2013-5331; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:29051; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player and AIR type confusion remote code 
execution attempt"; flow:to_server,established; file_data; content:"|08 06 8E 0F 00 00 01 00 02 2A 00 01 6D 79 67 67 66 00 0E 00 96 02 00 08 01 1C 96 04 00 08 03 04 01 4F 4F 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64199; reference:cve,2013-5331; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:29050; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt"; flow:to_client,established; file_data; content:"|08 06 8E 0F 00 00 01 00 02 2A 00 01 6D 79 67 67 66 00 0E 00 96 02 00 08 01 1C 96 04 00 08 03 04 01 4F 4F 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64199; reference:cve,2013-5331; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:29049; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt"; flow:to_server,established; file_data; content:"|E4 5E 12 3F 6F A2 06 46 BF 4C A2 52 9E D6 EC 56 7D 70 4F 69 0F 54 69 1D 77 77 46 31 3B 24 81 F3 BE 2F A1 AB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64199; reference:cve,2013-5331; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:29048; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt"; flow:to_client,established; file_data; content:"|E4 5E 12 3F 6F A2 06 46 BF 4C A2 52 9E D6 EC 56 7D 70 4F 69 0F 54 69 1D 77 77 46 31 3B 24 81 F3 BE 2F A1 AB|"; fast_pattern:only; metadata:policy balanced-ips drop, 
policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64199; reference:cve,2013-5331; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:29047; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|0B 30 0A 51 44 12 2F 4B 28 85 48 2A 95 42 39 5E 46 28 8D 32|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2013-5329; classtype:attempted-user; sid:29288; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|87 01 BB 65 65 2C D4 40 1F 41 79 8F AC DC BA 0F F9 A3 C8 1F|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2013-5329; classtype:attempted-user; sid:29287; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|0B 30 0A 51 44 12 2F 4B 28 85 48 2A 95 42 39 5E 46 28 8D 32|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5329; classtype:attempted-user; sid:29286; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|87 01 BB 65 65 2C D4 40 1F 41 79 8F AC DC BA 0F F9 A3 C8 1F|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5329; classtype:attempted-user; sid:29285; rev:2;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"ByteArrayAsset"; fast_pattern:only; content:"mx.core"; content:"|FF 15|"; content:"|00 00 00 00|"; within:4; distance:6; byte_jump:4,-10,relative,little; content:"|14|"; within:1; byte_extract:4,0,ABCLength,relative,little; content:"ByteArrayAsset"; within:ABCLength; metadata:policy security-ips drop, service smtp; reference:cve,2013-5329; classtype:attempted-user; sid:29284; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"ByteArrayAsset"; fast_pattern:only; content:"mx.core"; content:"|15|"; byte_test:1,>,0xC0,-2,relative; byte_test:1,<,0xFF,-2,relative; content:"|00 00 00 00|"; within:4; distance:2; content:"|14|"; within:62; distance:4; byte_extract:4,0,ABCLength,relative,little; content:"ByteArrayAsset"; within:ABCLength; metadata:policy security-ips drop, service smtp; reference:cve,2013-5329; classtype:attempted-user; sid:29283; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"ByteArrayAsset"; fast_pattern:only; content:"mx.core"; content:"|FF 15|"; content:"|00 00 00 00|"; within:4; distance:6; byte_jump:4,-10,relative,little; content:"|14|"; within:1; byte_extract:4,0,ABCLength,relative,little; content:"ByteArrayAsset"; within:ABCLength; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5329; classtype:attempted-user; sid:29282; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt"; 
flow:to_client,established; file_data; flowbits:isset,file.swf; content:"ByteArrayAsset"; fast_pattern:only; content:"mx.core"; content:"|15|"; byte_test:1,>,0xC0,-2,relative; byte_test:1,<,0xFF,-2,relative; content:"|00 00 00 00|"; within:4; distance:2; content:"|14|"; within:62; distance:4; byte_extract:4,0,ABCLength,relative,little; content:"ByteArrayAsset"; within:ABCLength; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5329; classtype:attempted-user; sid:29281; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player invalid instruction memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|38 C8 1F CC E7 2D 7B B7 50 BC 73 E7 4E 41 99 2B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-5330; reference:url,www.adobe.com/support/security/bulletins/apsb13-26.html; classtype:attempted-user; sid:29554; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player invalid instruction memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0A A2 15 AB FF FF 02 62 07 37 76 2A 12 14 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-5330; reference:url,www.adobe.com/support/security/bulletins/apsb13-26.html; classtype:attempted-user; sid:29553; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid instruction memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|38 C8 1F CC E7 2D 7B B7 50 BC 73 E7 4E 41 99 2B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5330; 
reference:url,www.adobe.com/support/security/bulletins/apsb13-26.html; classtype:attempted-user; sid:29552; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid instruction memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0A A2 15 AB FF FF 02 62 07 37 76 2A 12 14 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5330; reference:url,www.adobe.com/support/security/bulletins/apsb13-26.html; classtype:attempted-user; sid:29551; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player loadPCMFromByteArray bad sample count attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|A4 69 02 21 21 ED 61 DD 75 52 5A 8A 76 65 CB 3A|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-5677; classtype:attempted-user; sid:29525; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player loadPCMFromByteArray bad sample count attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A4 69 02 21 21 ED 61 DD 75 52 5A 8A 76 65 CB 3A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5677; classtype:attempted-user; sid:29524; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript bytecode object type confusion information disclosure attempt"; flow:to_server,established; file_data; content:"|D0 30 24 00 74 D6 24 00 74 D7 24 00 74 63 04 5D 09 5D 08 D1 4A 08 01 4A 09 01 75 63 05 5D 01 4A 01 00 80 01 2A 63 06 62 05 4F 0A 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0492; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb14-02.html; classtype:attempted-recon; sid:29836; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript bytecode object type confusion information disclosure attempt"; flow:to_client,established; file_data; content:"|D0 30 24 00 74 D6 24 00 74 D7 24 00 74 63 04 5D 09 5D 08 D1 4A 08 01 4A 09 01 75 63 05 5D 01 4A 01 00 80 01 2A 63 06 62 05 4F 0A 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0492; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-02.html; classtype:attempted-recon; sid:29835; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash regular expression grouping depth buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"RegExp"; nocase; content:"|28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28|"; within:50; metadata:service smtp; reference:bugtraq,65703; reference:cve,2011-2134; reference:cve,2014-0499; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:29934; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PCRE regexp out of bounds memory leak ASLR bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|6E A3 85 65 0A 3E 0D C3 E8 92 5E 5D CA 34 B4 66 04 14 EF 8E|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,65703; reference:cve,2014-0499; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; classtype:attempted-user; sid:29933; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PCRE regexp out 
of bounds memory leak ASLR bypass attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|6E A3 85 65 0A 3E 0D C3 E8 92 5E 5D CA 34 B4 66 04 14 EF 8E|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,65703; reference:cve,2014-0499; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; classtype:attempted-user; sid:29932; rev:2;)
# CVE-2014-0498 pair: sid 29927 inspects files sent to SMTP servers, sid 29926 inspects
# files returned to clients. Both require the file.swf flowbit and match one fixed 32-byte
# sequence anywhere in file_data. Unlike most rules around them they carry no
# fast_pattern:only, and the balanced-ips policy is set to alert rather than drop.
# NOTE(review): file.swf is only tested here, never set, in this part of the file; confirm
# the rule that sets it is enabled, otherwise these two rules cannot match.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D3 83 C3 23 EA 4E 54 59 7B D7 CF AD 7F 68 76 7C 76 DD D3 F5 CF D4 ED 02 C5 29 CC F0 50 DD 82 BA|"; metadata:policy balanced-ips alert, policy security-ips drop, service smtp; reference:cve,2014-0498; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; classtype:attempted-user; sid:29927; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D3 83 C3 23 EA 4E 54 59 7B D7 CF AD 7F 68 76 7C 76 DD D3 F5 CF D4 ED 02 C5 29 CC F0 50 DD 82 BA|"; metadata:policy balanced-ips alert, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0498; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; classtype:attempted-user; sid:29926; rev:1;)
# NOTE(review): the next line is damaged in this copy. Four "incorrect null uri character
# normalization" rules each break off right after the opening quote of their content
# option and resume inside the following rule header, so their patterns, references and
# sids are missing. The last fragment runs straight into the JPEG rule that ends with
# sid:30349, whose own header is missing as well. Restore these rules from the original
# rule file before enabling or editing anything in this span.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash incorrect null uri character normalization attempt"; flow:to_server,established; file_data; content:" $HOME_NET any (msg:"FILE-FLASH Adobe Flash incorrect null uri character normalization attempt"; flow:to_client,established; file_data; content:" $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash incorrect null uri character normalization attempt"; flow:to_server,established; file_data; content:" $HOME_NET any (msg:"FILE-FLASH Adobe Flash incorrect null uri character normalization attempt"; flow:to_client,established; file_data; content:" $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player JPEG parsing heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|FF D8 FF E0|"; content:"JFIF|00|"; within:5; distance:2; content:"|FF C0|"; within:2; distance:9; byte_test:2,>,0x7fff,5,relative; metadata:service smtp; reference:cve,2009-3794; classtype:attempted-user; sid:30349; rev:1;)
# CVE-2009-3794 (disabled, no policy assigned): inside a file flagged file.swf, look for
# FF D8 FF E0, then "JFIF" plus a NUL, then FF C0 at a fixed distance, and test whether a
# 2-byte value after FF C0 exceeds 0x7fff. sid 30348 reads at relative offset 3, sid 30347
# at relative offset 5.
# NOTE(review): offsets 3 and 5 after an FF C0 marker are presumably the frame height and
# width fields; confirm against the JPEG layout before changing either offset.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player JPEG parsing heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|FF D8 FF E0|"; content:"JFIF|00|"; within:5; distance:2; content:"|FF C0|"; within:2; distance:9; byte_test:2,>,0x7fff,3,relative; metadata:service smtp; reference:cve,2009-3794; classtype:attempted-user; sid:30348; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player JPEG parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FF D8 FF E0|"; content:"JFIF|00|"; within:5; distance:2; content:"|FF C0|"; within:2; distance:9; byte_test:2,>,0x7fff,5,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3794; classtype:attempted-user; sid:30347; rev:1;)
# CVE-2014-0508 (disabled): matches text rather than SWF bytes. It looks for three
# ".replace(" calls, each followed within 10 bytes by /5C/g, /2F/g and /%/g in that order,
# and then "localStorage.file". All matches are case-insensitive and there is no flowbits
# gate on file type.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player navigateToUrl hidden channel to file creation"; flow:to_server,established; file_data; content:".replace|28|"; nocase; content:"/5C/g"; within:10; nocase; content:".replace|28|"; within:100; nocase; content:"/2F/g"; within:10; nocase; content:".replace|28|"; within:100; nocase; content:"/%/g"; within:10; nocase; content:"localStorage.file"; within:100; fast_pattern; metadata:service smtp; reference:cve,2014-0508; classtype:attempted-user; sid:30540; rev:2;)
# alert tcp $EXTERNAL_NET 
$FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player navigateToUrl hidden channel to file creation"; flow:to_client,established; file_data; content:".replace|28|"; nocase; content:"/5C/g"; within:10; nocase; content:".replace|28|"; within:100; nocase; content:"/2F/g"; within:10; nocase; content:".replace|28|"; within:100; nocase; content:"/%/g"; within:10; nocase; content:"localStorage.file"; within:100; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0508; classtype:attempted-user; sid:30539; rev:1;)
# CVE-2014-0506 (apsb14-09): two byte patterns, each with an SMTP variant and a download
# variant.
#   pattern 7E F0 ED B8 ... 0A 5E 43 : sid 30538 (SMTP), sid 30535 (download)
#   pattern 61 6C 49 6E ... 69 74 06 : sid 30537 (SMTP), sid 30536 (download)
# The download variants also drop under connectivity-ips; the SMTP variants do not.
# NOTE(review): sid 30535 gates on flowbits:isset,file.cws while the other three gate on
# file.swf. Confirm that is intended and that the rules setting both flowbits are enabled;
# neither flowbit is set in this part of the file.
# NOTE(review): the 61 6C ... pattern is the ASCII text "alInterface", 0x07, "exploit",
# 0x06, so it appears to depend on a name literally called "exploit" in one sample. A file
# that does not hit sid 30537/30536 should not be treated as cleared for this CVE.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed HTML text null dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|7E F0 ED B8 1F 86 3B E8 6E EC 1E DA BD 9C EA AD F7 0A 5E 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,66208; reference:cve,2014-0506; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-09.html; classtype:attempted-user; sid:30538; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed HTML text null dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|61 6C 49 6E 74 65 72 66 61 63 65 07 65 78 70 6C 6F 69 74 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,66208; reference:cve,2014-0506; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-09.html; classtype:attempted-user; sid:30537; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed HTML text null dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|61 6C 49 6E 74 65 72 66 61 63 65 07 65 78 70 6C 6F 69 74 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66208; reference:cve,2014-0506; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-09.html; classtype:attempted-user; sid:30536; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed HTML text null dereference attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|7E F0 ED B8 1F 86 3B E8 6E EC 1E DA BD 9C EA AD F7 0A 5E 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66208; reference:cve,2014-0506; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-09.html; classtype:attempted-user; sid:30535; rev:1;)
# CVE-2013-0634 (apsb13-04): one fixed 30-byte pattern used as fast_pattern:only, with no
# flowbits gate on file type. Dropped under balanced-ips, max-detect-ips and security-ips.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_server,established; file_data; content:"|A7 DC 72 96 8E 0A E7 DC A7 EB D4 AC 8E 8D B9 52 53 8D 33 47 95 16 6B 68 5A 2E 5A 95 86 EA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57787; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:30755; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_client,established; file_data; content:"|A7 DC 72 96 8E 0A E7 DC A7 EB D4 AC 8E 8D B9 52 53 8D 33 47 95 16 6B 68 5A 2E 5A 95 86 EA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57787; reference:cve,2013-0634; 
reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:30754; rev:3;)
# CVE-2014-0507 (apsb14-09): sid 30846 (SMTP) and sid 30845 (download) match the same
# fixed 32-byte pattern as fast_pattern:only, with no flowbits gate on file type.
# NOTE(review): a single fixed byte run with no structural checks presumably reflects the
# bytes of one sample; treat a non-hit as inconclusive rather than as a clean result.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SWF ActionScript exploit attempt"; flow:to_server,established; file_data; content:"|86 A1 54 55 EE BB 0C F2 A8 D7 27 22 AF 0D 4C 8D 2B 85 3A 2C 05 42 6A BE 76 4C 58 65 02 17 EB 3F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0507; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-09.html; classtype:attempted-user; sid:30846; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SWF ActionScript exploit attempt"; flow:to_client,established; file_data; content:"|86 A1 54 55 EE BB 0C F2 A8 D7 27 22 AF 0D 4C 8D 2B 85 3A 2C 05 42 6A BE 76 4C 58 65 02 17 EB 3F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0507; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-09.html; classtype:attempted-user; sid:30845; rev:1;)
# CVE-2014-0509 (disabled): the only rules in this part of the file that inspect the
# request rather than a file. They apply to requests from $EXTERNAL_NET to $HOME_NET web
# servers and match the raw URI: ".swf" followed by %ED%A0%80 (the percent-encoded bytes
# ED A0 80, the UTF-8 form of the lone surrogate U+D800) and a backslash. The backslash
# is percent-encoded (%5C) in sid 30844 and literal (|5C|) in sid 30843.
# NOTE(review): msg says "Adobe Acrobat Reader", but the match is on a .swf URI and the
# reference is the Flash Player bulletin apsb14-09. The product name in msg looks
# mislabeled; confirm before using msg text for alert triage or routing.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Acrobat Reader cross-site scripting attempt"; flow:to_server,established; content:".swf"; http_raw_uri; content:"%ED%A0%80%5C"; distance:0; http_raw_uri; metadata:service http; reference:bugtraq,66703; reference:cve,2014-0509; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-09.html; classtype:attempted-user; sid:30844; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Acrobat Reader cross-site scripting attempt"; flow:to_server,established; content:".swf"; http_raw_uri; content:"%ED%A0%80|5C|"; distance:0; http_raw_uri; metadata:service http; reference:bugtraq,66703; reference:cve,2014-0509; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-09.html; classtype:attempted-user; sid:30843; rev:2;)
# CVE-2014-0510 (apsb14-14), first pattern: sid 31026 (SMTP) and sid 31025 (download).
# Both require the file.swf flowbit, then match one fixed 32-byte pattern.
# NOTE(review): file.swf is only tested here, never set, in this part of the file; confirm
# the rule that sets it is enabled, otherwise these rules cannot match.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|9E F0 A0 C5 BC 7B F7 EE ED 6E 86 16 48 08 2E 14 62 11 5E 02 E0 ED 4E 95 F5 0D B4 65 41 C9 EF 64|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0510; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; classtype:attempted-user; sid:31026; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|9E F0 A0 C5 BC 7B F7 EE ED 6E 86 16 48 08 2E 14 62 11 5E 02 E0 ED 4E 95 F5 0D B4 65 41 C9 EF 64|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0510; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; classtype:attempted-user; sid:31025; rev:1;)
# CVE-2014-0510, second pattern (sid 31024, SMTP): two 16-byte content options. Neither
# has distance or within, so their order and spacing in the file are not constrained.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0D 01 D0 66 06 60 02 66 0E D0 66 0B 4F 0F 02 D0|"; fast_pattern:only; content:"|66 06 D0 66 07 4F 0D 01 D0 66 05 24 00 4F 10 01|"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0510; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; classtype:attempted-user; sid:31024; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0D 01 D0 66 06 60 02 66 0E D0 66 0B 4F 0F 02 D0|"; fast_pattern:only; content:"|66 06 D0 66 07 4F 0D 01 D0 66 
05 24 00 4F 10 01|"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0510; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; classtype:attempted-user; sid:31023; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_server,established; file_data; content:"{|00|7|00|3|00|c|00|9|00|d|00|f|00|a|00|0|00|-|00|7|00|5|00|0|00|d|00|-|00|1|00|1|00|e|00|1|00|-|00|b|00|0|00|c|00|4|00|-|00|0|00|8|00|0|00|0|00|2|00|0|00|0|00|c|00|9|00|a|00|6|00|6|00|}|00|"; fast_pattern:only; content:"d|00|i|00|g|00|e|00|s|00|t|00|.|00|s|00|"; metadata:service smtp; reference:cve,2014-0518; reference:cve,2014-0520; reference:url,adobe.com/security/products/flash-player/apsb14-14.html; classtype:attempted-user; sid:31246; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_client,established; file_data; content:"{|00|7|00|3|00|c|00|9|00|d|00|f|00|a|00|0|00|-|00|7|00|5|00|0|00|d|00|-|00|1|00|1|00|e|00|1|00|-|00|b|00|0|00|c|00|4|00|-|00|0|00|8|00|0|00|0|00|2|00|0|00|0|00|c|00|9|00|a|00|6|00|6|00|}|00|"; fast_pattern:only; content:"d|00|i|00|g|00|e|00|s|00|t|00|.|00|s|00|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0518; reference:cve,2014-0520; reference:url,adobe.com/security/products/flash-player/apsb14-14.html; classtype:attempted-user; sid:31245; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Usage: InjectDll"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; 
reference:cve,2014-0517; reference:cve,2015-0333; reference:cve,2015-1743; reference:cve,2015-3081; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-admin; sid:31286; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"ExploitFlashBroker_Canonicalization.pdb"; fast_pattern:only; metadata:service smtp; reference:cve,2014-0517; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; classtype:attempted-admin; sid:31285; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Usage: InjectDll"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0517; reference:cve,2015-0333; reference:cve,2015-1743; reference:cve,2015-3081; reference:cve,2015-3083; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-admin; sid:31284; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt"; flow:to_client,established; 
flowbits:isset,file.exe; file_data; content:"ExploitFlashBroker_Canonicalization.pdb"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0517; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; classtype:attempted-admin; sid:31283; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player redirect attempt"; flow:to_client,established; file_data; content:"|92 46 59 93 3A 52 CC 52 8E 8C 03 78 FE EE DA D0 87 FC 33 97 9A|"; fast_pattern:only; content:"|96 9C F8 6E FA A7 24 F2 54 9E 1D 04 76 20 73 F8 ED DE 74 92 5B|"; metadata:service smtp; reference:bugtraq,67970; reference:cve,2014-0535; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:31282; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player redirect attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|92 46 59 93 3A 52 CC 52 8E 8C 03 78 FE EE DA D0 87 FC 33 97 9A|"; fast_pattern:only; content:"|96 9C F8 6E FA A7 24 F2 54 9E 1D 04 76 20 73 F8 ED DE 74 92 5B|"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,67970; reference:cve,2014-0535; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:31281; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe AS3 decompressed pcre assertion out of bounds corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"flash.display"; content:"RegExp"; distance:0; fast_pattern; content:"|28 3F 3D|"; within:10; pcre:"/\x28\x3f\x3d[^)]{300}/"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0536; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; reference:url,www.securityfocus.com/bid/67961; 
classtype:attempted-user; sid:31354; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe AS3 decompressed pcre assertion out of bounds corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"flash.display"; content:"RegExp"; distance:0; fast_pattern; content:"|28 3F 3D|"; within:10; pcre:"/\x28\x3f\x3d[^)]{300}/"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0536; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; reference:url,www.securityfocus.com/bid/67961; classtype:attempted-user; sid:31353; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe AS3 decompressed pcre assertion out of bounds corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"flash.display"; content:"RegExp"; distance:0; content:"|28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D|"; within:65; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0536; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; reference:url,www.securityfocus.com/bid/67961; classtype:attempted-user; sid:31352; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe AS3 decompressed pcre assertion out of bounds corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"flash.display"; content:"RegExp"; distance:0; content:"|28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D 28 3F 3D|"; within:65; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, 
service imap, service pop3; reference:cve,2014-0536; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; reference:url,www.securityfocus.com/bid/67961; classtype:attempted-user; sid:31351; rev:1;)
# sid 31350: mail-borne variant. Matches one fixed 48-byte sequence anywhere in the decoded
# file data (file_data + fast_pattern:only). It has no flowbits:isset,file.swf gate, so it is
# evaluated against any file type.
# NOTE(review): the header targets $SMTP_SERVERS port 25, but the flow option is to_client.
# Other SMTP-header rules in this file (e.g. sid 30846) use flow:to_server,established.
# As written, traffic sent to the mail server presumably never satisfies the flow check, so
# this drop rule likely cannot fire on inbound mail. Confirm with a capture before relying on
# it. The same header/flow combination appears on sids 31354, 31352 and 31348.
# NOTE(review): a static byte run like this presumably comes from one specific sample; a
# re-encoded file would not match, so treat a miss as absence of this sample only.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe AS3 simplified pcre assertion out of bounds corruption attempt"; flow:to_client,established; file_data; content:"|FB 62 54 C9 C3 D8 7F 2E A8 7D 9E 48 31 F2 43 19 4D 44 F1 D2 F8 C7 5B C3 44 2A 57 31 32 6F D3 51 24 85 19 8B A4 27 FB E6 8D E8 9D 3E A5 C6 20 F7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0536; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; reference:url,www.securityfocus.com/bid/67961; classtype:attempted-user; sid:31350; rev:1;)
# sid 31349: download-side sibling of sid 31350 (same 48-byte content). Its header is
# $FILE_DATA_PORTS -> $HOME_NET, which is consistent with flow:to_client.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe AS3 simplified pcre assertion out of bounds corruption attempt"; flow:to_client,established; file_data; content:"|FB 62 54 C9 C3 D8 7F 2E A8 7D 9E 48 31 F2 43 19 4D 44 F1 D2 F8 C7 5B C3 44 2A 57 31 32 6F D3 51 24 85 19 8B A4 27 FB E6 8D E8 9D 3E A5 C6 20 F7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0536; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; reference:url,www.securityfocus.com/bid/67961; classtype:attempted-user; sid:31349; rev:1;)
# sid 31348: mail-borne variant keyed on a different fixed 48-byte sequence.
# NOTE(review): same to_client flow on an SMTP-server header as sid 31350. Verify the
# direction before counting this rule as SMTP coverage for CVE-2014-0536.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe AS3 pcre assertion out of bounds corruption attempt"; flow:to_client,established; file_data; content:"|D7 C6 6E C9 B7 F6 2D BB 37 7A C5 18 65 1C CD C5 88 D8 E7 19 BF 30 B6 6E 22 AB E5 A3 16 2E 55 EF 05 6B A7 71 50 23 22 B8 74 17 1D C8 B9 94 9C 53|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0536;
reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; reference:url,www.securityfocus.com/bid/67961; classtype:attempted-user; sid:31348; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe AS3 pcre assertion out of bounds corruption attempt"; flow:to_client,established; file_data; content:"|D7 C6 6E C9 B7 F6 2D BB 37 7A C5 18 65 1C CD C5 88 D8 E7 19 BF 30 B6 6E 22 AB E5 A3 16 2E 55 EF 05 6B A7 71 50 23 22 B8 74 17 1D C8 B9 94 9C 53|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0536; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; reference:url,www.securityfocus.com/bid/67961; classtype:attempted-user; sid:31347; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt"; flow:to_client,established; file_data; content:"application/x-shockwave-flash"; nocase; content:"codebase="; within:200; nocase; content:"http"; within:6; content:"callback="; within:200; fast_pattern; content:"ws"; within:3; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4671; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-17.html; classtype:attempted-user; sid:31397; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt"; flow:to_client,established; file_data; content:"application/x-shockwave-flash"; nocase; content:"archive="; within:200; nocase; content:"http"; within:6; content:"callback="; within:200; fast_pattern; content:"ws"; within:3; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4671; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-17.html; classtype:attempted-user; 
sid:31396; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt"; flow:to_server,established; file_data; content:"application/x-shockwave-flash"; nocase; content:"codebase="; within:200; nocase; content:"http"; within:6; content:"callback="; within:200; fast_pattern; content:"ws"; within:3; nocase; metadata:service smtp; reference:cve,2014-4671; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-17.html; classtype:attempted-user; sid:31395; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt"; flow:to_server,established; file_data; content:"application/x-shockwave-flash"; nocase; content:"archive="; within:200; nocase; content:"http"; within:6; content:"callback="; within:200; fast_pattern; content:"ws"; within:3; nocase; metadata:service smtp; reference:cve,2014-4671; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-17.html; classtype:attempted-user; sid:31394; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt"; flow:to_server,established; file_data; content:"application/x-shockwave-flash"; nocase; content:"data="; within:200; nocase; content:"http"; within:6; content:"callback="; within:200; fast_pattern; content:"ws"; within:3; nocase; metadata:service smtp; reference:cve,2014-4671; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-17.html; classtype:attempted-user; sid:31393; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt"; flow:to_client,established; file_data; content:"application/x-shockwave-flash"; nocase; content:"data="; within:200; nocase; content:"http"; within:6; content:"callback="; within:200; fast_pattern; content:"ws"; within:3; nocase; metadata:service 
ftp-data, service http, service imap, service pop3; reference:cve,2014-4671; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-17.html; classtype:attempted-user; sid:31392; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt"; flow:to_server,established; file_data; content:"ExploitFlashBroker_ShortFileName.pdb"; fast_pattern:only; metadata:service smtp; reference:cve,2014-0519; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; classtype:attempted-admin; sid:31496; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt"; flow:to_client,established; file_data; content:"ExploitFlashBroker_ShortFileName.pdb"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0519; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; classtype:attempted-admin; sid:31495; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player security sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|F7 98 89 2B 18 31 4C 5D EA 5B 06 EF C8 1D 66 B5 3B 3C 4E 0D 63 A7 63 D9 86 32 0A 76 18 57 BE 3E A8 56 5D 6A|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,67963; reference:cve,2014-0534; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:policy-violation; sid:31494; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player security sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|F7 98 89 2B 18 31 4C 5D EA 5B 06 EF C8 1D 66 B5 3B 3C 4E 0D 63 A7 63 D9 86 32 0A 76 18 57 BE 3E A8 56 5D 6A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, 
service pop3; reference:bugtraq,67963; reference:cve,2014-0534; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:policy-violation; sid:31493; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player security sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0F 97 23 BE 53 7B FE 75 B5 5C 2F CF 00 37 DA DA AA 05 33 3A CC 27 96 5B 0E 17 2F DA 40 97 39 F5 DB 8C 8B 70|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,67963; reference:cve,2014-0534; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:policy-violation; sid:31492; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player security sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0F 97 23 BE 53 7B FE 75 B5 5C 2F CF 00 37 DA DA AA 05 33 3A CC 27 96 5B 0E 17 2F DA 40 97 39 F5 DB 8C 8B 70|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,67963; reference:cve,2014-0534; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:policy-violation; sid:31491; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player security sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"Security.sandboxType"; content:"LOCAL_WITH_FILE"; fast_pattern:only; content:"URLLoader|0A|URLRequest"; content:"navigateToURL"; metadata:service smtp; reference:bugtraq,67963; reference:cve,2014-0534; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:policy-violation; sid:31490; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player security sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; 
content:"Security.sandboxType"; content:"LOCAL_WITH_FILE"; fast_pattern:only; content:"URLLoader|0A|URLRequest"; content:"navigateToURL"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,67963; reference:cve,2014-0534; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:policy-violation; sid:31489; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player pcast scheme security sandbox bypass attempt"; flow:established,to_server; flowbits:isset,file.swf; file_data; content:"localsandbox_bypass"; fast_pattern:only; content:"URLLoader|0A|URLRequest"; content:"pcast:http"; within:15; content:"sendToURL"; within:100; metadata:service smtp; reference:bugtraq,68454; reference:cve,2014-0539; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-17.html; classtype:policy-violation; sid:31554; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|65 6C 6E 53 2B 69 76 56 73 39 79 70 45 4B 56 6C 72 54 43 2B 75 61 2F 72|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,68454; reference:cve,2014-0539; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-17.html; classtype:policy-violation; sid:31553; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"localsandbox_bypass"; fast_pattern:only; content:"URLLoader|0A|URLRequest"; content:"feed:http"; within:15; content:"sendToURL"; within:100; metadata:service smtp; reference:bugtraq,68454; reference:cve,2014-0539; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-17.html; classtype:policy-violation; sid:31552; rev:2;) # alert tcp $EXTERNAL_NET 
$FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player pcast scheme security sandbox bypass attempt"; flow:established,to_client; flowbits:isset,file.swf; file_data; content:"localsandbox_bypass"; fast_pattern:only; content:"URLLoader|0A|URLRequest"; content:"pcast:http"; within:15; content:"sendToURL"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,68454; reference:cve,2014-0539; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-17.html; classtype:policy-violation; sid:31551; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt"; flow:established,to_client; flowbits:isset,file.swf; file_data; content:"|9F 58 96 10 02 0F 64 F9 B4 C9 0A 68 04 E5 43 A2 75 24 9D 72 DB 4C 45 BD|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,68454; reference:cve,2014-0539; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-17.html; classtype:policy-violation; sid:31550; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt"; flow:established,to_client; flowbits:isset,file.swf; file_data; content:"localsandbox_bypass"; fast_pattern:only; content:"URLLoader|0A|URLRequest"; content:"feed:http"; within:15; content:"sendToURL"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,68454; reference:cve,2014-0539; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-17.html; classtype:policy-violation; sid:31549; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player cross-origin security policy bypass attempt"; flow:to_server,established; flowbits:isset,file.swf|file.cws; file_data; content:"|04 00 00 78 DA 5D 53 DB 6E D3 30 18 B6 93 B4 6E BB 75 
EB|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,67361; reference:cve,2014-0516; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; classtype:policy-violation; sid:31685; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player cross-origin security policy bypass attempt"; flow:to_client,established; flowbits:isset,file.swf|file.cws; file_data; content:"|04 00 00 78 DA 5D 53 DB 6E D3 30 18 B6 93 B4 6E BB 75 EB|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,67361; reference:cve,2014-0516; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; classtype:policy-violation; sid:31684; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash valueOf memory leak attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|21 87 78 41 C4 91 68 6C 24 3E 1A BF AE E5 A2 22 C4 68 1C 8F 8A F3 08 72 18 25 F1 D8 0D 8C 26 A3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2014-0540; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-18.html; classtype:attempted-recon; sid:31679; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash valueOf memory leak attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|21 87 78 41 C4 91 68 6C 24 3E 1A BF AE E5 A2 22 C4 68 1C 8F 8A F3 08 72 18 25 F1 D8 0D 8C 26 A3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0540; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-18.html; classtype:attempted-recon; sid:31678; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Broker write to junction exploit 
attempt"; flow:to_server,established; file_data; flowbits:isset,file.junction; content:"{|00|7|00|3|00|c|00|9|00|d|00|f|00|a|00|0|00|-|00|7|00|5|00|0|00|d|00|-|00|1|00|1|00|e|00|1|00|-|00|b|00|0|00|c|00|4|00|-|00|0|00|8|00|0|00|0|00|2|00|0|00|0|00|c|00|9|00|a|00|6|00|6|00|}|00|"; fast_pattern:only; content:"|5C 00|?|00|?|00 5C 00|"; metadata:service smtp; reference:cve,2014-0518; reference:cve,2014-0520; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; classtype:attempted-user; sid:31677; rev:2;)
# sid 31676: flowbit setter for the SMTP direction. flowbits:set,file.junction together with
# flowbits:noalert means the rule never alerts. It only marks the flow so that a rule testing
# file.junction (sid 31677) can match later. Both content matches are 4-byte sequences with
# no offset, depth or relative constraint.
# NOTE(review): the source port here is $FILE_DATA_PORTS although the destination is
# $SMTP_SERVERS 25. The other SMTP-header rules in this file use source port `any`. Presumably
# the header was copied from the to_client sibling (sid 31675). If the sending side's source
# port is not in $FILE_DATA_PORTS, the bit is never set on mail flows and sid 31677 cannot
# match even when enabled. Confirm against the vendor copy.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Broker write to junction exploit attempt"; flow:to_server,established; file_data; flowbits:set,file.junction; content:"|03 00 00 A0|"; content:"|A4 00 09 00|"; flowbits:noalert; metadata:service smtp; reference:cve,2014-0518; reference:cve,2014-0520; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; classtype:attempted-user; sid:31676; rev:1;)
# sid 31675: the same setter for the download protocols listed in its metadata
# (ftp-data, http, imap, pop3). It is silent by design (flowbits:noalert).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Broker write to junction exploit attempt"; flow:to_client,established; file_data; flowbits:set,file.junction; content:"|03 00 00 A0|"; content:"|A4 00 09 00|"; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0518; reference:cve,2014-0520; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; classtype:attempted-user; sid:31675; rev:1;)
# Disabled checker for the download direction. It requires file.junction to be set, then a
# brace-wrapped GUID string and the sequence `\??\`, both encoded as two bytes per character
# with a zero high byte. While this rule and sid 31677 stay commented out, the two setters
# above do work that produces no detection.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Broker write to junction exploit attempt"; flow:to_client,established; file_data; flowbits:isset,file.junction; content:"{|00|7|00|3|00|c|00|9|00|d|00|f|00|a|00|0|00|-|00|7|00|5|00|0|00|d|00|-|00|1|00|1|00|e|00|1|00|-|00|b|00|0|00|c|00|4|00|-|00|0|00|8|00|0|00|0|00|2|00|0|00|0|00|c|00|9|00|a|00|6|00|6|00|}|00|"; fast_pattern:only; content:"|5C 00|?|00|?|00 5C 00|"; metadata:service ftp-data, service http,
service imap, service pop3; reference:cve,2014-0518; reference:cve,2014-0520; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-14.html; classtype:attempted-user; sid:31674; rev:2;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player URL handling remote code execution attempt"; flow:to_server,established; content:".swf?"; fast_pattern:only; http_uri; pcre:"/\.swf\?\w+?=(https?|ftps?)?\x5C{2}(\x2F\D:\x2F)/Ii"; metadata:service http; reference:bugtraq,69191; reference:cve,2014-0541; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-18.html; classtype:attempted-admin; sid:31673; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory leak ASLR bypass attempt"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"|05 77 05 00 00 01 00 03 40 00 40 00 FF 08 1D 01 00 03 FF FC 00 00 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0544; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-18.html; classtype:policy-violation; sid:31726; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory leak ASLR bypass attempt"; flow:to_server,established; file_data; content:"FWS"; depth:3; fast_pattern; content:"|3F 05|"; distance:22; byte_test:1,>=,3,6,relative,little; byte_test:1,<=,5,6,relative,little; byte_jump:4,0,relative,little,align; isdataat:5,relative; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:-9; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0544; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-18.html; classtype:policy-violation; sid:31725; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory 
leak ASLR bypass attempt"; flow:to_server,established; file_data; content:"FWS"; depth:3; content:"|05 77 05 00 00 01 00 03 40 00 40 00 FF 08 1D 01 00 03 FF FC 00 00 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0544; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-18.html; classtype:policy-violation; sid:31724; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory leak ASLR bypass attempt"; flow:to_client,established; file_data; content:"FWS"; depth:3; fast_pattern; content:"|3F 05|"; distance:22; byte_test:1,>=,3,6,relative,little; byte_test:1,<=,5,6,relative,little; byte_jump:4,0,relative,little,align; isdataat:5,relative; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:-9; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0544; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-18.html; classtype:policy-violation; sid:31723; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MMgc use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B0 AE 21 46 B6 BE 69 98 BF 3A 5C 19 18 56 15 AE 1B 7E A1 BF 61 F8 88 61|"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0538; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-18.html; reference:url,www.securityfocus.com/bid/69192; classtype:attempted-user; sid:31733; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MMgc use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B0 AE 21 46 B6 BE 69 98 BF 3A 5C 19 18 56 15 AE 1B 7E A1 BF 61 F8 88 61|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy 
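security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0538; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-18.html; reference:url,www.securityfocus.com/bid/69192; classtype:attempted-user; sid:31732; rev:1;)
# sid 31740 (disabled): requires "FWS" in the first three bytes of the file data, then
# |BF 16| at least 28 bytes further on. It jumps by a 4-byte little-endian value read 6 bytes
# past that match and expects |00 00| within the next 20 bytes.
# NOTE(review): the header targets $SMTP_SERVERS 25 while the flow option is to_client.
# If this rule is ever enabled, confirm the direction first. The SMTP rules in this file
# that use to_server (e.g. sid 31750 below) show the expected pairing.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player corrupt image memory leak"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"|BF 16|"; distance:28; byte_jump:4,6,relative,little; content:"|00 00|"; within:20; metadata:policy security-ips drop, service smtp; reference:bugtraq,69197; reference:cve,2014-0545; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-18.html; classtype:attempted-user; sid:31740; rev:1;)
# sid 31739 (disabled): download-side sibling of sid 31740 with the same option chain.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player corrupt image memory leak"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"|BF 16|"; distance:28; byte_jump:4,6,relative,little; content:"|00 00|"; within:20; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,69197; reference:cve,2014-0531; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-18.html; classtype:attempted-user; sid:31739; rev:1;)
# sid 31750 / sid 31749 (disabled): script-level signature. It looks for ".swf", then
# "throwException", then "sendDataToJS" within 300 bytes. The pcre then requires the same
# variable name to be passed to both calls.
# Fix: the named capture group had lost its name (`(?P\w+?)`), which left both
# `(?P=unesc)` back-references pointing at a group that does not exist. It is restored
# to `(?P<unesc>...)`.
# NOTE(review): the bare double quotes inside the pcre string may be further extraction
# damage. Compare with the vendor copy before enabling either rule.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player marshallException through JavaScript XSS attempt"; flow:to_server,established; file_data; content:".swf"; fast_pattern; nocase; content:"throwException"; distance:0; nocase; content:"sendDataToJS"; within:300; nocase; pcre:"/var\s+?(?P<unesc>\w+?)\s*?=\s*?([^'"]|['"])+?[^>]*?throwException\s*?\(\s*?(?P=unesc)\s*?\)[^\r]*?sendDataToJS\s*?\(\s*?(?P=unesc)\s*?\)/i"; metadata:service smtp; reference:bugtraq,67962; reference:cve,2014-0531; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:31750; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player marshallException through JavaScript XSS attempt"; flow:to_client,established; file_data; content:".swf"; fast_pattern; nocase; content:"throwException"; distance:0; nocase; content:"sendDataToJS"; within:300; nocase; pcre:"/var\s+?(?P<unesc>\w+?)\s*?=\s*?([^'"]|['"])+?[^>]*?throwException\s*?\(\s*?(?P=unesc)\s*?\)[^\r]*?sendDataToJS\s*?\(\s*?(?P=unesc)\s*?\)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,67962; reference:cve,2014-0531; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:31749; rev:2;)
# sid 31842: mail-borne variant gated on the file.swf flowbit. It matches one fixed 20-byte
# sequence anywhere in the file data.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|FF FC 81 D9 83 07 0E 1E DC 1F 14 FD 83 B3 6A EA 3D D7 F4 AF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0554; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:31842; rev:2;)
# sid 31841: string-based variant. The four content matches carry no relative modifiers,
# so they may occur in any order in the file data. Only "file:///" is case-sensitive.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"proxy_fla"; nocase; content:"file:///"; fast_pattern:only; content:"toLowerCase"; nocase; content:"toUpperCase"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0554; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:31841; rev:2;)
# Download-side sibling of sid 31842 (same 20-byte content). The rule continues on the
# next line of the file.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FF FC 81 D9 83 07 0E 1E DC 1F 14 FD 83 B3 6A EA 3D D7 F4 AF|";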
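fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0554; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:31840; rev:1;)
# sid:31839: string indicators "proxy_fla", "file:///", "toLowerCase", "toUpperCase" in file
# data; requires the file.swf flowbit, which is set by a rule outside this section.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"proxy_fla"; nocase; content:"file:///"; fast_pattern:only; content:"toLowerCase"; nocase; content:"toUpperCase"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0554; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:31839; rev:1;)
# sids 31862/31861 (disabled): file data starting with |FF D8 FF|, an |FF C0| marker, a |08|
# byte two bytes later, then negated content checks on the bytes that follow.
# NOTE(review): sid:31862 is written for EXTERNAL_NET -> SMTP_SERVERS 25 but carried
# flow:to_client; it is set to to_server here to agree with the rule header and with the
# other SMTP rules in this file. This is a local correction; rev is left unchanged.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player corrupt image memory leak"; flow:to_server,established; file_data; content:"|FF D8 FF|"; depth:3; fast_pattern; content:"|FF C0|"; offset:2; content:"|08|"; within:1; distance:2; content:!"|00 00 00 00|"; within:4; content:!"|01|"; within:1; distance:4; content:!"|03|"; within:1; distance:4; content:!"|04|"; within:1; distance:4; metadata:service smtp; reference:bugtraq,69194; reference:cve,2014-0542; classtype:attempted-user; sid:31862; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player corrupt image memory leak"; flow:to_client,established; file_data; content:"|FF D8 FF|"; depth:3; fast_pattern; content:"|FF C0|"; offset:2; content:"|08|"; within:1; distance:2; content:!"|00 00 00 00|"; within:4; content:!"|01|"; within:1; distance:4; content:!"|03|"; within:1; distance:4; content:!"|04|"; within:1; distance:4; metadata:service ftp-data, service http, service imap, service pop3; 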
reference:bugtraq,69194; reference:cve,2014-0542; classtype:attempted-user; sid:31861; rev:1;)
# sids 31850/31848: fixed 24-byte sequence in file data; requires the file.swf flowbit,
# which is set by a rule outside this section.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B9 74 64 46 31 F5 52 97 D7 D4 E7 52 59 F0 DD 10 21 11 A5 BD C0 4F 86 24|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0559; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:31850; rev:1;)
# sids 31849/31847: literal "RegExp<(...WMLIANG..." string followed by a run of 0x7C ("|")
# bytes. The pattern is one exact string, so any change to the embedded expression evades it.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"RegExp<((?i)((?i)(?J)WMLIANG(?-J)(?-i)|7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C|)(?-i))"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0559; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:31849; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B9 74 64 46 31 F5 52 97 D7 D4 E7 52 59 F0 DD 10 21 11 A5 BD C0 4F 86 24|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0559; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:31848; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"RegExp<((?i)((?i)(?J)WMLIANG(?-J)(?-i)|7C 7C 7C 
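7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C|)(?-i))"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0559; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:31847; rev:1;)
# sids 32027/32026 (disabled): file data starting with "ID3" that contains a TRCK frame
# header followed by |00 00 00 01 00 00 00|.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player invalid TRCK frame attempt"; flow:to_server,established; file_data; content:"ID3"; depth:3; content:"TRCK|00 00 00 01 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,69703; reference:cve,2014-0552; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:32027; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid TRCK frame attempt"; flow:to_client,established; file_data; content:"ID3"; depth:3; content:"TRCK|00 00 00 01 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,69703; reference:cve,2014-0552; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:32026; rev:2;)
# sids 32025/32024: fixed 25-byte sequence in file data (no flowbit precondition).
# NOTE(review): sid:32025 is an enabled drop rule for EXTERNAL_NET -> SMTP_SERVERS 25 but
# carried flow:to_client, so it would not be expected to match inbound mail and left the SMTP
# path uncovered. It is set to to_server here, as in the other SMTP rules in this file.
# This is a local correction; rev is left unchanged, so track it against upstream updates.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player unsupported bitmapFormat value memory disclosure attempt"; flow:to_server,established; file_data; content:"|3F 05 77 05 00 00 01 00 00 40 00 40 00 01 08 1D 01 06 02 F9 FD 00 00 00 FF|"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,69195; reference:cve,2014-0543; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-18.html; classtype:attempted-user; sid:32025; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player unsupported bitmapFormat value memory disclosure attempt"; flow:to_client,established; file_data; content:"|3F 05 77 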
05 00 00 01 00 00 40 00 40 00 01 08 1D 01 06 02 F9 FD 00 00 00 FF|"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,69195; reference:cve,2014-0543; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-18.html; classtype:attempted-user; sid:32024; rev:1;)
# sids 32098/32097: fixed 32-byte sequence in file data; enabled as drop in all four listed
# policies, including connectivity-ips.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_server,established; file_data; content:"|7D 6E 5C 23 7A DD 21 75 5A D8 7C E6 C5 AE 6C 2F 47 C2 68 61 D7 D1 C4 EC D2 13 31 27 67 97 FC 34|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:32098; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_client,established; file_data; content:"|7D 6E 5C 23 7A DD 21 75 5A D8 7C E6 C5 AE 6C 2F 47 C2 68 61 D7 D1 C4 EC D2 13 31 27 67 97 FC 34|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:32097; rev:3;)
# sid:32077: packet-payload rule (no file_data): a payload of exactly 17 bytes (dsize:17) with
# this content, sent from source port 1935. It has no service metadata, so it is port-bound.
alert tcp $EXTERNAL_NET 1935 -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt"; flow:to_client,established; dsize:17; content:"|01 02 00 00 00 00 00 04 02 00 00 00 00 00 00 00 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2014-0551; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; 
classtype:attempted-user; sid:32077; rev:1;)
# sids 32239/32238: NUL-separated identifier strings ("_global", "str_n", "prototype",
# "pow2str", ...) in file data; requires the file.swf flowbit, set by a rule outside this section.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|00 0B 00|X|00|_global|00|s|00|A|00|str_n|00|n|00|prototype|00|pow2str"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0558; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; classtype:attempted-user; sid:32239; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|00 0B 00|X|00|_global|00|s|00|A|00|str_n|00|n|00|prototype|00|pow2str"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0558; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; classtype:attempted-user; sid:32238; rev:1;)
# sids 32237/32236: same message and CVE reference, matched on a fixed 36-byte sequence instead.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|F8 54 2C 1D B7 41 E9 47 FA BA 3B C8 2B 90 D2 D5 AC A4 50 84 4D 07 BE AD 28 A8 B6 41 A7 EF D1 51 F8 B9 84 84|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0558; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; classtype:attempted-user; sid:32237; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|F8 54 2C 1D B7 41 E9 47 FA BA 3B C8 2B 90 D2 D5 AC A4 50 84 4D 07 BE AD 28 A8 B6 
41 A7 EF D1 51 F8 B9 84 84|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0558; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; classtype:attempted-user; sid:32236; rev:1;)
# sids 32229/32228: the strings "atomicCompareAndSwapLength" and "casi32" plus a 9-byte
# sequence, all anywhere in file data (no relative positioning); requires the file.swf flowbit.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"atomicCompareAndSwapLength"; content:"casi32"; content:"|24 01 4F 0B 02 5D 0C 2F 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:32229; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"atomicCompareAndSwapLength"; content:"casi32"; content:"|24 01 4F 0B 02 5D 0C 2F 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:32228; rev:2;)
# sids 32227/32226: same message and CVE reference, matched on a fixed 48-byte sequence instead.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|74 DA 25 FE 65 D4 C9 59 13 3B 3F E6 0D D5 73 CC 06 F5 78 B1 93 9A 6F 9D F4 70 F0 ED 08 57 C0 57 9E 56 76 FC 88 F1 7A 75 CC B0 EC 8D 18 69 13 87|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; 
reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:32227; rev:2;)
# sid:32226: fixed 48-byte sequence in file data; requires the file.swf flowbit, which is set
# by a rule outside this section.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|74 DA 25 FE 65 D4 C9 59 13 3B 3F E6 0D D5 73 CC 06 F5 78 B1 93 9A 6F 9D F4 70 F0 ED 08 57 C0 57 9E 56 76 FC 88 F1 7A 75 CC B0 EC 8D 18 69 13 87|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0569; reference:url,helpx.adobe.com/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:32226; rev:2;)
# sids 32308/32307: one exact expression string, "RegExp" followed by "(?:(?1){1020}())?",
# with the length-prefix bytes |06| and |11| around it. classtype is attempted-dos.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player regex denial of service attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"exp|06|RegExp|11|(?:(?1){1020}())?"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0564; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; classtype:attempted-dos; sid:32308; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player regex denial of service attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"exp|06|RegExp|11|(?:(?1){1020}())?"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0564; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; classtype:attempted-dos; sid:32307; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player regex denial of service attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; 
content:"|28 3F 3A 28 41 29 28 3F 32 29 7B 30 2C 31 30 32 30 7D 3F 28 42 29 29 3F 29 5E 16 01 16 05 16 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0564; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; classtype:attempted-dos; sid:32306; rev:2;)
# sid:32305: fixed 32-byte sequence in file data; the leading bytes are printable ASCII
# (a parenthesised expression written in hex) followed by six non-printable bytes.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player regex denial of service attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|28 3F 3A 28 41 29 28 3F 32 29 7B 30 2C 31 30 32 30 7D 3F 28 42 29 29 3F 29 5E 16 01 16 05 16 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0564; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; classtype:attempted-dos; sid:32305; rev:2;)
# sids 32304/32303: same message and CVE reference, matched on a fixed 40-byte sequence.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player regex denial of service attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|EF 40 CA C8 03 F4 11 94 77 22 65 E4 41 BA 17 94 BB 28 96 E7 21 8A 75 DA 4D 1F 45 FD 61 FA 18 D2 3D 74 1F D2 47 E8 7E A4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0564; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; classtype:attempted-dos; sid:32304; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player regex denial of service attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|EF 40 CA C8 03 F4 11 94 77 22 65 E4 41 BA 17 94 BB 28 96 E7 21 8A 75 DA 4D 1F 45 FD 61 FA 18 D2 3D 74 1F D2 47 E8 7E A4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0564; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; classtype:attempted-dos; sid:32303; rev:1;)
# sids 32302/32301: fixed 40-byte sequence in file data; requires the file.swf flowbit,
# which is set by a rule outside this section.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player regex denial of service attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|EC 2E E3 1F 26 F3 21 8E 46 53 3C A2 DE D1 CB 22 77 13 17 35 62 4E BD 27 26 23 DC 32 DB 8E BB 53 56 21 C1 AE FD 5F B3 AF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0564; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; classtype:attempted-dos; sid:32302; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player regex denial of service attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|EC 2E E3 1F 26 F3 21 8E 46 53 3C A2 DE D1 CB 22 77 13 17 35 62 4E BD 27 26 23 DC 32 DB 8E BB 53 56 21 C1 AE FD 5F B3 AF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0564; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; classtype:attempted-dos; sid:32301; rev:1;)
# sid:32360: fixed 32-byte sequence in file data on the SMTP path (no flowbit precondition).
# NOTE(review): no FILE_DATA_PORTS counterpart is visible next to this rule - confirm one
# exists elsewhere in the file.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt"; flow:to_server,established; file_data; content:"|9E 4E B0 BC 2D 9D 36 A9 41 6A 09 70 18 09 A5 C9 70 0B A7 11 F8 80 B2 86 45 56 F1 91 2E E0 7C D4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0502; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; classtype:attempted-user; sid:32360; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player HTML focus with no data denial of service attempt"; flow:to_server,established; 
file_data; content:"focus()"; nocase; content:"onfocusout="; within:15; nocase; content:"document.write("; within:20; nocase; content:"src="; within:30; nocase; content:".swf"; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8441; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-dos; sid:32545; rev:2;)
# sid:32544: case-insensitive HTML/script chain - "focus()", "onfocusout=", "document.write(",
# "src=", ".swf" - each required within a short window after the previous match. No
# fast_pattern is designated, and the tight windows tie the rule to one markup layout.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player HTML focus with no data denial of service attempt"; flow:to_client,established; file_data; content:"focus()"; nocase; content:"onfocusout="; within:15; nocase; content:"document.write("; within:20; nocase; content:"src="; within:30; nocase; content:".swf"; within:20; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8441; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-dos; sid:32544; rev:1;)
# sids 32543/32542: fixed 40-byte sequence in file data; per the msg this is the compressed
# form of the sample (no flowbit precondition).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player compressed microphone object codec denial of service attempt"; flow:to_server,established; file_data; content:"|0A 71 8B 84 10 13 51 40 06 4C 1C A5 BF B5 1C 4A 6F 64 4E D0 E5 6D C5 71 66 99 97 6A 76 F5 4E 8D 77 C7 01 BD 18 8F 09 C0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,71038; reference:cve,2014-0577; classtype:attempted-dos; sid:32543; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player compressed microphone object codec denial of service attempt"; flow:to_client,established; file_data; content:"|0A 71 8B 84 10 13 51 40 06 4C 1C A5 BF B5 1C 4A 6F 64 4E D0 E5 6D C5 71 66 99 97 6A 76 F5 4E 8D 77 C7 01 BD 18 8F 09 C0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, 
service ftp-data, service http, service imap, service pop3; reference:bugtraq,71038; reference:cve,2014-0577; classtype:attempted-dos; sid:32542; rev:1;)
# sids 32541/32540: fixed byte sequence in file data; per the msg this is the decompressed
# form of the sample (no flowbit precondition).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player decompressed microphone object codec denial of service attempt"; flow:to_server,established; file_data; content:"|96 02 00 08 8A 4E 96 02 00 08 8B 52 96 16 00 07 02 00 00 00 07 04 00 00 00 07 38 08 00 00 07 02 00 00 00 08 02 1C 96 02 00 08 40 4E 96 02 00 08 6C 4E 96 02 00 08 06 4E 96 02 00 08 8C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,71038; reference:cve,2014-0577; classtype:attempted-dos; sid:32541; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player decompressed microphone object codec denial of service attempt"; flow:to_client,established; file_data; content:"|96 02 00 08 8A 4E 96 02 00 08 8B 52 96 16 00 07 02 00 00 00 07 04 00 00 00 07 38 08 00 00 07 02 00 00 00 08 02 1C 96 02 00 08 40 4E 96 02 00 08 6C 4E 96 02 00 08 06 4E 96 02 00 08 8C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,71038; reference:cve,2014-0577; classtype:attempted-dos; sid:32540; rev:1;)
# sid:32539: fixed 20-byte sequence in file data on the SMTP path; requires the file.swf
# flowbit, which is set by a rule outside this section.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|EC E9 AE E9 50 93 D8 09 1E A3 3A E9 D0 CD 64 F2 52 D5 D0 AF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0581; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-dos; sid:32539; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 regular expression grouping 
depth denial of service attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|DC EA 71 49 2D 6A DA 63 B5 D1 B5 6C 6A 39 11 36 43 A3 2D 1F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0581; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-dos; sid:32538; rev:2;)
# sid:32537: eight consecutive "(" characters, then "RegExp", "match" and "Object" by relative
# position. NOTE(review): the to_client counterpart (sid:32534) puts nocase on "RegExp" and
# within:50 on "match"; here within:50 is on "RegExp", which is case-sensitive, and "match"
# uses distance:0. The two rules therefore accept different inputs - confirm which is intended.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"(((((((("; content:"RegExp"; within:50; content:"match"; distance:0; nocase; content:"Object"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0581; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-dos; sid:32537; rev:2;)
# sids 32536/32535: to_client counterparts of the two fixed 20-byte signatures (sids 32539/32538).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|EC E9 AE E9 50 93 D8 09 1E A3 3A E9 D0 CD 64 F2 52 D5 D0 AF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0581; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-dos; sid:32536; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|DC EA 71 49 2D 6A DA 63 B5 D1 B5 6C 6A 39 11 36 43 A3 2D 1F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, 
service http, service imap, service pop3; reference:cve,2014-0581; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-dos; sid:32535; rev:1;)
# sid:32534: eight consecutive "(" characters, then "RegExp" (nocase, anywhere), "match" within
# 50 bytes of it and "Object" within 20. NOTE(review): the SMTP counterpart (sid:32537) places
# within:50 on a case-sensitive "RegExp" instead - confirm which form is intended.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"(((((((("; content:"RegExp"; nocase; content:"match"; within:50; nocase; content:"Object"; within:20; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0581; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-dos; sid:32534; rev:1;)
# sids 32576/32575: fixed 20-byte sequences in file data on the SMTP path; these require the
# file.cws flowbit (not file.swf), which is set by a rule outside this section.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.cws; content:"|9F 80 9D 01 1D 03 0E 2B D5 AB D7 A0 9E 6B A8 D0 6B 1D AB A8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,69700; reference:cve,2014-0550; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:32576; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.cws; content:"|77 D2 9A A4 EB 60 E5 F7 A2 D5 DC 4D 5B C8 6B 9F 24 76 36 0F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,69700; reference:cve,2014-0550; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:32575; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player string 
concatenation integer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"MTASC_MAIN|00|this|00|AS2StringConcat"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,69700; reference:cve,2014-0550; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:32574; rev:1;)
# sids 32573/32572: fixed 20-byte sequences in file data; these require the file.cws flowbit
# (not file.swf), which is set by a rule outside this section.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.cws; content:"|9F 80 9D 01 1D 03 0E 2B D5 AB D7 A0 9E 6B A8 D0 6B 1D AB A8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,69700; reference:cve,2014-0550; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:32573; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.cws; content:"|77 D2 9A A4 EB 60 E5 F7 A2 D5 DC 4D 5B C8 6B 9F 24 76 36 0F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,69700; reference:cve,2014-0550; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:32572; rev:1;)
# sid:32571: NUL-separated strings "MTASC_MAIN", "this", "AS2StringConcat" in file data;
# requires the file.swf flowbit.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"MTASC_MAIN|00|this|00|AS2StringConcat"; 
fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,69700; reference:cve,2014-0550; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:32571; rev:2;)
# sids 32570/32569/32568: fixed 32-byte sequences in file data; all require the file.swf
# flowbit, which is set by a rule outside this section.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|E3 FB 0E 95 B1 3C 9C A7 87 A3 C1 51 A8 05 37 55 DC D9 3F AA 8C 06 57 80 0C 1C 68 60 E3 3B 17 94|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0555; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:32570; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1D 01 62 04 24 00 4F 1D 01 D3 62 04 2D 01 26 4F 1E 03 47 00 00 03 02 01 01 08 23 D0 30 65 00 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0555; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:32569; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|E3 FB 0E 95 B1 3C 9C A7 87 A3 C1 51 A8 05 37 55 DC D9 3F AA 8C 06 57 80 0C 1C 68 60 E3 3B 17 94|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0555; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:32568; rev:1;)
alert tcp $EXTERNAL_NET 
$FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1D 01 62 04 24 00 4F 1D 01 D3 62 04 2D 01 26 4F 1E 03 47 00 00 03 02 01 01 08 23 D0 30 65 00 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0555; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:32567; rev:1;)
# sids 32561/32560: fixed 32-byte sequence in file data; requires the file.swf flowbit,
# which is set by a rule outside this section.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|07 6D 2D 01 2D 01 63 04 D3 30 D1 6F 01 D2 63 04 03 47 62 04 50 29 47 6D 02 65 01 D3 6D 03 65 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0584; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32561; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|07 6D 2D 01 2D 01 63 04 D3 30 D1 6F 01 D2 63 04 03 47 62 04 50 29 47 6D 02 65 01 D3 6D 03 65 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0584; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32560; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|70 A4 8B 52 A9 
3F 4E B8 2B 23 41 C2 15 85 36 D9 06 53 CA AD F2 56 59 29 B5 4A 4A A3 D5 D8 6A 70|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0584; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32559; rev:1;)
# sid:32558: fixed 32-byte sequence in file data; requires the file.swf flowbit, which is set
# by a rule outside this section.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|70 A4 8B 52 A9 3F 4E B8 2B 23 41 C2 15 85 36 D9 06 53 CA AD F2 56 59 29 B5 4A 4A A3 D5 D8 6A 70|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0584; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32558; rev:1;)
# sids 32553/32552: |BF 03|, then |01 00 8F| exactly four bytes later, plus a 16-byte
# fast-pattern sequence anywhere in the file data. These use classtype denial-of-service,
# whereas the other DoS rules in this section use attempted-dos.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player incorrect codec denial of service attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|BF 03|"; content:"|01 00 8F|"; within:3; distance:4; content:"|68 00 F1 16 22 FC B8 0D F8 15 C4 3F E4 40 8F 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0576; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:denial-of-service; sid:32553; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player incorrect codec denial of service attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BF 03|"; content:"|01 00 8F|"; within:3; distance:4; content:"|68 00 F1 16 22 FC B8 0D F8 15 C4 3F E4 40 8F 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0576; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:denial-of-service; sid:32552; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed JPEG information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.jpeg; content:"|76 2A 95 8A 96 E4 F9 A5 A4 10 4B 38 84 BE C3 A7 9F EF 1C 3B 35 41 3C 93 35 92 F3 07 26 0C 6A 48 58 0C 07 C2 42 F7 F7 16|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,69701; reference:cve,2014-0557; classtype:attempted-user; sid:32593; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed JPEG information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.jpeg; content:"|76 2A 95 8A 96 E4 F9 A5 A4 10 4B 38 84 BE C3 A7 9F EF 1C 3B 35 41 3C 93 35 92 F3 07 26 0C 6A 48 58 0C 07 C2 42 F7 F7 16|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,69701; reference:cve,2014-0557; classtype:attempted-user; sid:32592; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player byteArray.uncompress use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|7C 7A AC 60 DB AB 45 67 76 74 D5 B2 98 DD 01 F4 44 26 CB BB 11 B3 19 1C 8F 99 82 97 ED 16|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:bugtraq,71048; reference:cve,2014-0588; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-28.html; classtype:attempted-user; sid:32669; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byteArray.uncompress use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|7C 7A AC 60 DB AB 45 67 76 74 D5 B2 
98 DD 01 F4 44 26 CB BB 11 B3 19 1C 8F 99 82 97 ED 16|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,71048; reference:cve,2014-0588; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-28.html; classtype:attempted-user; sid:32668; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt"; flow:to_server,established; file_data; content:"|53 98 DC D8 6B 9A D5 AD 62 CB 4B 22 1F 9F B5 BB 6F 89 4D 4B 77 A2 66 C8 6E 83 17 90 78 71 7F C4 EC E4 67 98 DA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0586; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32767; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt"; flow:to_client,established; file_data; content:"|53 98 DC D8 6B 9A D5 AD 62 CB 4B 22 1F 9F B5 BB 6F 89 4D 4B 77 A2 66 C8 6E 83 17 90 78 71 7F C4 EC E4 67 98 DA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0586; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32766; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt"; flow:to_server,established; file_data; content:"|09 03 D0 30 47 00 00 01 03 01 09 0A 16 D0 30 D0 49 00 5D 02 2C 07 2C 03 4F 02 02 5D 04 2C 0D 4F 04 01 47 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0586; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32765; rev:1;) alert tcp $EXTERNAL_NET 
$FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt"; flow:to_client,established; file_data; content:"|09 03 D0 30 47 00 00 01 03 01 09 0A 16 D0 30 D0 49 00 5D 02 2C 07 2C 03 4F 02 02 5D 04 2C 0D 4F 04 01 47 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0586; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32764; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D0 30 D0 49 00 5D 02 2C 07 2C 03 4F 02 02 5D 04 2C 0D 4F 04 01 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,71044; reference:cve,2014-0585; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32752; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|4A 99 D8 93 D8 D4 F1 58 E3 C9 A3 2B 36 F0 21 6C F8 0D 04 12 2B 36|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,71044; reference:cve,2014-0585; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32751; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D0 30 D0 49 00 5D 02 2C 07 2C 03 4F 02 02 5D 04 2C 0D 4F 04 01 47|"; fast_pattern:only; 
metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,71044; reference:cve,2014-0585; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32750; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|4A 99 D8 93 D8 D4 F1 58 E3 C9 A3 2B 36 F0 21 6C F8 0D 04 12 2B 36|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,71044; reference:cve,2014-0585; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32749; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|68 13 5D 21 D0 66 13 2C 47 A0 4F 21 01 5D 21 2C 48 4F 21 01 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-9163; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-27.html; classtype:attempted-user; sid:32785; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|26 95 85 B7 63 3B CB 6C F8 A8 91 B6 59 C4 65 2F F2 1F 98 EF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-9163; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb14-27.html; classtype:attempted-user; sid:32784; rev:3;)
# Layout note: one rule per line from here on. A line that starts with "# alert" is a rule
# that ships disabled; a line that starts with "alert" is enabled.
#
# parseFloat (CVE-2014-9163 per the reference), to_client direction. Two signatures for the
# same issue: one gated on flowbit file.swf, one on flowbit file.cws. Presumably these are the
# uncompressed and compressed forms of the same sample; the rules that set these flowbits are
# not in this part of the file, so confirm there.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|68 13 5D 21 D0 66 13 2C 47 A0 4F 21 01 5D 21 2C 48 4F 21 01 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-9163; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-27.html; classtype:attempted-user; sid:32783; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|26 95 85 B7 63 3B CB 6C F8 A8 91 B6 59 C4 65 2F F2 1F 98 EF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-9163; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-27.html; classtype:attempted-user; sid:32782; rev:2;)
# Corrupt MP4 pair (disabled, no policy entries in metadata). Unlike the byte-signature rules
# around it, this is a structural check gated on flowbit file.mp4:
#   1. content:"stsc"; nocase            - finds the literal "stsc", case-insensitively
#   2. byte_test:4,>,0,4,relative        - the 4-byte value starting 4 bytes after "stsc" must be > 0
#   3. content:!"|01|"; distance:11; within:1 - the single byte 11 bytes after "stsc" must NOT be 0x01
#   4. byte_test:4,<=,1,16,relative      - the 4-byte value starting 16 bytes after "stsc" must be <= 1
# NOTE(review): steps 2-4 are read here as all relative to the end of the "stsc" match (a negated
# content should not advance the cursor) - confirm against the Snort manual. The offsets presumably
# line up with the entry count and first entry of the MP4 sample-to-chunk box; verify against the
# container spec. The only fixed anchor is a 4-byte string, so measure the false-positive rate on
# local traffic before enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt"; flow:to_server,established; file_data; flowbits:isset,file.mp4; content:"stsc"; nocase; byte_test:4,>,0,4,relative; content:!"|01|"; within:1; distance:11; byte_test:4,<=,1,16,relative; metadata:service smtp; reference:bugtraq,69707; reference:cve,2014-0553; reference:cve,2015-5578; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-dos; sid:32818; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt"; flow:to_client,established; file_data; flowbits:isset,file.mp4; content:"stsc"; nocase; byte_test:4,>,0,4,relative; content:!"|01|"; within:1; distance:11; byte_test:4,<=,1,16,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,69707; reference:cve,2014-0553; reference:cve,2015-5578; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-dos; sid:32817; rev:7;)
# Regex buffer overflow (CVE-2014-9162 per the reference), SMTP direction. Each rule is a single
# fixed byte sequence used as fast_pattern:only and gated on flowbit file.swf. All are disabled
# and their metadata names only the service, with no policy entry.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player regex buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|9B 7E 90 25 21 39 D2 0F 92 34 E0 4C FF EB 51 FB 9E E3 A2 3F D0 9F 73 45 7D C4 83 30 2B DF 39 E2|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-9162; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-27.html; classtype:attempted-user; sid:32812; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player regex buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|93 87 A6 0F 1B D0 3F 25 23 33 33 59 E7 7A 19 16 3E 59 1D 35 E5 D3 1D 65 99 35 EE 4A B1 0A D5 F6|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-9162; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-27.html; classtype:attempted-user; sid:32811; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player regex buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|85 D5 20 85 D6 24 00 82 D7 2C 05 82 63 04 24 00 82 63 05 10 12 00 00 09 2C 06 62 04 A0 2C 07 A0|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-9162;
reference:url,helpx.adobe.com/security/products/flash-player/apsb14-27.html; classtype:attempted-user; sid:32810; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player regex buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|37 F0 11 75 6C EE C8 B4 6D 94 04 57 5F F0 1E 45 CA 23 A3 60 87 25 1D 9A BC 00 01 43 45 3D D6 F6|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-9162; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-27.html; classtype:attempted-user; sid:32809; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player regex buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|9B 7E 90 25 21 39 D2 0F 92 34 E0 4C FF EB 51 FB 9E E3 A2 3F D0 9F 73 45 7D C4 83 30 2B DF 39 E2|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-9162; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-27.html; classtype:attempted-user; sid:32808; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player regex buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|93 87 A6 0F 1B D0 3F 25 23 33 33 59 E7 7A 19 16 3E 59 1D 35 E5 D3 1D 65 99 35 EE 4A B1 0A D5 F6|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-9162; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-27.html; classtype:attempted-user; sid:32807; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player regex buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|85 D5 20 85 D6 24 00 82 D7 2C 05 82 63 04 24 00 82 63 05 10 12 00 00 09 2C 06 62 04 A0 2C 07 A0|"; fast_pattern:only; 
metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-9162; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-27.html; classtype:attempted-user; sid:32806; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player regex buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|37 F0 11 75 6C EE C8 B4 6D 94 04 57 5F F0 1E 45 CA 23 A3 60 87 25 1D 9A BC 00 01 43 45 3D D6 F6|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-9162; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-27.html; classtype:attempted-user; sid:32805; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player orphaning MP3 crash attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|55 37 FF 80 89 01 7B 02 4C BB 0F ED FE 53 77 5E CA 57 49 01 8E 82 C4 5B 57 A6 D7 C3 D9 FD|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2014-8443; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-27.html; classtype:attempted-user; sid:32802; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player orphaning MP3 crash attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|55 37 FF 80 89 01 7B 02 4C BB 0F ED FE 53 77 5E CA 57 49 01 8E 82 C4 5B 57 A6 D7 C3 D9 FD|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8443; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-27.html; classtype:attempted-user; sid:32801; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray crash attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; 
content:"|78 07 C1 19 04 E7 10 9C 47 F0 2E 82 F7 10 BC 8F E0 03 04 1F 22 F8 08 41 6A 25 8D 60 06 41 11 41 09|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,71041; reference:cve,2014-0574; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32874; rev:1;)
# Layout note: one rule per line from here on. A line that starts with "# alert" is a rule
# that ships disabled; a line that starts with "alert" is enabled.
#
# ByteArray crash, SMTP direction (disabled). Same content bytes and file.swf gate as sid 32874;
# only the rule header, flow direction and service metadata differ.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray crash attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|78 07 C1 19 04 E7 10 9C 47 F0 2E 82 F7 10 BC 8F E0 03 04 1F 22 F8 08 41 6A 25 8D 60 06 41 11 41 09|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:bugtraq,71041; reference:cve,2014-0574; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:32873; rev:1;)
# 307-redirect rule (disabled). This one inspects HTTP response metadata, not file content:
# it wants "Location: " followed by "/" and a TAB (|2F 09|) in http_header, and "307" in
# http_stat_code. There is no file_data and no flowbits gate.
# NOTE(review): the service list (ftp-data, imap, pop3) matches the file rules around it, but
# http_header and http_stat_code are HTTP inspection buffers, so only "service http" looks
# meaningful here - confirm before enabling or cloning this rule.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash pepper player 307 redirect custom header cross domain policy evasion attempt"; flow:to_client,established; content:"Location: |2F 09|"; fast_pattern:only; http_header; content:"307"; http_stat_code; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0580; classtype:attempted-user; sid:32900; rev:1;)
# FlashUtil pair (CVE-2015-0306 per the reference). Gated on flowbit file.exe, so the byte
# sequence is looked for in a file already tagged as an executable, not in a SWF.
# NOTE(review): the SMTP rule (sid 33092) has no fast_pattern:only on the content and no
# connectivity-ips policy entry, while its to_client twin (sid 33091) has both. This looks like
# an upstream inconsistency rather than intent - confirm against the ruleset changelog before
# normalising either rule.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player FlashUtil memory corruption attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|FF 15 4C F1 00 10 8B 3D 54 F1 00 10 8D 44 24 14 50 68 C0 17 01 10 6A 04 6A 00 8D 8C 24 48 10 00 00 51 FF D7 8B 44 24 14 8B 10 68 7F 7F 7F 7F 68 7F 7F 7F 7F 68 7F 7F 7F 7F 56 50 8B 42 6C FF D0|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0306; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33092; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player FlashUtil memory corruption attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FF 15 4C F1 00 10 8B 3D 54 F1 00 10 8D 44 24 14 50 68 C0 17 01 10 6A 04 6A 00 8D 8C 24 48 10 00 00 51 FF D7 8B 44 24 14 8B 10 68 7F 7F 7F 7F 68 7F 7F 7F 7F 68 7F 7F 7F 7F 56 50 8B 42 6C FF D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0306; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33091; rev:2;)
# Pre-compile regex length DoS (CVE-2015-0309 per the reference). Two signatures per direction:
# a fixed byte sequence, and the text of a regular expression. The regex text is matched as a
# literal string by the content option; Snort does not evaluate it as a pattern. |5C| is a
# backslash and |7C| is the pipe character, hex-escaped because "|" delimits hex inside content.
# None of these rules has a flowbits gate, so they apply to any file_data on the flow.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt"; flow:to_server,established; file_data; content:"|CF 07 27 CC 61 07 74 13 34 20 36 58 02 75 4E 2B 01 65 14 F9 9E C2 49 45 31 F0 BA E7 A7 71 80 CE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0309; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-dos; sid:33080; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt"; flow:to_server,established; file_data; content:"|5C|3{1,2}|7C|(?s-i:[|5C|W]+|7C|ac){37}|7C|(?!BBBBBBBBBB)AAAAAAAAAA"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0309; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-dos; sid:33079; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt"; flow:to_client,established; file_data;
content:"|CF 07 27 CC 61 07 74 13 34 20 36 58 02 75 4E 2B 01 65 14 F9 9E C2 49 45 31 F0 BA E7 A7 71 80 CE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0309; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-dos; sid:33078; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt"; flow:to_client,established; file_data; content:"|5C|3{1,2}|7C|(?s-i:[|5C|W]+|7C|ac){37}|7C|(?!BBBBBBBBBB)AAAAAAAAAA"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0309; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-dos; sid:33077; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|E0 EC 04 13 FF BB 19 32 3F 82 BF B6 CF 08 00 D6 E0 A5 2C E4 36 B4 C1 00 F2 16 17 C2 B7 D7 CB AB 36 F8 85 CC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0307; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33181; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|E0 EC 04 13 FF BB 19 32 3F 82 BF B6 CF 08 00 D6 E0 A5 2C E4 36 B4 C1 00 F2 16 17 C2 B7 D7 CB AB 36 F8 85 CC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, 
service imap, service pop3; reference:cve,2015-0307; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33180; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|32 D0 30 D0 49 00 D0 5D 05 4A 05 00 68 04 D0 5D 07 D0 66 04 4A 07 01 68 06 D0 66 04 60 0B 66 0C D0 66 0A 4F|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0307; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33179; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|32 D0 30 D0 49 00 D0 5D 05 4A 05 00 68 04 D0 5D 07 D0 66 04 4A 07 01 68 06 D0 66 04 60 0B 66 0C D0 66 0A 4F|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0307; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33178; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash AWM2 out of bounds corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|01 02 0F 00 01 00 00 00 00 00 00 01 00 00 01 00 00 80 02 00 80 02 03 35 47 47 01 00 01 02 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0589; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:33177; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash AWM2 out of bounds corruption 
attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|01 02 0F 00 01 00 00 00 00 00 00 01 00 00 01 00 00 80 02 00 80 02 03 35 47 47 01 00 01 02 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0589; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:33176; rev:1;)
# Layout note: one rule per line from here on. A line that starts with "# alert" is a rule
# that ships disabled; a line that starts with "alert" is enabled.
#
# RTMP out-of-bounds read (disabled). Inspects the raw TCP payload rather than an extracted
# file: no file_data, no flowbits and no metadata. offset:8 with depth:8 pins the 8-byte
# content to payload bytes 8-15, and the byte_test requires the 4-byte value immediately
# after it to exceed 0x7FFFFFFD. The rule header fixes the source port at 1935, so the same
# stream served from another port is not inspected by this rule.
# alert tcp $EXTERNAL_NET 1935 -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player RTMP out-of-bounds read attempt"; flow:to_client,established; content:"|14 00 00 00 00 01 00 0C|"; depth:8; offset:8; byte_test:4,>,0x7FFFFFFD,0,relative; reference:bugtraq,69699; reference:cve,2014-0549; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:33164; rev:2;)
# Internet Explorer sandbox escape pair (disabled, no policy entries in metadata). Gated on
# flowbit file.exe and carrying classtype attempted-admin, where most rules nearby use
# attempted-user or attempted-dos.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 53 56 57 8B 7D 08 33 F6 8B D9 85 FF 74 14 83 FF FF 77 50 57 E8 07 0D 00 00 8B F0 83 C4|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-0583; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-admin; sid:33163; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 53 56 57 8B 7D 08 33 F6 8B D9 85 FF 74 14 83 FF FF 77 50 57 E8 07 0D 00 00 8B F0 83 C4|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0583; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-admin; sid:33162; rev:3;)
# AVM2 opcode type confusion DoS pair (disabled). A single fixed byte sequence matched in
# file_data, with no flowbits gate.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AVM2 opcode type confusion denial of service attempt"; flow:to_server,established; file_data; content:"|4A 0B 01 85 D5 D0 5D 05 4A 05 00 D1 4F 04 02 5D 0C 4A 0C 00 80 0C D6 D2 2C 12 61 0D 5D 0E D2 4F|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-0590; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-dos; sid:33160; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AVM2 opcode type confusion denial of service attempt"; flow:to_client,established; file_data; content:"|4A 0B 01 85 D5 D0 5D 05 4A 05 00 D1 4F 04 02 5D 0C 4A 0C 00 80 0C D6 D2 2C 12 61 0D 5D 0E D2 4F|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0590; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-dos; sid:33159; rev:3;)
# Class confusion (CVE-2015-0305 per the reference), string variant. Two NUL-separated
# identifier strings must both be present in file_data of a flow tagged file.swf. The second
# content has no distance/within, so the rule does not constrain where the two strings sit
# relative to each other.
# NOTE(review): the msg says "compressed file", but these contents are readable identifier
# strings; presumably they match after the preprocessor has decompressed the SWF - confirm
# that decompression is enabled in the sensor config.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"display|00|BitmapData|00|onSelect|3A|"; fast_pattern:only; content:"onSelect|00|os|00|net|00|FileReferenceList|00|addListener"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0305; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33204; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"display|00|BitmapData|00|onSelect|3A|"; fast_pattern:only; content:"onSelect|00|os|00|net|00|FileReferenceList|00|addListener"; metadata:policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0305; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33203; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|81 0E ED 69 40 DC FC E5 2D 54 79 27 A8 F6 BC 79 67 7F 7F 1A 2D 5B 40 64 96 59 28 3B FB 66 5D 18 78 5A 8E DE 24 D3 22 AB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0305; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33202; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|81 0E ED 69 40 DC FC E5 2D 54 79 27 A8 F6 BC 79 67 7F 7F 1A 2D 5B 40 64 96 59 28 3B FB 66 5D 18 78 5A 8E DE 24 D3 22 AB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0305; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33201; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt"; flow:to_server,established; file_data; content:"|D0 49 00 D0 2C 08 61 0E D0 5D 1B 2C 09 46 1B 01 60 24 87 61 07 D0 2C 04 61 05 D0 2C 0C 61 03 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8440; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:33270; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt"; flow:to_server,established; file_data; content:"|D0 49 00 D0 2C 06 61 15 D0 5D 1A 2C 07 46 1A 01 60 23 87 61 07 D0 2C 03 61 06 D0 2C 0A 61 03 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:33269; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt"; flow:to_server,established; file_data; content:"|D0 30 20 80 17 D7 20 80 05 63 04 D0 49 00 5D 06 4A 06 00 80 06 63 05 5D 02 4A 02 00 80 02 63 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:33268; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt"; flow:to_server,established; file_data; content:"|4E E0 3F FD 9E B5 3C 48 CA 1F 9B D0 43 FF 06 EF 03 95 75 ED FC BA 99 0B 31 D8 83 D2 DC 74 EF 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:33267; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt"; flow:to_server,established; file_data; content:"|11 96 4E 59 3D 34 46 
0C E1 67 9C D3 D5 A6 3C FA B8 AC DA 47 60 BD F7 D6 6A B1 65 55 F9 2C 31 ED|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:33266; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt"; flow:to_client,established; file_data; content:"|D0 49 00 D0 2C 08 61 0E D0 5D 1B 2C 09 46 1B 01 60 24 87 61 07 D0 2C 04 61 05 D0 2C 0C 61 03 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:33265; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt"; flow:to_client,established; file_data; content:"|D0 49 00 D0 2C 06 61 15 D0 5D 1A 2C 07 46 1A 01 60 23 87 61 07 D0 2C 03 61 06 D0 2C 0A 61 03 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:33264; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt"; flow:to_client,established; file_data; content:"|D0 30 20 80 17 D7 20 80 05 63 04 D0 49 00 5D 06 4A 06 00 80 06 63 05 5D 02 4A 02 00 80 02 63 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy 
connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:33263; rev:2;)
# Remaining CVE-2014-8440 download-direction rules (to_client, $FILE_DATA_PORTS).
# Each matches one fixed 32-byte string anywhere in file_data (fast_pattern:only, no
# positional modifiers). NOTE(review): presumably each string was taken from one analysed
# sample, so a miss here does not clear a file - confirm coverage against the vendor
# rule documentation.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt"; flow:to_client,established; file_data; content:"|4E E0 3F FD 9E B5 3C 48 CA 1F 9B D0 43 FF 06 EF 03 95 75 ED FC BA 99 0B 31 D8 83 D2 DC 74 EF 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:33262; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt"; flow:to_client,established; file_data; content:"|11 96 4E 59 3D 34 46 0C E1 67 9C D3 D5 A6 3C FA B8 AC DA 47 60 BD F7 D6 6A B1 65 55 F9 2C 31 ED|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:33261; rev:2;)
# CVE-2015-0310 (APSB15-02) group starts here: AS3 regex sign-extension, classtype
# denial-of-service. The rule below is wrapped; its references continue on the next physical line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt"; flow:to_server,established; file_data; content:"|9F C4 30 C9 AD C6 28 E6 22 4E 66 C5 07 DA 9D A8 91 F2 64 18 88 69 FE 64 35 DD 55 6A F9 51 9C 88|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0310; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-02.html; classtype:denial-of-service; sid:33303; rev:2;)
# CVE-2015-0310 (APSB15-02): AS3 regex sign-extension, classtype denial-of-service.
# Two byte strings, each used once per direction (SMTP to_server / download to_client).
# None of the rules on this line lists connectivity-ips, and none checks
# flowbits:isset,file.swf. sid:33302 and sid:33300 additionally reference a pastebin.com
# URL and are at rev:3; the other two are at rev:2.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt"; flow:to_server,established; file_data; content:"|A9 F8 BA FA C3 C3 FF F8 91 9F 5D 4C 7B D2 D5 6B 95 2F BF DF 87 76 18 CF 3F BE E2 4F A3 3F DB A4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0310; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-02.html; reference:url,pastebin.com/nVKV8Ess; classtype:denial-of-service; sid:33302; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt"; flow:to_client,established; file_data; content:"|9F C4 30 C9 AD C6 28 E6 22 4E 66 C5 07 DA 9D A8 91 F2 64 18 88 69 FE 64 35 DD 55 6A F9 51 9C 88|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0310; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-02.html; classtype:denial-of-service; sid:33301; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt"; flow:to_client,established; file_data; content:"|A9 F8 BA FA C3 C3 FF F8 91 9F 5D 4C 7B D2 D5 6B 95 2F BF DF 87 76 18 CF 3F BE E2 4F A3 3F DB A4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0310; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-02.html; reference:url,pastebin.com/nVKV8Ess; classtype:denial-of-service; sid:33300; rev:3;)
# The next rule is shipped disabled (leading "#"). On this page it is wrapped: its remainder
# sits on the following physical line without a "#", so rejoin it into one line before
# loading this text into a sensor.
# alert tcp 
$EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1E 62 08 61 1F D3 25 83 01 14 0E 00 00 62 06 62 05 24 20 2C 27 26 2D 04 4F 20 05 D3 91 74 D7 D3|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0304; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33298; rev:1;)
# CVE-2015-0304 (APSB15-01) sound object heap buffer overflow: the four rules sid:33298 to
# sid:33295 are shipped disabled and carry only service metadata, no "policy ... drop" entry.
# They require flowbits:isset,file.swf; the rule that sets file.swf is not in this chunk.
# The first line above is the tail of disabled sid:33298, whose "# alert tcp" prefix sits on
# the previous physical line; rejoin wrapped rules before loading so that tail is not
# parsed on its own.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|8F 5B AD 5D D8 64 E1 CD BA 29 81 67 B1 DB 29 B4 65 26 9A C4 B4 9D F1 F3 EC 55 68 CB D8 41 31 7E|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0304; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33297; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|8F 5B AD 5D D8 64 E1 CD BA 29 81 67 B1 DB 29 B4 65 26 9A C4 B4 9D F1 F3 EC 55 68 CB D8 41 31 7E|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0304; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33296; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1E 62 08 61 1F D3 25 83 01 14 0E 00 00 62 06 62 05 24 20 2C 27 26 2D 04 4F 20 05 D3 91 74 D7 D3|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0304; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33295; rev:1;)
# The line above is the tail of disabled sid:33295, wrapped from the previous physical line.
# CVE-2015-0308 (APSB15-01) stage object use-after-free, one rule per direction.
# The content decodes to the ASCII names "duck_326" and "BadIcecream_bla.directional_tile_325"
# separated by the bytes 00 CE 10, so the rule keys on identifiers inside one SWF rather than
# on the vulnerable operation. NOTE(review): treat it as a sample fingerprint, not as full
# coverage of the CVE.
# Both rules require flowbits:isset,file.swf; the rule that sets file.swf is not in this chunk.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player stage object use-after-free attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|64 75 63 6B 5F 33 32 36 00 CE 10 42 61 64 49 63 65 63 72 65 61 6D 5F 62 6C 61 2E 64 69 72 65 63 74 69 6F 6E 61 6C 5F 74 69 6C 65 5F 33 32 35|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0308; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33291; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player stage object use-after-free attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|64 75 63 6B 5F 33 32 36 00 CE 10 42 61 64 49 63 65 63 72 65 61 6D 5F 62 6C 61 2E 64 69 72 65 63 74 69 6F 6E 61 6C 5F 74 69 6C 65 5F 33 32 35|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0308; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:33290; rev:2;)
# CVE-2015-0311 (APSA15-01, bugtraq 72283) ByteArray uncompress domainMemory use-after-free
# group starts here. The rule below is wrapped; its sid and rev are on the next physical line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|97 EE 6E 96 EE 54 42 90 54 90 52 90 90 5C 96 25 A4 D9 45 4A C1 A0 41 10 90 32 40 51 31 B0 40 45 14 A5 24 14|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; 
sid:33410; rev:4;)
# CVE-2015-0311 (APSA15-01): ByteArray uncompress domainMemory use-after-free.
# Rules come in pairs that share one content string: an SMTP to_server rule (rev:4) and a
# download to_client rule (rev:3). Only the to_client variant lists connectivity-ips, so a
# connectivity-ips deployment has no mail-direction rule from this group.
# Every rule here depends on flowbits:isset,file.swf, which is set by a rule outside this
# chunk; if that setter is disabled these rules never evaluate their content.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|97 EE 6E 96 EE 54 42 90 54 90 52 90 90 5C 96 25 A4 D9 45 4A C1 A0 41 10 90 32 40 51 31 B0 40 45 14 A5 24 14|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33409; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|69 61 F4 59 E5 BF B8 FF C4 32 71 69 43 D2 A0 62 FB 25 F4 EB 8F 7F 4A DC D5 9D 7C E6 FF 61 76 CA CC FB C3 B5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33408; rev:4;)
# The rule below is wrapped by the page layout; it continues on the next physical line.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|69 61 F4 59 E5 BF B8 FF C4 32 71 69 43 D2 A0 62 FB 25 F4 EB 8F 7F 4A DC D5 9D 7C E6 FF 61 76 CA CC FB C3 B5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; 
reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33407; rev:3;)
# CVE-2015-0311 (APSA15-01) pairs, continued: each byte string appears once for SMTP
# (to_server, $SMTP_SERVERS 25) and once for downloads (to_client, $FILE_DATA_PORTS).
# The match is a single fixed content with fast_pattern:only, gated on
# flowbits:isset,file.swf (the setter is not in this chunk).
# NOTE(review): the strings look like opaque file bytes, presumably one analysed sample per
# pair - do not read a miss as proof that a SWF is clean.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|9D 1F DF B4 C7 BD BE 6F 75 DD BE 76 7F EC 44 09 ED B7 FD FE 41 BB BE AC A5 45 97 6B EC 3C C6 3C BF 8B 62 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33406; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|9D 1F DF B4 C7 BD BE 6F 75 DD BE 76 7F EC 44 09 ED B7 FD FE 41 BB BE AC A5 45 97 6B EC 3C C6 3C BF 8B 62 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33405; rev:3;)
# The rule below is wrapped by the page layout; it continues on the next physical line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|FF 1E F5 56 FA F1 16 D9 94 65 BE 60 D4 94 24 0F 24 C5 2D 53 AC 3B E3 AD 28 90 43 6E 7B C9 53 FB 03 02 D1 7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; 
reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33404; rev:4;)
# CVE-2015-0311 (APSA15-01): more SMTP/download pairs for the ByteArray uncompress
# domainMemory use-after-free. Within a pair only direction, ports, service metadata, the
# connectivity-ips entry (to_client only), sid and rev differ; the content is identical.
# All are gated on flowbits:isset,file.swf, set by a rule that is not in this chunk.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FF 1E F5 56 FA F1 16 D9 94 65 BE 60 D4 94 24 0F 24 C5 2D 53 AC 3B E3 AD 28 90 43 6E 7B C9 53 FB 03 02 D1 7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33403; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00 09 7A 10 68 12 65 A9 2D 18 F4 AF F3 2D ED 40 C3 50 EB 68 B9 F5 E0 0C E5 01 06 21 02 0C 22 D8 46 79 80 81|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33402; rev:4;)
# The rule below is wrapped by the page layout; it continues on the next physical line.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00 09 7A 10 68 12 65 A9 2D 18 F4 AF F3 2D ED 40 C3 50 EB 68 B9 F5 E0 0C E5 01 06 21 02 0C 22 D8 46 79 80 81|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; 
reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33401; rev:3;)
# CVE-2015-0311 (APSA15-01) pairs, continued. SMTP rules inspect to_server traffic to
# $SMTP_SERVERS port 25; download rules inspect to_client traffic from $FILE_DATA_PORTS.
# Each needs flowbits:isset,file.swf before its single fast_pattern:only content is checked;
# the rule that sets file.swf is not in this chunk.
# The to_client rule lists connectivity-ips; the SMTP rule does not.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|29 50 CC 20 30 4C C0 0B 20 A5 50 A1 C3 42 19 0A FC 8D D9 A2 03 D6 02 36 30 DD FA 03 AC 88 B4 C4 1C 03 BC C1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33400; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|29 50 CC 20 30 4C C0 0B 20 A5 50 A1 C3 42 19 0A FC 8D D9 A2 03 D6 02 36 30 DD FA 03 AC 88 B4 C4 1C 03 BC C1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33399; rev:3;)
# The rule below is wrapped by the page layout; it continues on the next physical line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|FC EC D8 6F B8 79 7F 41 63 32 CD F0 6A 53 13 34 55 98 B4 49 C8 F4 EC 0E 88 CE 8D B6 F0 59 B0 E3 4D 00 1D AC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; 
reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33398; rev:4;)
# CVE-2015-0311 (APSA15-01) pairs, continued: same msg, references and classtype
# (attempted-user) throughout; only the content bytes change from pair to pair.
# Gated on flowbits:isset,file.swf (setter not in this chunk). connectivity-ips is listed
# on the to_client rule of each pair only.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FC EC D8 6F B8 79 7F 41 63 32 CD F0 6A 53 13 34 55 98 B4 49 C8 F4 EC 0E 88 CE 8D B6 F0 59 B0 E3 4D 00 1D AC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33397; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|6C FE 3C C4 29 5C 66 14 87 0D 52 C0 91 42 AA E3 22 46 E1 69 8C 25 81 5B E0 C1 82 91 07 28 CA A3 D8 8D 20 0D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33396; rev:4;)
# The rule below is wrapped by the page layout; it continues on the next physical line.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|6C FE 3C C4 29 5C 66 14 87 0D 52 C0 91 42 AA E3 22 46 E1 69 8C 25 81 5B E0 C1 82 91 07 28 CA A3 D8 8D 20 0D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, 
service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33395; rev:3;)
# CVE-2015-0311 (APSA15-01) pairs, continued. One fixed content per rule, used with
# fast_pattern:only and no positional modifiers, after flowbits:isset,file.swf.
# The file.swf flowbit is set by a rule that is not in this chunk; keep that rule enabled
# or none of these will alert.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|DA 24 57 E8 16 5D C8 A6 D5 C2 E0 6A A1 6E 55 69 A9 F6 B7 5F 6D 08 97 25 83 0B 34 5B CF A8 16 EE BD 4A A1 8E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33394; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|DA 24 57 E8 16 5D C8 A6 D5 C2 E0 6A A1 6E 55 69 A9 F6 B7 5F 6D 08 97 25 83 0B 34 5B CF A8 16 EE BD 4A A1 8E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33393; rev:3;)
# The rule below is wrapped by the page layout; it continues on the next physical line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|92 12 42 FE 86 36 11 17 B1 81 20 34 75 A5 67 AE D3 D8 6F 8F 68 A6 1D 92 5C 7F 5F 52 A7 94 89 82 43 2E E6 A6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; 
reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33392; rev:4;)
# CVE-2015-0311 (APSA15-01) pairs, continued: download (to_client) and SMTP (to_server)
# variants of the same byte strings. SMTP variants are at rev:4, download variants at rev:3.
# Only the download variants list connectivity-ips. All require flowbits:isset,file.swf,
# whose setter is not in this chunk.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|92 12 42 FE 86 36 11 17 B1 81 20 34 75 A5 67 AE D3 D8 6F 8F 68 A6 1D 92 5C 7F 5F 52 A7 94 89 82 43 2E E6 A6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33391; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|A8 F7 07 9F D3 0A FE DA 75 6C DE CC EB 03 CA FC 37 96 B7 4D 80 77 25 06 1A AC C0 8E 6F 60 22 EE 12 22 BC A4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33390; rev:4;)
# The rule below is wrapped by the page layout; it continues on the next physical line.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A8 F7 07 9F D3 0A FE DA 75 6C DE CC EB 03 CA FC 37 96 B7 4D 80 77 25 06 1A AC C0 8E 6F 60 22 EE 12 22 BC A4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, 
service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33389; rev:3;)
# CVE-2015-0311 (APSA15-01) pairs, continued. Each pair reuses one content string for the
# mail direction ($SMTP_SERVERS 25, service smtp) and the download direction
# ($FILE_DATA_PORTS, services ftp-data/http/imap/pop3).
# Detection depends on flowbits:isset,file.swf; the setter rule is not in this chunk.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|50 E0 6F CC 0E 13 B0 16 B0 81 E5 C6 1F 60 45 A4 15 F6 18 E0 0D 36 60 B5 35 F6 24 5A C4 0A 82 76 28 15 1E 75|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33388; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|50 E0 6F CC 0E 13 B0 16 B0 81 E5 C6 1F 60 45 A4 15 F6 18 E0 0D 36 60 B5 35 F6 24 5A C4 0A 82 76 28 15 1E 75|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33387; rev:3;)
# The rule below is wrapped by the page layout; it continues on the next physical line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|63 4E B0 51 E2 C4 A8 A6 E0 14 04 99 68 8A 0D 34 12 01 68 B2 8E C3 38 B6 3C 90 2B 3D BB DD B3 C5 6E AB 95 FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; 
reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33386; rev:4;)
# CVE-2015-0311 (APSA15-01) pairs, continued. Same gate (flowbits:isset,file.swf, setter
# not in this chunk) and same single-content, fast_pattern:only match as the rest of the group.
# NOTE(review): presumably one pair per analysed sample; alerts identify known files, and
# the group should not be assumed to cover every trigger for the CVE.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|63 4E B0 51 E2 C4 A8 A6 E0 14 04 99 68 8A 0D 34 12 01 68 B2 8E C3 38 B6 3C 90 2B 3D BB DD B3 C5 6E AB 95 FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33385; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0A FC 8D 3A 41 00 6B 01 1B D8 AE FC 01 56 1C B1 C3 1D 05 BC C1 05 AC B6 C7 1D C7 8A D8 41 B1 0E A5 A3 E2 AE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33384; rev:4;)
# The rule below is wrapped by the page layout; it continues on the next physical line.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0A FC 8D 3A 41 00 6B 01 1B D8 AE FC 01 56 1C B1 C3 1D 05 BC C1 05 AC B6 C7 1D C7 8A D8 41 B1 0E A5 A3 E2 AE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, 
service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33383; rev:3;)
# CVE-2015-0311 (APSA15-01) pairs, continued: SMTP to_server rule first, then the
# to_client download rule with the same content. The download rule adds connectivity-ips.
# Both require flowbits:isset,file.swf, set by a rule outside this chunk.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|7B A2 73 C4 68 DF C6 4D 13 A3 B3 C4 FA A8 98 16 56 24 AD AB C5 A3 8B 6B 98 11 CF F9 BE B4 87 EB 95 7A E0 8D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33382; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|7B A2 73 C4 68 DF C6 4D 13 A3 B3 C4 FA A8 98 16 56 24 AD AB C5 A3 8B 6B 98 11 CF F9 BE B4 87 EB 95 7A E0 8D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33381; rev:3;)
# The rule below is wrapped by the page layout; it continues on the next physical line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|70 AB 4E 6F CD 57 55 C0 DF F0 41 C1 A7 39 41 89 DB 5C 11 3C C3 74 E3 BB 90 9C 84 66 58 79 2B CC B5 4F 63 AA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; 
reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33380; rev:4;)
# CVE-2015-0311 (APSA15-01) pairs, continued. References are identical across the group:
# bugtraq 72283, the CVE, and the APSA15-01 advisory URL.
# Gate: flowbits:isset,file.swf (setter not in this chunk). Match: one fixed content,
# fast_pattern:only. connectivity-ips appears on the to_client rules only.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|70 AB 4E 6F CD 57 55 C0 DF F0 41 C1 A7 39 41 89 DB 5C 11 3C C3 74 E3 BB 90 9C 84 66 58 79 2B CC B5 4F 63 AA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33379; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|BE DB EA EC 6A 22 61 47 43 05 B6 E3 B7 EA 44 14 98 D5 18 6E 5E 33 0F 65 07 A5 92 AC 2A 4F C2 29 9C 79 DA 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33378; rev:4;)
# The rule below is wrapped by the page layout; it continues on the next physical line.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BE DB EA EC 6A 22 61 47 43 05 B6 E3 B7 EA 44 14 98 D5 18 6E 5E 33 0F 65 07 A5 92 AC 2A 4F C2 29 9C 79 DA 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, 
service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33377; rev:3;)
# CVE-2015-0311 (APSA15-01) pairs, continued. Mail-direction rule (rev:4) followed by the
# download-direction rule (rev:3) for the same byte string.
# Both are conditional on flowbits:isset,file.swf; the rule that sets it is not in this chunk.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|8F 34 88 8B 87 B3 8F 4E 7F 7F 58 AE 6F 5D 7F FB 6F FC FA DF 50 B9 C7 A9 9C 6A BE 4D 2B 8E 1E 51 31 9B A0 81|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33376; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|8F 34 88 8B 87 B3 8F 4E 7F 7F 58 AE 6F 5D 7F FB 6F FC FA DF 50 B9 C7 A9 9C 6A BE 4D 2B 8E 1E 51 31 9B A0 81|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33375; rev:3;)
# The rule below is wrapped by the page layout; it continues on the next physical line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|80 25 B0 02 D6 C0 61 E7 83 BD 53 3E 18 EC CC 7D FA 62 30 B8 28 07 4D 39 58 FC A6 0F 32 3F CC 8B BC C9 CB 62|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; 
reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33374; rev:4;)
# CVE-2015-0311 (APSA15-01) pairs, continued. Download rules watch to_client traffic from
# $FILE_DATA_PORTS; SMTP rules watch to_server traffic to $SMTP_SERVERS port 25.
# All need flowbits:isset,file.swf (setter not in this chunk). The SMTP rules omit the
# connectivity-ips entry that the download rules carry.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|80 25 B0 02 D6 C0 61 E7 83 BD 53 3E 18 EC CC 7D FA 62 30 B8 28 07 4D 39 58 FC A6 0F 32 3F CC 8B BC C9 CB 62|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33373; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|BC A6 08 59 E4 F4 7B 08 DF 06 96 DC 76 C3 B4 76 C5 41 F1 89 26 82 0E 84 B6 34 5D 63 15 C1 5E 3B B9 31 1B AF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33372; rev:4;)
# The rule below is wrapped by the page layout; it continues on the next physical line.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BC A6 08 59 E4 F4 7B 08 DF 06 96 DC 76 C3 B4 76 C5 41 F1 89 26 82 0E 84 B6 34 5D 63 15 C1 5E 3B B9 31 1B AF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, 
service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33371; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|63 04 D0 66 13 12 11 00 00 24 10 74 D5 24 40 74 D6 24 00 74 D7 24 38 74 63 04 D0 62 09 D0 66 23 A0 46 76 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33370; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|63 04 D0 66 13 12 11 00 00 24 10 74 D5 24 40 74 D6 24 00 74 D7 24 38 74 63 04 D0 62 09 D0 66 23 A0 46 76 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33369; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|57 6E 37 8E 56 56 BE 41 52 C9 65 88 B0 32 48 94 03 3B 49 E6 38 D7 CB D1 D5 DC 13 F3 C3 39 5B 74 7B 3E 57 BE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; 
reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33368; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|57 6E 37 8E 56 56 BE 41 52 C9 65 88 B0 32 48 94 03 3B 49 E6 38 D7 CB D1 D5 DC 13 F3 C3 39 5B 74 7B 3E 57 BE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:33367; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-FLASH Adobe Flash Player byte array use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|12 2A 00 00 D0 5D 06 4A 06 00 68 05 D0 66 05 25 80 08 61 19 D0 66 05 26 61 21 D0 D0 66 22 66 23|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0312; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-03.html; classtype:attempted-user; sid:33478; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byte array use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|12 2A 00 00 D0 5D 06 4A 06 00 68 05 D0 66 05 25 80 08 61 19 D0 66 05 26 61 21 D0 D0 66 22 66 23|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0312; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-03.html; classtype:attempted-user; sid:33477; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-FLASH Adobe Flash Player byte array use after free attempt"; 
flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|40 03 AB A8 96 FF 5B DD 40 5B 4A BF DF 7F 61 A9 D0 61 03 FE 9A F1 CB 0B 94 3C E6 CC E9 1F 3B D0|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0312; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-03.html; classtype:attempted-user; sid:33476; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byte array use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|40 03 AB A8 96 FF 5B DD 40 5B 4A BF DF 7F 61 A9 D0 61 03 FE 9A F1 CB 0B 94 3C E6 CC E9 1F 3B D0|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0312; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-03.html; classtype:attempted-user; sid:33475; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|24 00 00 09 D0 D1 46 0B 00 4F 07 01 D2 D1 46 0C 01 85 D7 D0 66 05 5D 0D D0 D3 46 08 01 4A 0D 01 4F 0E 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72514; reference:cve,2015-0329; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33472; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|24 00 00 09 D0 D1 46 0B 00 4F 07 01 D2 D1 46 0C 01 85 D7 D0 66 05 5D 0D D0 D3 46 08 01 4A 0D 01 4F 0E 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72514; reference:cve,2015-0329; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33471; rev:3;)

# sid 33470 - PCRE regex compilation memory corruption (CVE-2015-0329), SMTP direction.
# Evaluated on established client-to-server traffic to $SMTP_SERVERS port 25, and only when the
# file.swf flowbit is already set (the rule that sets it is not in this part of the file).
# All four strings must occur somewhere in file_data:
#   "*(?1)"        - fast_pattern:only, case-sensitive; used by the fast pattern matcher only
#   "(?x)"         - nocase
#   "|06|RegExp"   - byte 0x06 followed by "RegExp", nocase
#   "|08|toString" - byte 0x08 followed by "toString", nocase
# The leading 0x06 / 0x08 equal the lengths of the strings that follow them; presumably these are
# length-prefixed string constants - confirm against the SWF/ABC format.
# No content carries distance/within, so neither order nor proximity is constrained.
# metadata: action "drop" in the balanced-ips, max-detect-ips and security-ips policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PCRE regex compilation memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"*(?1)"; fast_pattern:only; content:"(?x)"; nocase; content:"|06|RegExp"; nocase; content:"|08|toString"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72514; reference:cve,2015-0329; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33470; rev:2;)

# sid 33469 - same four-string signature as sid 33470 for the download direction:
# established server-to-client traffic from $FILE_DATA_PORTS to $HOME_NET
# (services ftp-data, http, imap, pop3).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PCRE regex compilation memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"*(?1)"; fast_pattern:only; content:"(?x)"; nocase; content:"|06|RegExp"; nocase; content:"|08|toString"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72514; reference:cve,2015-0329; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33469; rev:2;)

# sid 33468 - heap overflow using special characters with regex options (CVE-2015-0323),
# SMTP direction. The only detection option is one 32-byte sequence marked fast_pattern:only,
# so the rule matches wherever those exact bytes appear in file_data once file.swf is set.
# NOTE(review): a fixed 32-byte sequence like this presumably comes from a specific sample file;
# a re-encoded or recompressed file would likely not match. Treat it as sample coverage, not
# coverage of the vulnerability class - confirm. The rule with "RegEx" and a pcre option that
# shares this msg is the generic counterpart.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|3B 1E F8 3C 36 85 00 E0 31 88 C2 14 C8 09 DA B5 58 14 DD 5D 2D 96 9F 52 12 D2 B2 A9 E7 AD DA FC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0323; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33468; rev:2;)

alert tcp $EXTERNAL_NET 
$FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3B 1E F8 3C 36 85 00 E0 31 88 C2 14 C8 09 DA B5 58 14 DD 5D 2D 96 9F 52 12 D2 B2 A9 E7 AD DA FC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0323; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33467; rev:2;)

# sid 33466 - heap overflow using special characters with regex options (CVE-2015-0323),
# SMTP direction, generic form (strings plus a regex rather than a fixed byte blob).
# Requires the file.swf flowbit and all of the following in file_data:
#   "RegEx"               - fast_pattern:only, case-sensitive; as a substring it also matches "RegExp"
#   "|7C 7C 7C 7C 7C 7C|" - six consecutive '|' (0x7C) bytes
#   "(?"                  - literal; a cheap pre-check before the pcre runs
#   pcre /\(\?[gimxs]{1,5}\)/ - "(?" followed by one to five of g, i, m, x, s and then ")"
# None of the options is relative (no distance/within, no R flag on the pcre), so each is
# searched independently over the whole buffer; order and proximity are not enforced.
# NOTE(review): these are short, generic strings; false-positive rate is presumably higher than
# for the fixed-byte rules with the same msg - watch alert volume after enabling drop.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"RegEx"; fast_pattern:only; content:"|7C 7C 7C 7C 7C 7C|"; content:"(?"; pcre:"/\(\?[gimxs]{1,5}\)/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0323; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33466; rev:2;)

# sid 33465 - same options as sid 33466 for the download direction:
# established server-to-client traffic from $FILE_DATA_PORTS to $HOME_NET
# (services ftp-data, http, imap, pop3).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"RegEx"; fast_pattern:only; content:"|7C 7C 7C 7C 7C 7C|"; content:"(?"; pcre:"/\(\?[gimxs]{1,5}\)/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0323; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33465; rev:2;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt"; flow:to_server,established; 
flowbits:isset,file.swf; file_data; content:"|DE B1 8B 4A 3F 05 DA CA 06 80 62 82 95 1B D3 00 80 7E 71 0E 9E AC 4B B3 19 41 CF 8B 44 FE 98 D5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72429; reference:cve,2015-0313; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-02.html; classtype:attempted-user; sid:33463; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D0 66 10 66 11 46 12 01 61 03 D0 66 03 2C 01 60 01 4F 13 02 D0 D0 66 03 60 04 66 0F 46 14 01 61|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72429; reference:cve,2015-0313; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-02.html; classtype:attempted-user; sid:33462; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0A FE 24 F5 05 E0 44 BB BE F1 85 98 16 41 8F 73 35 0E 95 24 8C 50 18 E7 3F 4D 2A 4C AD 44 FD 74 15 D6 FE D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72429; reference:cve,2015-0313; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-02.html; classtype:attempted-user; sid:33461; rev:6;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|DE B1 8B 4A 3F 05 DA CA 06 80 62 82 95 1B D3 00 80 7E 71 0E 9E AC 4B B3 19 41 CF 8B 44 FE 98 D5|"; fast_pattern:only; metadata:policy 
balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72429; reference:cve,2015-0313; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-02.html; classtype:attempted-user; sid:33460; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D0 66 10 66 11 46 12 01 61 03 D0 66 03 2C 01 60 01 4F 13 02 D0 D0 66 03 60 04 66 0F 46 14 01 61|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72429; reference:cve,2015-0313; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-02.html; classtype:attempted-user; sid:33459; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0A FE 24 F5 05 E0 44 BB BE F1 85 98 16 41 8F 73 35 0E 95 24 8C 50 18 E7 3F 4D 2A 4C AD 44 FD 74 15 D6 FE D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72429; reference:cve,2015-0313; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-02.html; classtype:attempted-user; sid:33458; rev:7;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Compressed File object type confusion attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|5D 07 01 92 30 FD 54 47 3C 4E B7 47 09 48 DD C6 E9 87 B7 9E F3 B8 9C D1 0D 10 B8 
48 23 F0 0F AA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0319; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33542; rev:2;)

# sid 33541 - "Compressed File" object type confusion (CVE-2015-0319), download direction.
# The only detection option is one 32-byte sequence marked fast_pattern:only, gated on the
# file.swf flowbit. file_data is listed before flowbits here, the reverse of the neighbouring
# rules; both options still have to pass for the rule to fire.
# NOTE(review): the msg says "Compressed File" but the gate is file.swf, while other rules in
# this file gate on file.cws; presumably file.swf is also set for compressed SWF - confirm
# against the rules that set these flowbits.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Compressed File object type confusion attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|5D 07 01 92 30 FD 54 47 3C 4E B7 47 09 48 DD C6 E9 87 B7 9E F3 B8 9C D1 0D 10 B8 48 23 F0 0F AA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0319; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33541; rev:2;)

# sid 33540 - object type confusion, SMTP direction. One signature referenced against three CVEs
# (2015-0319, 2015-0334, 2015-3086) and two bulletins (apsb15-04, apsb15-09).
# Detection is a relative chain inside file_data plus one position-independent string:
#   1. "|52 17 96 0D 00 04 01 08|" - anywhere in the buffer
#   2. "|96 04 00 08|"             - within:75 of the end of match 1
#   3. "|52 17 96 02 00|"          - within:75 of the end of match 2
#   "__constructor__"              - fast_pattern:only, so it is not position-checked
# Requires the file.swf flowbit. metadata: drop in balanced-ips, max-detect-ips, security-ips.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player object type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|52 17 96 0D 00 04 01 08|"; content:"|96 04 00 08|"; within:75; content:"|52 17 96 02 00|"; within:75; content:"__constructor__"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0319; reference:cve,2015-0334; reference:cve,2015-3086; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:33540; rev:4;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player object type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|52 17 96 0D 00 04 01 08|"; content:"|96 04 00 08|"; within:75; content:"|52 17 96 02 00|"; within:75; content:"__constructor__"; fast_pattern:only; metadata:policy 
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0319; reference:cve,2015-0334; reference:cve,2015-3086; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:33539; rev:4;)

# sid 33538 - PCRE control character denial of service (CVE-2015-0318), SMTP direction.
# The only detection option is one 32-byte sequence marked fast_pattern:only.
# Unlike the neighbouring rules it has no flowbits:isset,file.swf gate, so the pattern is
# evaluated against file_data of any file type on this flow.
# NOTE(review): classtype is denial-of-service yet three policies set the action to drop;
# a fixed 32-byte sequence presumably identifies one sample rather than the bug class - confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt"; flow:to_server,established; file_data; content:"|46 5C 1B 11 42 F7 34 FC 10 23 B4 B7 90 D4 06 4E 8D 44 DD B3 53 99 6C 71 00 B8 7D BB 52 BA 9E 1F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0318; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:33538; rev:2;)

# sid 33537 - generic form of the CVE-2015-0318 detection, SMTP direction. The rule is commented
# out in this file (note the msg says "possible"). Its metadata still lists max-detect-ips and
# security-ips with action drop; presumably policy-aware rule management enables it for those
# policies - confirm how your tooling treats commented rules.
# Options, all inside file_data and gated on the file.swf flowbit:
#   "|06|RegExp" - fast_pattern:only
#   "|01 5C|"    - byte 0x01 then '\' (0x5C), anywhere in the buffer
#   "|01|c"      - byte 0x01 then 'c', anywhere in the buffer
#   "|D3 2C|"    - distance:0, i.e. at or after the end of the "|01|c" match
#   "|A0|"       - distance:1 + within:1, i.e. exactly one byte is skipped, then 0xA0
#   "|D3 2C|"    - within:10 of the end of that 0xA0
#   "|A0|"       - distance:1 + within:1 again
# The 0x01 prefixes look like length bytes of one-character string constants, and
# D3 / 2C / A0 presumably are AVM2 opcodes (local read, string push, add) - TODO confirm.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PCRE control character - possible denial of service attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|06|RegExp"; fast_pattern:only; content:"|01 5C|"; content:"|01|c"; content:"|D3 2C|"; distance:0; content:"|A0|"; within:1; distance:1; content:"|D3 2C|"; within:10; content:"|A0|"; within:1; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0318; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:33537; rev:2;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt"; flow:to_client,established; file_data; content:"|46 5C 1B 11 42 F7 34 FC 10 23 B4 B7 90 D4 06 4E 8D 44 DD B3 53 99 6C 71 00 B8 7D BB 52 BA 9E 1F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy 
security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0318; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:33536; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PCRE control character - possible denial of service attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|06|RegExp"; fast_pattern:only; content:"|01 5C|"; content:"|01|c"; content:"|D3 2C|"; distance:0; content:"|A0|"; within:1; distance:1; content:"|D3 2C|"; within:10; content:"|A0|"; within:1; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0318; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:33535; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt"; flow:to_server,established; file_data; content:"|4E 1F A0 6F 50 36 5D F2 0A AC 58 B1 B1 93 D3 64 01 2B 56 6C E0 15 CC 8C 6C 9A 96 39 D2 9D 99 7B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0318; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:33534; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt"; flow:to_client,established; file_data; content:"|4E 1F A0 6F 50 36 5D F2 0A AC 58 B1 B1 93 D3 64 01 2B 56 6C E0 15 CC 8C 6C 9A 96 39 D2 9D 99 7B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0318; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:33533; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PCRE library out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|02 D1 C7 03 E1 A5 82 6C 2D 56 CC 28 29 29 B0 D2 D7 4F 4C C9 4F 4A D5 4B|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0316; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:33530; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PCRE library out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|02 D1 C7 03 E1 A5 82 6C 2D 56 CC 28 29 29 B0 D2 D7 4F 4C C9 4F 4A D5 4B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0316; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:33529; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PCRE library out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|10 08 11 00 0C 07 02 0D 07 01 05 07 02 04 07 02 06 07 03 07 07 01 08 07|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0316; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:33528; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PCRE library out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|10 08 11 00 0C 07 02 0D 07 01 05 07 02 04 07 02 06 07 03 07 07 01 08 07|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; 
reference:cve,2015-0316; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:33527; rev:1;)

# sid 33512 - SWF buffer overflow (CVE-2015-0327), SMTP direction, fixed-byte form.
# The only detection option is one 32-byte sequence marked fast_pattern:only, gated on the
# file.swf flowbit. NOTE(review): presumably taken from a specific sample; the rule with
# "nextNameIndex" below is the structural counterpart - confirm both stay enabled together.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SWF buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|BB EF B5 B3 33 0D E0 23 D0 4E 23 DF A3 4F A3 28 E0 2C 54 FD 50 18 99 C4 E2 4D A5 85 74 3C 0D CF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0327; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33512; rev:2;)

# sid 33511 - SWF buffer overflow (CVE-2015-0327), SMTP direction, structural form.
# "nextNameIndex" is marked fast_pattern without ":only", so it is both the fast pattern and a
# normal content match that positions the cursor for the relative options that follow:
#   "|D1 24 10 0C 05 00 00 D1|" - distance:1, at least one byte past the end of "nextNameIndex"
#   "|D1 2D 02 0C 05 00 00 D1|" - distance:1, at least one byte past the end of the previous match
# Neither relative content has within, so the forward search is bounded only by the buffer end.
# Gated on the file.swf flowbit. metadata: drop in balanced-ips, max-detect-ips, security-ips.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SWF buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"nextNameIndex"; fast_pattern; content:"|D1 24 10 0C 05 00 00 D1|"; distance:1; content:"|D1 2D 02 0C 05 00 00 D1|"; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0327; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33511; rev:2;)

# sid 33510 - same 32-byte signature as sid 33512 for the download direction:
# established server-to-client traffic from $FILE_DATA_PORTS to $HOME_NET
# (services ftp-data, http, imap, pop3).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SWF buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BB EF B5 B3 33 0D E0 23 D0 4E 23 DF A3 4F A3 28 E0 2C 54 FD 50 18 99 C4 E2 4D A5 85 74 3C 0D CF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0327; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33510; rev:2;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SWF buffer overflow 
attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"nextNameIndex"; fast_pattern; content:"|D1 24 10 0C 05 00 00 D1|"; distance:1; content:"|D1 2D 02 0C 05 00 00 D1|"; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0327; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33509; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player out of scope newclass memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|3D 89 C8 44 46 24 44 1B A1 CD D7 C5 30 D6 C9 A8 86 AB 18 9D 4E 3B 95 7C 8C 62 1C F1 F0 41 C8 CA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0322; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33508; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player out of scope newclass memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3D 89 C8 44 46 24 44 1B A1 CD D7 C5 30 D6 C9 A8 86 AB 18 9D 4E 3B 95 7C 8C 62 1C F1 F0 41 C8 CA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0322; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33507; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player out of scope newclass memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 68|"; content:"|1D 1D 1D 1D 1D 1D 1D 1D 58|"; 
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0322; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33506; rev:3;)

# sid 33505 - out of scope newclass memory corruption (CVE-2015-0322), download direction,
# structural form. Two contents, both gated on the file.swf flowbit:
#   "|1D 1D 1D 1D 1D 1D 1D 68|"    - seven 0x1D bytes then 0x68
#   "|1D 1D 1D 1D 1D 1D 1D 1D 58|" - eight 0x1D bytes then 0x58
# Neither content has fast_pattern, distance or within: each is searched independently from the
# start of file_data, and the engine picks the fast pattern itself.
# Presumably 0x1D and 0x58 are the AVM2 scope-pop and newclass opcodes, which would match the
# msg - TODO confirm against the AVM2 instruction set.
# NOTE(review): runs of one repeated byte are a weak discriminator in binary data; the file.swf
# gate is what keeps this rule scoped, so verify that flowbit is set reliably before relying on
# the drop action.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player out of scope newclass memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 68|"; content:"|1D 1D 1D 1D 1D 1D 1D 1D 58|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0322; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33505; rev:3;)

# sid 33504 - MessageChannel use after free (CVE-2015-0320, bugtraq 72514), SMTP direction.
# The only detection option is one 36-byte sequence marked fast_pattern:only, gated on the
# file.swf flowbit; it matches wherever those exact bytes occur in file_data.
# metadata: drop in balanced-ips, max-detect-ips, security-ips.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MessageChannel use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|80 30 63 08 60 14 66 15 2C 35 46 31 01 80 2C D5 60 14 66 15 2C 30 46 31 01 80 06 D6 5D 32 25 80 02 25 80 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72514; reference:cve,2015-0320; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33504; rev:2;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MessageChannel use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|80 30 63 08 60 14 66 15 2C 35 46 31 01 80 2C D5 60 14 66 15 2C 30 46 31 01 80 06 D6 5D 32 25 80 02 25 80 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72514; reference:cve,2015-0320; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33503; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MessageChannel use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|23 AD 77 F3 88 3C 32 68 07 77 D7 31 C5 C3 29 6B 11 BB A3 7C CA FA C2 1E 44 93 08 2E 73 15 BA 3D B7 9D D6 EC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72514; reference:cve,2015-0320; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33502; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MessageChannel use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|23 AD 77 F3 88 3C 32 68 07 77 D7 31 C5 C3 29 6B 11 BB A3 7C CA FA C2 1E 44 93 08 2E 73 15 BA 3D B7 9D D6 EC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72514; reference:cve,2015-0320; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33501; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player extended BitmapFilter class denial of service attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|49 00 5D 04 4A 04 00 80 04 D5 5D 07 4A 07 00 80 07 D6 D2 D1 56 01 61 08 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72514; reference:cve,2015-0314; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-dos; sid:33500; rev:2;) alert tcp $EXTERNAL_NET any -> 
$SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player extended BitmapFilter class denial of service attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|3A AC 89 0F 6B 1F 8E 21 1E 97 0F 7F DD 39 10 1D FF 92 7D E6 53 9B 85 1D C7 E5 2C 84 4F B7 7F 0B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72514; reference:cve,2015-0314; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-dos; sid:33499; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player extended BitmapFilter class denial of service attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|49 00 5D 04 4A 04 00 80 04 D5 5D 07 4A 07 00 80 07 D6 D2 D1 56 01 61 08 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72514; reference:cve,2015-0314; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-dos; sid:33498; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player extended BitmapFilter class denial of service attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|3A AC 89 0F 6B 1F 8E 21 1E 97 0F 7F DD 39 10 1D FF 92 7D E6 53 9B 85 1D C7 E5 2C 84 4F B7 7F 0B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72514; reference:cve,2015-0314; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-dos; sid:33497; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Ovector out of bounds stack 
corruption attempt"; flow:established,to_server; flowbits:isset,file.swf; file_data; content:"|6F 7D B0 E8 A1 5D A3 DA AD 77 6A BA 5A 2F 43 A5 5A 8D 55 61 B9 D7 51 E4 5A A5 77 58 EF 41 BD B2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0330; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33491; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Ovector out of bounds stack corruption attempt"; flow:established,to_client; flowbits:isset,file.swf; file_data; content:"|6F 7D B0 E8 A1 5D A3 DA AD 77 6A BA 5A 2F 43 A5 5A 8D 55 61 B9 D7 51 E4 5A A5 77 58 EF 41 BD B2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0330; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33490; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player URLRequestHeaders null pointer dereference denial of service attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|5D 04 4A 04 00 2A D5 68 03 D1 08 01 2F 01 61 0A D0 5D 06 D0 66 07 4A 06 01 2A D5 68 05 D1 08 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72514; reference:cve,2015-0326; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-dos; sid:33487; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player URLRequestHeaders null pointer dereference denial of service attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|91 D6 E5 7C FE BE 50 4E 66 59 B2 D2 62 7C 75 A3 66 BA 
5A 96 56 1B 95 EA 75 E3 5D 71 0C 4D A7 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72514; reference:cve,2015-0326; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-dos; sid:33486; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player URLRequestHeaders null pointer dereference denial of service attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|5D 04 4A 04 00 2A D5 68 03 D1 08 01 2F 01 61 0A D0 5D 06 D0 66 07 4A 06 01 2A D5 68 05 D1 08 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72514; reference:cve,2015-0326; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-dos; sid:33485; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player URLRequestHeaders null pointer dereference denial of service attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|91 D6 E5 7C FE BE 50 4E 66 59 B2 D2 62 7C 75 A3 66 BA 5A 96 56 1B 95 EA 75 E3 5D 71 0C 4D A7 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72514; reference:cve,2015-0326; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-dos; sid:33484; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player XMLsocket connect arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 8A 53 87 01 00 02 17 96 1F 00 07 0F 27 00 00 08 8B 04 02 07 03 00 00 00 07 00 00 
00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72514; reference:cve,2015-0317; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33559; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player XMLsocket connect arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 00 FD EC F0 8C A1 A3 C3 DB 4C DC 5C 2D 8C A4 1C A8 E8 6E 68 B6 23 B6 B8 ED 06 F8 D1 01 67 89|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72514; reference:cve,2015-0317; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33558; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player XMLsocket connect arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 8A 53 87 01 00 02 17 96 1F 00 07 0F 27 00 00 08 8B 04 02 07 03 00 00 00 07 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72514; reference:cve,2015-0317; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33557; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player XMLsocket connect arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 00 FD EC F0 8C A1 A3 C3 DB 4C DC 5C 2D 8C A4 1C A8 E8 6E 68 B6 23 B6 B8 ED 06 F8 D1 01 67 89|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72514; 
reference:cve,2015-0317; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33556; rev:2;)
# CVE-2015-0315 (APSB15-04): SWF use-after-free, HTTP responses only (sids 33555, 33554).
# Both rules require the file.swf flowbit and match in the file_data buffer on reassembled
# stream data only (only_stream).
# NOTE(review): detection_filter (track by_src, count 10, seconds 1) withholds the event until
# the rule has matched more than 10 times within one second from the same source, so a single
# delivery of a matching SWF is not expected to alert or drop on its own -- confirm this
# threshold is intended before relying on these rules for one-shot delivery coverage.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SWF use-after-free attempt"; flow:to_client,established,only_stream; flowbits:isset,file.swf; file_data; content:"STAGE_VIDEO_AVAILABILITY"; content:"StageVideoAvailabilityEvent"; content:"|66 08 60 01 66 09 D0 66 06|"; fast_pattern:only; detection_filter:track by_src, count 10, seconds 1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-0315; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33555; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SWF use-after-free attempt"; flow:to_client,established,only_stream; flowbits:isset,file.swf; file_data; content:"|04 99 AC 1A D5 D7 7E 13 0B 75 DD 70 A7 AA E7 BB 64 66 F0 9E 4C 6E 15 89 D7 25 C2 C2 9B 8D 6D 2B|"; fast_pattern:only; detection_filter:track by_src, count 10, seconds 1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-0315; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33554; rev:3;)
# CVE-2015-0328 (APSB15-04): addHeader null pointer dereference (sids 33552-33549).
# Commented out (leading '#') and carrying no policy metadata; two byte signatures, each in
# an SMTP (to_server) and a file-download (to_client) variant, all gated on file.swf.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player addHeader null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|AD 24 6A BD 64 6C C1 84 7E 4D FF 84 5F C8 1F 51 19 1B 48 A0 53 D9 33 57|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0328; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:33552; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player addHeader null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|09 24 00 D0 66 04 4F 09 02 47 00 00 03 02 01 01 09 27 D0 30 65 00 60 0A|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0328; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:33551; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player addHeader null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|AD 24 6A BD 64 6C C1 84 7E 4D FF 84 5F C8 1F 51 19 1B 48 A0 53 D9 33 57|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0328; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:33550; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player addHeader null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|09 24 00 D0 66 04 4F 09 02 47 00 00 03 02 01 01 09 27 D0 30 65 00 60 0A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0328; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:33549; rev:2;)
# CVE-2008-5499 (APSB08-24): ASnative command execution (sids 33585, 33584). Commented out;
# the metadata assigns drop only under the max-detect-ips policy, and there is no flowbits
# file-type gate on either rule.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempt"; flow:to_server,established; file_data; content:"|67 D0 01 93 1C A0 C9 80 7C 80 75 FD 46 21 43 C5 8B 25 8D 8B 07 0C 23 2F 67 07 0C 9D 8A BE 11 CF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:33585; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe 
Flash Player ASnative command execution attempt"; flow:to_client,established; file_data; content:"|67 D0 01 93 1C A0 C9 80 7C 80 75 FD 46 21 43 C5 8B 25 8D 8B 07 0C 23 2F 67 07 0C 9D 8A BE 11 CF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:33584; rev:2;)
# CVE-2010-0187: decompressing denial of service (sids 33635, 33634). Commented out, with no
# policy metadata and no vendor advisory URL; the same byte signature is used in both directions.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player decompressing denial of service attempt"; flow:to_server,established; file_data; content:"|27 61 0A B4 C5 BA 95 76 44 43 42 41 A8 FD 36 B9 43 B5 B4 1B 13 48 27 51 B3 A3 A8 BB 93 32 EA 64|"; fast_pattern:only; metadata:service smtp; reference:cve,2010-0187; classtype:attempted-dos; sid:33635; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player decompressing denial of service attempt"; flow:to_client,established; file_data; content:"|27 61 0A B4 C5 BA 95 76 44 43 42 41 A8 FD 36 B9 43 B5 B4 1B 13 48 27 51 B3 A3 A8 BB 93 32 EA 64|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-0187; classtype:attempted-dos; sid:33634; rev:1;)
# CVE-2011-0609 (APSB11-05 / APSB11-06): memory corruption (sid 33824), SMTP direction, commented out.
# The content is written without |..| hex notation, so it is matched as the literal
# 40-character ASCII string rather than as 20 raw bytes.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; file_data; content:"ebbb7a031dd67a519bc0853913485103f54b1b03"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-05.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:33824; rev:3;)
# CVE-2015-0339 (APSB15-05): ActionScript memory corruption (sids 33902-33899); two byte
# signatures, each in an SMTP and a file-download variant, all gated on file.swf.
# NOTE(review): unlike the neighbouring FILE-FLASH rules, these four carry no file_data option
# ahead of the content match, so the pattern is presumably evaluated against the raw payload
# rather than the decoded file buffer. Confirm this is intended: a transfer-encoded copy (for
# example a base64 SMTP attachment) would not expose these bytes on the wire.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; content:"|D0 30 24 00 74 D5 20 85 D7 20 80 0B 63 04 D0 5D 06 4A 06 00 68 05 D0 49 00 2C 11 D6 D0 2C 12 4F 07 01 24 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,73088; reference:cve,2015-0339; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33902; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"|D0 30 24 00 74 D5 20 85 D7 20 80 0B 63 04 D0 5D 06 4A 06 00 68 05 D0 49 00 2C 11 D6 D0 2C 12 4F 07 01 24 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,73088; reference:cve,2015-0339; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33901; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; content:"|83 67 B9 F1 33 31 CB A4 00 48 3E 3F FE F1 E8 EC E4 19 3B 3D 79 E7 E7 BB D3 7F 0D 06 CF EF 03 B1 4D 32 85 23|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,73088; reference:cve,2015-0339; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33900; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"|83 67 B9 F1 33 31 CB A4 00 48 3E 3F FE F1 E8 EC E4 19 3B 3D 79 E7 E7 BB D3 7F 0D 06 CF EF 03 B1 4D 32 85 23|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,73088; reference:cve,2015-0339; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33899; rev:2;)
# CVE-2015-0338 (APSB15-05): paletteMap integer overflow (sids 33926-33923), gated on file.swf.
# 33926/33925 match one fixed byte pattern. 33924/33923 use the "paletteMap" name as the fast
# pattern, then require FF FF FF FF 07 followed (distance:0) by a second byte sequence.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt"; flow:established,to_server; flowbits:isset,file.swf; file_data; content:"|EC F4 4F D8 C4 3F 49 8E AD 81 8F CB EF 10 00 CC 04 2D 17 77 49 09 A4 40 11 F8 D4 B1 00 C0 3A E0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0338; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33926; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt"; flow:established,to_client; flowbits:isset,file.swf; file_data; content:"|EC F4 4F D8 C4 3F 49 8E AD 81 8F CB EF 10 00 CC 04 2D 17 77 49 09 A4 40 11 F8 D4 B1 00 C0 3A E0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0338; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33925; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt"; flow:established,to_server; flowbits:isset,file.swf; file_data; content:"|0A|paletteMap"; fast_pattern:only; content:"|FF FF FF FF 07|"; content:"|60 07 4A 06 02 4F 08 03|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0338; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; 
classtype:attempted-user; sid:33924; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt"; flow:established,to_client; flowbits:isset,file.swf; file_data; content:"|0A|paletteMap"; fast_pattern:only; content:"|FF FF FF FF 07|"; content:"|60 07 4A 06 02 4F 08 03|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0338; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33923; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt"; flow:to_server,established; file_data; content:"|FF D1 24 00 25 D0 04 46 0A 02 85 D5 5D 0B 4A 0B 00 80 0B D6 24 00 74 D7 10 0A 00 00 09 D2 D3 D1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0341; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33921; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt"; flow:to_server,established; file_data; content:"|BA BA AA 6A 65 B5 5C 5E 06 C4 B2 77 68 73 7A B0 6C 7B F3 8B D5 30 41 9D 79 BA 6B F6 B9 E9 D8 C5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0341; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33920; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt"; flow:to_client,established; file_data; content:"|FF D1 24 00 25 D0 04 
46 0A 02 85 D5 5D 0B 4A 0B 00 80 0B D6 24 00 74 D7 10 0A 00 00 09 D2 D3 D1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0341; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33919; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt"; flow:to_client,established; file_data; content:"|BA BA AA 6A 65 B5 5C 5E 06 C4 B2 77 68 73 7A B0 6C 7B F3 8B D5 30 41 9D 79 BA 6B F6 B9 E9 D8 C5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0341; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33918; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|10 68 58 54 01 10 E8 A5 07 00 00 C7 44 24 1C 00 00 00 00 C7 44 24 20 00 00 00 00 C7 44 24 24 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0333; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33978; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|10 68 58 54 01 10 E8 A5 07 00 00 C7 44 24 1C 00 00 00 00 C7 44 24 20 00 00 00 00 C7 44 24 24 00|"; fast_pattern:only; metadata:policy 
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0333; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33977; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SWF object type mismatch attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|36 92 AC 24 E5 EC 96 9C C9 CB 34 7F 34 79 2C 36 48 B7 0D 6B FB E0 85 92 87 91 62 41 7A CC C9 17|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0334; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33976; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SWF object type mismatch attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|36 92 AC 24 E5 EC 96 9C C9 CB 34 7F 34 79 2C 36 48 B7 0D 6B FB E0 85 92 87 91 62 41 7A CC C9 17|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0334; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33975; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player compressed file cross domain policy bypass attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|32 42 A6 3F 93 CC 0C 64 06 33 A9 A1 15 A1 57 C2 0A A8 62 2C DE D3 9B E8 BB 01 58 00 41 02 49 06|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0340; classtype:attempted-user; sid:33974; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player compressed file cross 
domain policy bypass attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|32 42 A6 3F 93 CC 0C 64 06 33 A9 A1 15 A1 57 C2 0A A8 62 2C DE D3 9B E8 BB 01 58 00 41 02 49 06|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0340; classtype:attempted-user; sid:33973; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player cross domain policy bypass attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|0C|Content-type|13|multipart/form-data|0E|requestHeaders"; fast_pattern:only; content:"|0C 3B| filename=|22|"; content:"|09|sendToURL"; distance:0; metadata:service smtp; reference:cve,2015-0340; classtype:attempted-user; sid:33972; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player cross domain policy bypass attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|0C|Content-type|13|multipart/form-data|0E|requestHeaders"; fast_pattern:only; content:"|0C 3B| filename=|22|"; content:"|09|sendToURL"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0340; classtype:attempted-user; sid:33971; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|BB 72 6D EF 99 AC C8 07 5D C7 B5 E5 5C 41 2B A2 CB CE 19 16 31 79 29 67 55 2D AF A8 9A A2 E5 F7 35 D5 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,73084; reference:cve,2015-0336; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33970; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player 
NetConnection AS2 arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 0D 00 08 03 06 00 00 00 00 00 00 00 00 08 04 40 3C 96 02 00 08 01 1C 96 04 00 08 05 08 03 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,73084; reference:cve,2015-0336; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33969; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BB 72 6D EF 99 AC C8 07 5D C7 B5 E5 5C 41 2B A2 CB CE 19 16 31 79 29 67 55 2D AF A8 9A A2 E5 F7 35 D5 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,73084; reference:cve,2015-0336; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33968; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 0D 00 08 03 06 00 00 00 00 00 00 00 00 08 04 40 3C 96 02 00 08 01 1C 96 04 00 08 05 08 03 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,73084; reference:cve,2015-0336; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33967; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player mp4 trex tag heap corruption attempt"; flow:to_server,established; 
flowbits:isset,file.swf; flowbits:isset,file.mp4; file_data; content:"trex"; content:"trex"; within:40; content:"trex"; within:40; content:"trex"; within:40; content:"trex"; within:40; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0335; classtype:attempted-user; sid:34021; rev:2;)
# CVE-2015-0335: mp4 trex tag heap corruption (sids 34021, 34020).
# The signature is five occurrences of the ASCII tag "trex", each after the first required
# within 40 bytes of the previous match; no content is marked fast_pattern. The metadata also
# assigns drop under the connectivity-ips policy.
# NOTE(review): both the file.swf and file.mp4 flowbits must be set on the same flow for the
# rule to fire -- confirm the file-identification rules can set both for a single transfer.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player mp4 trex tag heap corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; flowbits:isset,file.mp4; file_data; content:"trex"; content:"trex"; within:40; content:"trex"; within:40; content:"trex"; within:40; content:"trex"; within:40; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0335; classtype:attempted-user; sid:34020; rev:2;)
# CVE-2015-0332 (APSB15-05): malformed mp4 tag memory corruption (sids 33999, 33998).
# Gated on file.mp4; matches the byte sequence 00 00 00 14 "moov" 00 00 00 0C "frma"
# (presumably MP4 box size/type pairs -- verify against the advisory).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed mp4 tag memory corruption attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"|00 00 00 14|moov|00 00 00 0C|frma"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0332; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33999; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed mp4 tag memory corruption attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"|00 00 00 14|moov|00 00 00 0C|frma"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0332; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:33998; rev:2;)
# CVE-2015-3044 (APSB15-06): domain security bypass (sids 34177, 34176). Commented out.
# The match is generic text -- "jar:" (case-insensitive), then "@" and "!/" at bounded
# relative offsets -- with no flowbits file-type gate and no policy metadata, so it is likely
# to be noisy on non-Flash content; scope or tune it before enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player domain security bypass attempt"; flow:to_server,established; file_data; content:"jar:"; nocase; content:"@"; within:200; distance:10; content:"!/"; within:200; distance:10; metadata:service smtp; reference:cve,2015-3044; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34177; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player domain security bypass attempt"; flow:to_client,established; file_data; content:"jar:"; nocase; content:"@"; within:200; distance:10; content:"!/"; within:200; distance:10; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3044; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34176; rev:1;)
# CVE-2015-0358 (APSB15-06): TextField filter use-after-free (sids 34175-34172);
# 34175/34174 are the single byte-pattern variants, gated on file.swf.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|22 08 D1 C2 C4 AF F4 2E 4D 54 1D C7 D2 0C C3 18 18 E7 CF EA F5 FE B9 3A 68 A8 EA 59 A3 AE 9F 0D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0358; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34175; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|22 08 D1 C2 C4 AF F4 2E 4D 54 1D C7 D2 0C C3 18 18 E7 CF EA F5 FE B9 3A 68 A8 EA 59 A3 AE 9F 0D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, 
policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0358; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34174; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"tfield|00|filters"; fast_pattern:only; content:"createTextField|00|"; content:"filter|00|flash|00|"; within:60; content:"__Packages."; content:"_global|00|"; within:60; content:"flash|00|filters|00|"; within:50; content:"|96 04 00 08 0A 08 00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0358; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34173; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"tfield|00|filters"; fast_pattern:only; content:"createTextField|00|"; content:"filter|00|flash|00|"; within:60; content:"__Packages."; content:"_global|00|"; within:60; content:"flash|00|filters|00|"; within:50; content:"|96 04 00 08 0A 08 00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0358; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34172; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player byte array double free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|70 2E 4F 16 FE 2D 20 4F 02 38 03 46 81 34 03 E6 81 3C 03 54 89 8F 76 B6 5D 20 C0 BC 5C 30 17 0A E6 62 C1 BC|"; fast_pattern:only; 
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74067; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34169; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byte array double free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|70 2E 4F 16 FE 2D 20 4F 02 38 03 46 81 34 03 E6 81 3C 03 54 89 8F 76 B6 5D 20 C0 BC 5C 30 17 0A E6 62 C1 BC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,74067; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34168; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player byte array double free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|65 01 40 02 80 22 6D 02 65 01 40 03 80 22 6D 03 60 0C 66 0F 66 23 12 2A 00 00 D0 5D 06 4A 06 00 68 05 D0 66|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74067; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34167; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byte array double free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|65 01 40 02 80 22 6D 02 65 01 40 03 80 22 6D 03 60 0C 66 0F 66 23 12 2A 00 00 D0 5D 06 4A 06 00 68 05 D0 66|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service 
pop3; reference:bugtraq,74067; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34166; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"FWS"; depth:3; content:"|28|?|28|?<"; content:">|29|?"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3042; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34165; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FWS"; depth:3; content:"|28|?|28|?<"; content:">|29|?"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3042; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34164; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|BE 43 AD 01 1B EA 81 D2 30 54 A0 82 1B 50 AF 37 95 E6 3B CD BD E6 7E F3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3042; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34163; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt"; 
flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BE 43 AD 01 1B EA 81 D2 30 54 A0 82 1B 50 AF 37 95 E6 3B CD BD E6 7E F3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3042; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34162; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|F1 C4 C4 02 8B 2C B2 C4 02 99 61 62 9D D5 26 4B 3C FF D2 E5 E9 6D 4A DC 07 FC 14 F1 84 B1 26 9E 64 B8 FE 3D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0353; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34159; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|F1 C4 C4 02 8B 2C B2 C4 02 99 61 62 9D D5 26 4B 3C FF D2 E5 E9 6D 4A DC 07 FC 14 F1 84 B1 26 9E 64 B8 FE 3D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0353; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34158; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|66 1A 20 13 14 00 00 D0 66 14 2C D7 01 4F 95 01 01 D0 66 1A D0 66 18 4F A5 01 01 D0 66 14 2C D9 01 4F 95 01|"; fast_pattern:only; metadata:policy 
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0353; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34157; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|66 1A 20 13 14 00 00 D0 66 14 2C D7 01 4F 95 01 01 D0 66 1A D0 66 18 4F A5 01 01 D0 66 14 2C D9 01 4F 95 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0353; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34156; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player sound class type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"class|00|Sound|00|prototype"; fast_pattern:only; content:"_global|00|"; content:"|00|ASSetPropFlags|00|"; within:50; content:"|00|valueOf|00|"; content:"|00|call|00|"; within:100; content:"prototype|00|ASSetPropFlags|00|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0356; classtype:attempted-user; sid:34154; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player sound class type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"class|00|Sound|00|prototype"; fast_pattern:only; content:"_global|00|"; content:"|00|ASSetPropFlags|00|"; within:50; content:"|00|valueOf|00|"; content:"|00|call|00|"; within:100; content:"prototype|00|ASSetPropFlags|00|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service 
ftp-data, service http, service imap, service pop3; reference:cve,2015-0356; classtype:attempted-user; sid:34153; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player sound class type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|F5 FA A4 22 3B C6 16 2D 2C 52 E0 44 A1 86 7E 3E C5 0C 5E 8C 7F 11 0F 19 D5 FB 22 24 39 F6 5F 2E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0356; classtype:attempted-user; sid:34152; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player sound class type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|F5 FA A4 22 3B C6 16 2D 2C 52 E0 44 A1 86 7E 3E C5 0C 5E 8C 7F 11 0F 19 D5 FB 22 24 39 F6 5F 2E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0356; classtype:attempted-user; sid:34151; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 04 53 3C 96 18 00 08 05 07 14 00 00 00 07 90|"; fast_pattern:only; content:"|96 07 00 07 01 00 00 00 08 06 1C 96 02 00 08 0C 52 17|"; metadata:service smtp; reference:cve,2015-0357; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34150; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|91 86 5F 30 5C 85 5C 2A 1E 18 37 69 D1 E4 D2 EB|"; fast_pattern:only; metadata:service smtp; 
reference:cve,2015-0357; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34149; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 04 53 3C 96 18 00 08 05 07 14 00 00 00 07 90|"; fast_pattern:only; content:"|96 07 00 07 01 00 00 00 08 06 1C 96 02 00 08 0C 52 17|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0357; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34148; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|91 86 5F 30 5C 85 5C 2A 1E 18 37 69 D1 E4 D2 EB|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0357; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34147; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|68 03 D0 5D 06 4A 06 00 68 05 D0 66 05 40 01 61 0D D0 5D 08 4A 08 00 68 07 D0 66 03 D0 66 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0349; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34193; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; 
file_data; content:"|0B DB B6 69 3B 03 E3 D2 DB 3C 33 81 D1 21 E9 92 CE 4C F9 E6 05 36 F5 80 F5 42 33 1B 48 53 7F EC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0349; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34192; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|68 03 D0 5D 06 4A 06 00 68 05 D0 66 05 40 01 61 0D D0 5D 08 4A 08 00 68 07 D0 66 03 D0 66 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0349; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34191; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0B DB B6 69 3B 03 E3 D2 DB 3C 33 81 D1 21 E9 92 CE 4C F9 E6 05 36 F5 80 F5 42 33 1B 48 53 7F EC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0349; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34190; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AuthorizedFeaturesLoader object memory corruption attempt"; flow:to_server,established; file_data; content:"|F8 76 43 0C 70 DC 3B 9B 5F EC 1C 83 DF 5E AD 75 AB D1 38 F7 52 CB B7 B7 72 1C 29 89 24 D5 05 6D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy 
max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0347; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34189; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AuthorizedFeaturesLoader object memory corruption attempt"; flow:to_server,established; file_data; content:"|21 02 D0 5D 0C D0 4A 0C 01 68 0B 5D 22 4A 22 00 80 22 D6 D2 4F 23 00 D2 66 24 20 14 08 00 00 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0347; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34188; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AuthorizedFeaturesLoader object memory corruption attempt"; flow:to_client,established; file_data; content:"|F8 76 43 0C 70 DC 3B 9B 5F EC 1C 83 DF 5E AD 75 AB D1 38 F7 52 CB B7 B7 72 1C 29 89 24 D5 05 6D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0347; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34187; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AuthorizedFeaturesLoader object memory corruption attempt"; flow:to_client,established; file_data; content:"|21 02 D0 5D 0C D0 4A 0C 01 68 0B 5D 22 4A 22 00 80 22 D6 D2 4F 23 00 D2 66 24 20 14 08 00 00 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0347; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34186; 
rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Sound.extract integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B5 BF 6A 98 BE 6B D1 93 C4 BE EB 99 9C 65 62 70 C0 0C 93 2A FB 4E 60 1B 13 24 E0 A6 E5 A7 EE 9D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0348; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34279; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Sound.extract integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B5 BF 6A 98 BE 6B D1 93 C4 BE EB 99 9C 65 62 70 C0 0C 93 2A FB 4E 60 1B 13 24 E0 A6 E5 A7 EE 9D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0348; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34278; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Sound.extract integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D3 25 80 08 25 80 08 A2 15 E9 FF FF D1 D2 25 80 01 25 80 08 A2 4F 08 02 D1 D2 24 01 2F 01 4F 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0348; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34277; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Sound.extract integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D3 25 80 08 25 80 08 A2 
15 E9 FF FF D1 D2 25 80 01 25 80 08 A2 4F 08 02 D1 D2 24 01 2F 01 4F 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0348; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34276; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash malformed pixel bytecode attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|21 4B 0C D9 5D 30 F4 9A E4 BA BE A0 06 32 80 D1 64 63 48 D0 8B 53 DC 81 23 0F A5 1D 5F C6 23 3C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3041; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34275; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash malformed pixel bytecode attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|21 4B 0C D9 5D 30 F4 9A E4 BA BE A0 06 32 80 D1 64 63 48 D0 8B 53 DC 81 23 0F A5 1D 5F C6 23 3C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3041; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34274; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash malformed pixel bytecode attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|5E 01 2B 61 01 D0 49 00 5D 06 5D 01 4A 01 00 4A 06 01 80 06 D5 D1 66 07 66 08 5D 09 25 80 02 25|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3041; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34273; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash malformed pixel bytecode attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|5E 01 2B 61 01 D0 49 00 5D 06 5D 01 4A 01 00 4A 06 01 80 06 D5 D1 66 07 66 08 5D 09 25 80 02 25|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3041; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34272; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player FLV tag datasize buffer overflow attempt"; flow:to_server,established; file_data; content:"|27 6E EE 72 87 1B 47 F7 41 A0 00 00 00 3A 1B 08 00 04 41 00 00 0F 00 00 00 00 68 EE EE EE EE EE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3043; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34271; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player FLV tag datasize buffer overflow attempt"; flow:to_client,established; file_data; content:"|27 6E EE 72 87 1B 47 F7 41 A0 00 00 00 3A 1B 08 00 04 41 00 00 0F 00 00 00 00 68 EE EE EE EE EE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3043; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34270; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AVC parser integer overflow attempt"; 
flow:to_server,established; flowbits:isset,file.swf; file_data; content:"LoadMP4"; fast_pattern:only; content:"|24 64 2A 4A 0A 02 68 09 D0 49 00 60 0E 66 0F 66 10 85 D5 5D 11 D1 2C 17 46 12 01 24 01 66 13 4A 11 01 80 11 D6 D0 D2 66 14|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0352; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34267; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AVC parser integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|2F F8 C4 7F 4F 3F F4 89 F5 E8 CB 7B F0 EB CC 94 04 C0 21 B0 03 D2 A5 55 D0 A0 12 33 CB 20 9D FB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0352; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34266; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AVC parser integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"LoadMP4"; fast_pattern:only; content:"|24 64 2A 4A 0A 02 68 09 D0 49 00 60 0E 66 0F 66 10 85 D5 5D 11 D1 2C 17 46 12 01 24 01 66 13 4A 11 01 80 11 D6 D0 D2 66 14|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0352; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34265; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AVC parser integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|2F F8 C4 7F 4F 3F F4 89 F5 E8 CB 7B F0 EB CC 94 04 C0 21 B0 03 D2 A5 55 D0 
A0 12 33 CB 20 9D FB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0352; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34264; rev:2;)
# CVE-2015-0346 (APSB15-06) "flash settings manager double free", SMTP
# direction (to $SMTP_SERVERS port 25). Three variants follow:
#   34260 - one fixed 32-byte sequence (fast_pattern:only), gated on file.swf.
#   34259 - the string "flash.system|08|Security|0D|SecurityPanel|10|SETTINGS_MANAGER"
#           plus "openManager" and "LSO_PATH"; the last two carry no
#           distance/within, so their order is not enforced. Gated on file.swf.
#   34258 - ".writeLSO", ".openManager()" (within 150), ".writeLSO" (within 150),
#           ".setTimeout(reload" (within 100). No flowbits check and no
#           fast_pattern option, so it is not limited to flows tagged as SWF.
# NOTE(review): in 34259 the bytes |08|, |0D| and |10| equal the lengths of the
# strings after them (8, 13, 16), which looks like a length-prefixed string
# table - presumably the compiled constant pool; confirm.
# NOTE(review): file.swf is set by a rule outside this part of the file; the
# gated variants cannot fire if that setter is disabled.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player flash settings manager double free attempt"; flow:established,to_server; flowbits:isset,file.swf; file_data; content:"|C1 9F F2 74 AF EA F2 CC C4 CD A9 D1 91 E1 76 7F ED 91 A3 29 4B 07 44 85 83 37 CC 92 A3 0B A5 53|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0346; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34260; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player flash settings manager double free attempt"; flow:established,to_server; flowbits:isset,file.swf; file_data; content:"flash.system|08|Security|0D|SecurityPanel|10|SETTINGS_MANAGER"; fast_pattern:only; content:"openManager"; content:"LSO_PATH"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0346; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34259; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player flash settings manager double free attempt"; flow:established,to_server; file_data; content:".writeLSO"; content:".openManager()"; within:150; content:".writeLSO"; within:150; content:".setTimeout(reload"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0346; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34258; rev:2;)
# CVE-2015-0346, to-client direction ($FILE_DATA_PORTS -> $HOME_NET; services
# ftp-data, http, imap, pop3). sids 34257 / 34256 / 34255 repeat the contents
# of 34260 / 34259 / 34258 above, in that order; 34255 likewise has no
# flowbits check.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player flash settings manager double free attempt"; flow:established,to_client; flowbits:isset,file.swf; file_data; content:"|C1 9F F2 74 AF EA F2 CC C4 CD A9 D1 91 E1 76 7F ED 91 A3 29 4B 07 44 85 83 37 CC 92 A3 0B A5 53|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0346; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34257; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player flash settings manager double free attempt"; flow:established,to_client; flowbits:isset,file.swf; file_data; content:"flash.system|08|Security|0D|SecurityPanel|10|SETTINGS_MANAGER"; fast_pattern:only; content:"openManager"; content:"LSO_PATH"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0346; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34256; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player flash settings manager double free attempt"; flow:established,to_client; file_data; content:".writeLSO"; content:".openManager()"; within:150; content:".writeLSO"; within:150; content:".setTimeout(reload"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0346; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34255; rev:2;)
# CVE-2015-0354 (APSB15-06), CEA-708 denial of service, classtype attempted-dos.
# sids 34254 and 34253 are commented out as shipped and carry only service
# metadata (no policy entries). They are gated on file.swf and key on ".m3u8"
# (fast_pattern:only) plus "captionsEnabled", then "708" and "DATA" each within
# 10 bytes of the previous match; nocase applies to those three, not to ".m3u8".
# NOTE(review): these are short, generic strings; if the pair is enabled
# locally, review alert volume before assigning a drop action.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed CEA-708 packet denial of service attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:".m3u8"; fast_pattern:only; content:"captionsEnabled"; nocase; content:"708"; within:10; nocase; content:"DATA"; within:10; nocase; metadata:service smtp; reference:cve,2015-0354; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-dos; sid:34254; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed CEA-708 packet denial of service attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:".m3u8"; fast_pattern:only; content:"captionsEnabled"; nocase; content:"708"; within:10; nocase; content:"DATA"; within:10; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0354; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-dos; sid:34253; rev:1;)
# CVE-2015-0354, enabled pair: sid 34252 (SMTP direction) and sid 34251
# (to-client direction, the rule that follows) match one fixed 32-byte sequence
# (fast_pattern:only) and are gated on the file.cws flowbit rather than
# file.swf.
# NOTE(review): file.cws is presumably the bit for compressed ("CWS") Flash and
# is set outside this part of the file - confirm the setter is enabled.
# NOTE(review): sid 34252 targets $SMTP_SERVERS port 25 but lists
# "service ftp-data, service smtp"; the other SMTP-direction rules here list
# only "service smtp" - confirm the extra service is intended.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed CEA-708 packet denial of service attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|7B FB E5 CB 97 DB 2E EF 6B CB E6 A6 DA F7 1C 3A 74 A8 BD 63 6F FB DE BD AD A0 68 75 AE 66 F2 B1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2015-0354; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-dos; sid:34252; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed CEA-708 packet denial of service attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|7B FB E5 CB 97 DB 2E EF 6B CB E6 A6 DA F7 1C 3A 74 A8 BD 63 6F FB DE BD AD A0 68 75 AE 66 F2 B1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy 
security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0354; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-dos; sid:34251; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player text field mask use after free attempt"; flow:to_server,established; file_data; content:"|F5 8E 49 D7 6E DA 4D 76 55 5A 47 46 57 3D 64 8A 3A D5 8C 0E 31 49 E7 B9 61 36 FB 82 AF 9E 08 D7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0351; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34250; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player text field mask use after free attempt"; flow:to_client,established; file_data; content:"|F5 8E 49 D7 6E DA 4D 76 55 5A 47 46 57 3D 64 8A 3A D5 8C 0E 31 49 E7 B9 61 36 FB 82 AF 9E 08 D7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0351; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34249; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player text field mask use after free attempt"; flow:to_server,established; file_data; content:"|D2 24 01 4F 1A 01 D0 24 01 46 0B 01 80 03 D5 D1 24 58 24 1F 26 4F 1B 03 47 00 00 04 02 01 01 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0351; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34248; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash 
Player text field mask use after free attempt"; flow:to_client,established; file_data; content:"|D2 24 01 4F 1A 01 D0 24 01 46 0B 01 80 03 D5 D1 24 58 24 1F 26 4F 1B 03 47 00 00 04 02 01 01 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0351; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34247; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player thread write double-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|FD 9E 83 BF FC B3 1F 45 C8 BD 64 59 8A 7C 4D 56 BE C8 AF 82 FA ED 9F FD 3E 33 74 F6 59 6A FD 4E E4 BF FF EC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74067; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34245; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player thread write double-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FD 9E 83 BF FC B3 1F 45 C8 BD 64 59 8A 7C 4D 56 BE C8 AF 82 FA ED 9F FD 3E 33 74 F6 59 6A FD 4E E4 BF FF EC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,74067; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34244; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player thread write double-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|14 92 FF AD 90 45 28 35 39 D2 42 95 48 58 
EC 5F F1 F9 57 FB 7C 99 BA 0A ED FD 0F 25 F7 CD 2D 16 66 AB 15 FA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74067; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34243; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player thread write double-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|14 92 FF AD 90 45 28 35 39 D2 42 95 48 58 EC 5F F1 F9 57 FB 7C 99 BA 0A ED FD 0F 25 F7 CD 2D 16 66 AB 15 FA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,74067; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34242; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player thread write double-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D0 66 12 4F 01 02 02 5D 0D 4A 0D 00 82 63 02 D0 4A 09 00 82 82 63 03 D0 4F 14 00 D0 62 02 62 02 2C 02 66 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74067; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34241; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player thread write double-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D0 66 12 4F 01 02 02 5D 0D 4A 0D 00 82 63 02 D0 4A 09 00 82 82 63 03 D0 4F 14 00 D0 62 02 62 02 2C 02 66 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy 
max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,74067; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34240; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player potential information disclosure attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|46 15 02 5E 05 2B 61 05 60 05 62 04 24 00 24 03 4F 16 03 60 12 60 17 53 01 D0 24 00 24 01 24 02|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3040; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34235; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player potential information disclosure attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|46 15 02 5E 05 2B 61 05 60 05 62 04 24 00 24 03 4F 16 03 60 12 60 17 53 01 D0 24 00 24 01 24 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3040; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34234; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player potential information disclosure attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|6E 26 31 D9 22 FF C8 4F 8C DC FA F2 96 C2 3A C1 50 4E F1 E8 8C 33 3E F8 86 B7 31 EC F6 0E 25 F4|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3040; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34233; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player potential information disclosure attempt"; flow:to_client,established; flowbits:isset,file.swf; 
file_data; content:"|6E 26 31 D9 22 FF C8 4F 8C DC FA F2 96 C2 3A C1 50 4E F1 E8 8C 33 3E F8 86 B7 31 EC F6 0E 25 F4|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3040; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34232; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed CEA-708 packet arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|66 9A 01 85 63 05 D0 66 16 2C C8 01 D2 A0 2C C9 01 A0 62 04 A0 62 05 4F 9B 01 02 47 00 00 02 05|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0355; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34231; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed CEA-708 packet arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1A AA 1A 6A 1A CC 86 DA C6 26 55 6A D8 DC B0 A5 61 47 E3 CE C6 F6 86 3B 1B 77 37 76 EA 5D 0D 07|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0355; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34230; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed CEA-708 packet arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|66 9A 01 85 63 05 D0 66 16 2C C8 01 D2 A0 2C C9 01 A0 62 04 A0 62 05 4F 9B 01 02 47 00 00 02 05|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0355; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34229; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed CEA-708 packet arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1A AA 1A 6A 1A CC 86 DA C6 26 55 6A D8 DC B0 A5 61 47 E3 CE C6 F6 86 3B 1B 77 37 76 EA 5D 0D 07|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0355; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34228; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player shared byte array memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|54 2D 56 AB E8 23 82 15 A2 68 04 EB 44 25 44 CF 92 4C 8E 90 3C 21 05 82 57 48 76 95 E0 32 C1 6B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3038; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34305; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player shared byte array memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|4A 06 00 61 05 D0 66 05 24 01 61 13|"; content:"|80 15 D5 D1 2C 0A D0 66 05 4F 1B 02 D0 66 05 2D 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3038; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34304; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player shared byte array 
memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|54 2D 56 AB E8 23 82 15 A2 68 04 EB 44 25 44 CF 92 4C 8E 90 3C 21 05 82 57 48 76 95 E0 32 C1 6B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3038; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34303; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player shared byte array memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|4A 06 00 61 05 D0 66 05 24 01 61 13|"; content:"|80 15 D5 D1 2C 0A D0 66 05 4F 1B 02 D0 66 05 2D 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3038; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34302; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D0 66 05 62 01 62 04 66 01 66 01 80 08 61 03 10 8C 00 00 02 D0 2A 66 03 D0 66 05 62 01 62 04 66 01 66 01 D0 66 02 2C 02 66 01 A2 A0 74 61 03 D0 2A 66 06 D0 66 03 D0 66 04 A5 A9 74 61 06 D0 2A 66 04 D0 66 03 25 FF 3F A8 24 58 AF 12 06 00 00 24 0D 10 03 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,73084; reference:cve,2015-0336; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:34357; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player 
NetConnection AS2 arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|A9 7F 6B 6E 78 BF FA DE 9C DD EB F9 FC 0D 87 97 40 5A BF 34 C4 6F 11 12 76 06 E1 0C 9D 6F 1C BB C5 AD 36 F6 00 F9 66 F2 EE CB 3B AE E2 25 53 CF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,73084; reference:cve,2015-0336; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:34356; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D0 66 05 62 01 62 04 66 01 66 01 80 08 61 03 10 8C 00 00 02 D0 2A 66 03 D0 66 05 62 01 62 04 66 01 66 01 D0 66 02 2C 02 66 01 A2 A0 74 61 03 D0 2A 66 06 D0 66 03 D0 66 04 A5 A9 74 61 06 D0 2A 66 04 D0 66 03 25 FF 3F A8 24 58 AF 12 06 00 00 24 0D 10 03 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,73084; reference:cve,2015-0336; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:34355; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A9 7F 6B 6E 78 BF FA DE 9C DD EB F9 FC 0D 87 97 40 5A BF 34 C4 6F 11 12 76 06 E1 0C 9D 6F 1C BB C5 AD 36 F6 00 F9 66 F2 EE CB 3B AE E2 25 53 CF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,73084; reference:cve,2015-0336; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:34354; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player object type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|16 0C 22 87 22 7C 75 72 61 F6 F6 AC 87 3E 8B 89 EF D0 87 76 0D 13 25 CF 73 2D 43 6B 18 B6 AD 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0319; reference:cve,2015-0334; reference:cve,2015-3086; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34478; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player object type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|16 0C 22 87 22 7C 75 72 61 F6 F6 AC 87 3E 8B 89 EF D0 87 76 0D 13 25 CF 73 2D 43 6B 18 B6 AD 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0319; reference:cve,2015-0334; reference:cve,2015-3086; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34477; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt"; flow:to_client,established; file_data; content:"|9E 4E B0 BC 2D 9D 36 A9 41 6A 09 70 18 09 A5 C9 70 0B A7 11 F8 80 B2 86 45 56 F1 91 2E E0 7C D4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service 
pop3; reference:cve,2014-0502; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; classtype:attempted-user; sid:32359; rev:7;)
# NOTE(review): CVE-2014-0502 coverage, sid 29931/29930/29929/29928 (the last one continues past this line).
# Two 16-byte patterns are each paired with two directions: to_server on port 25 (SMTP)
# and to_client from $FILE_DATA_PORTS (metadata: ftp-data, http, imap, pop3).
# All four are gated on flowbits:isset,file.swf. Nothing in the portion of the file reviewed
# here sets that flowbit, so it is presumably set by a file-identification rule elsewhere.
# If the setter is not loaded, these rules never evaluate and fail silently; confirm it is
# enabled wherever these sids are deployed.
# sid:32359 (same CVE, its tail is the fragment above) has no file.swf gate in its option
# list, so it is not restricted to flows already identified as SWF.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|39 D7 B9 4D F6 E4 1C 4A 67 00 6D 8B DE D2 DF 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0502; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; classtype:attempted-user; sid:29931; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|16 08 18 0A 16 0C 16 14 16 1D 17 06 05 00 05 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0502; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; classtype:attempted-user; sid:29930; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|39 D7 B9 4D F6 E4 1C 4A 67 00 6D 8B DE D2 DF 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0502; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; classtype:attempted-user; sid:29929; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|16 
08 18 0A 16 0C 16 14 16 1D 17 06 05 00 05 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0502; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; classtype:attempted-user; sid:29928; rev:6;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player integer underflow attempt"; flow:to_client,established; file_data; content:"|17 2C 11 64 D8 27 80 D3 C2 F8 C5 C4 0E 77 7F 0A E5 95 E0 C3 B9 80 36 C6 09 3E CB 05 92 20 49 B2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0497; classtype:attempted-user; sid:29634; rev:6;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player integer underflow attempt"; flow:to_server,established; file_data; content:"|17 2C 11 64 D8 27 80 D3 C2 F8 C5 C4 0E 77 7F 0A E5 95 E0 C3 B9 80 36 C6 09 3E CB 05 92 20 49 B2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0497; classtype:attempted-user; sid:29633; rev:6;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player integer underflow attempt"; flow:to_server,established; file_data; content:"|04 5B 04 05 F6 08 E0 B6 D1 7E 31 B9 C5 33 90 46 7A 35 34 E1 5C 40 19 C3 84 26 5B 06 49 90 24 45|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0497; classtype:attempted-user; sid:29632; rev:6;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player integer underflow attempt"; flow:to_client,established; file_data; content:"|04 5B 04 05 F6 08 E0 B6 D1 7E 31 B9 C5 33 90 46 7A 35 
34 E1 5C 40 19 C3 84 26 5B 06 49 90 24 45|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0497; classtype:attempted-user; sid:29631; rev:6;)
# NOTE(review): sid 28745 / 28744 (CVE-2012-5054) ship disabled (leading '#').
# Their single content match is a run of length-prefixed ASCII strings
# (|06|Number, |0D|copyRawDataTo, |07|poc/poc, |0D|flash...) that includes the literal name
# "poc/poc". That name looks like it was taken from one proof-of-concept sample and is not
# inherent to the copyRawDataTo overflow, so treat these two rules as sample-specific
# coverage rather than general coverage for the CVE.
# The strings are plain text, so they are presumably only visible in an uncompressed SWF body
# or after the preprocessor has decompressed it; verify SWF decompression is enabled.
# Neither rule is gated on flowbits:isset,file.swf.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Matrix3D copyRawDataTo integer overflow attempt"; flow:to_server,established; file_data; content:"__AS3__.vec|06|Number|0D|copyRawDataTo|07|poc/poc|0D|flash"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,55691; reference:cve,2012-5054; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:attempted-user; sid:28745; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Matrix3D copyRawDataTo integer overflow attempt"; flow:to_client,established; file_data; content:"__AS3__.vec|06|Number|0D|copyRawDataTo|07|poc/poc|0D|flash"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55691; reference:cve,2012-5054; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:attempted-user; sid:28744; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash OpenType font memory corruption attempt"; flow:to_server,established; file_data; content:"|8A 31 5B D0 1A 53 E3 71 60 46 4F 0E B7 5F 45 7C C5 31 35 B0 25 D6 5E D8 FC BF D2 04 78 07|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,55009; reference:cve,2012-1535; reference:url,www.adobe.com/support/security/bulletins/apsb12-18.html; classtype:attempted-user; sid:28708; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash OpenType font memory corruption 
attempt"; flow:to_client,established; file_data; content:"|8A 31 5B D0 1A 53 E3 71 60 46 4F 0E B7 5F 45 7C C5 31 35 B0 25 D6 5E D8 FC BF D2 04 78 07|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55009; reference:cve,2012-1535; reference:url,www.adobe.com/support/security/bulletins/apsb12-18.html; classtype:attempted-user; sid:28707; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash OpenType font memory corruption attempt"; flow:to_server,established; file_data; content:"|63 51 A3 14 70 D7 42 BB 72 07 92 11 3A E5 7B C1 2F DA 86 FB B0 33 1B F3 FF 02 FB 91 38 93|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,55009; reference:cve,2012-1535; reference:url,www.adobe.com/support/security/bulletins/apsb12-18.html; classtype:attempted-user; sid:28706; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash OpenType font memory corruption attempt"; flow:to_client,established; file_data; content:"|63 51 A3 14 70 D7 42 BB 72 07 92 11 3A E5 7B C1 2F DA 86 FB B0 33 1B F3 FF 02 FB 91 38 93|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55009; reference:cve,2012-1535; reference:url,www.adobe.com/support/security/bulletins/apsb12-18.html; classtype:attempted-user; sid:28705; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt"; flow:to_server,established; file_data; content:"|6B 27 78 42 86 2E 09 60 48 C0 2A B6 45 88 DC 57 DE CD 5F 96 1F 1E CE ED F0 0B 24 B4 69 6D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-2110; 
reference:url,www.adobe.com/support/security/bulletins/apsb11-18.html; classtype:attempted-user; sid:28704; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt"; flow:to_client,established; file_data; content:"|6B 27 78 42 86 2E 09 60 48 C0 2A B6 45 88 DC 57 DE CD 5F 96 1F 1E CE ED F0 0B 24 B4 69 6D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2110; reference:url,www.adobe.com/support/security/bulletins/apsb11-18.html; classtype:attempted-user; sid:28703; rev:7;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_server,established; file_data; content:"|FC 96 56 84 F6 07 6F 04 D2 E8 B4 3F 78 27 90 F8 AB 5E CD 12 E2 2B DF 68 FF 05 E4 69 98 C9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57787; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:28702; rev:6;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_server,established; file_data; content:"|C9 6F 69 45 68 7F F0 46 20 8D 4E FB 83 77 02 89 BF EA D5 22 21 BE F2 8D F6 5F B7 70 AA F7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57787; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:28701; rev:6;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_client,established; file_data; content:"|FC 96 56 84 F6 07 6F 04 D2 E8 B4 3F 78 
27 90 F8 AB 5E CD 12 E2 2B DF 68 FF 05 E4 69 98 C9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57787; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:28700; rev:6;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_client,established; file_data; content:"|C9 6F 69 45 68 7F F0 46 20 8D 4E FB 83 77 02 89 BF EA D5 22 21 BE F2 8D F6 5F B7 70 AA F7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57787; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:28699; rev:6;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_server,established; file_data; content:"|9A 00 EF 36 69 D1 BC B4 ED AB 5D F6 03 F1 AC 7A B4 44 DE FA 75 50 71 E4 FF 00 75 AE 44 E2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:28698; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_server,established; file_data; content:"|68 08 AC 3B A5 39 FD E2 C6 6F B6 1A 0F 07 13 D1 A3 59 42 4B 37 20 8A 2B FF 17 3C 81 5D 70|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,47314; 
reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:28697; rev:5;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_client,established; file_data; content:"|9A 00 EF 36 69 D1 BC B4 ED AB 5D F6 03 F1 AC 7A B4 44 DE FA 75 50 71 E4 FF 00 75 AE 44 E2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:28696; rev:5;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_client,established; file_data; content:"|68 08 AC 3B A5 39 FD E2 C6 6F B6 1A 0F 07 13 D1 A3 59 42 4B 37 20 8A 2B FF 17 3C 81 5D 70|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:28695; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; file_data; content:"|B3 9F FB 7A F6 92 EF FC CB 25 DF BE F8 D2 4B BE 73 71 E0 4B 81 F2 BF FF 05 AE EB 05 87 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,46860; reference:cve,2011-0609; classtype:attempted-user; sid:28694; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"|B3 9F FB 7A F6 92 EF FC 
CB 25 DF BE F8 D2 4B BE 73 71 E0 4B 81 F2 BF FF 05 AE EB 05 87 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46860; reference:cve,2011-0609; classtype:attempted-user; sid:28693; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; file_data; content:"|F9 CB B2 5F F8 7A F6 D2 EF FC CB A5 DF BE E4 B2 4B BF 73 49 E0 1F 29 F5 7F 01 0A E7 FC 22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,46860; reference:cve,2011-0609; classtype:attempted-user; sid:28692; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"|F9 CB B2 5F F8 7A F6 D2 EF FC CB A5 DF BE E4 B2 4B BF 73 49 E0 1F 29 F5 7F 01 0A E7 FC 22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46860; reference:cve,2011-0609; classtype:attempted-user; sid:28691; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_server,established; file_data; content:"|A5 9C EC D7 B0 81 F3 EC FD 23 0B A9 30 49 CA 91 93 87 E3 AF C2 E9 70 1D EC 0F AD ED 42 7D|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:28690; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_server,established; file_data; content:"|71 8D F1 61 C0 22 78 6D EC E6 CD 6A 1F 7E D4 3B A7 D5 0F F8 7E 70 B8 31 D9 27 5C 16 
71 B7|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:28689; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; file_data; content:"|A5 9C EC D7 B0 81 F3 EC FD 23 0B A9 30 49 CA 91 93 87 E3 AF C2 E9 70 1D EC 0F AD ED 42 7D|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:28688; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; file_data; content:"|71 8D F1 61 C0 22 78 6D EC E6 CD 6A 1F 7E D4 3B A7 D5 0F F8 7E 70 B8 31 D9 27 5C 16 71 B7|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:28687; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempt"; flow:to_client,established; file_data; content:"|A8 AE 9F FC DD 34 E7 24 FF 71 36 DB 9A 32 40 27 DD 18 C9 F7 D3 CB E2 5C C3 6F 8F 41 75 7F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:28685; rev:5;) # alert tcp 
$EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempt"; flow:to_server,established; file_data; content:"|EA F9 C9 DF 4D 73 4E F2 1F 67 B3 AD 09 03 F4 BB 1B 23 F9 7E 7A 59 9C 6A F8 05 5E 81 75 F8|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:28684; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempt"; flow:to_client,established; file_data; content:"|EA F9 C9 DF 4D 73 4E F2 1F 67 B3 AD 09 03 F4 BB 1B 23 F9 7E 7A 59 9C 6A F8 05 5E 81 75 F8|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:28683; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempt"; flow:to_server,established; file_data; content:"|A4 EB C5 BF 9F 90 EF 24 9F 38 AB 6D 6E 36 40 D7 D9 18 C9 FB 53 CD A2 A9 E0 17 3E D2 69 48|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:28682; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempt"; flow:to_client,established; file_data; content:"|A4 EB C5 BF 9F 90 EF 24 9F 38 AB 6D 6E 36 40 D7 D9 18 C9 FB 53 CD A2 A9 E0 17 3E D2 69 48|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32896; reference:cve,2008-5499; 
reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:28681; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempt"; flow:to_server,established; file_data; content:"|62 99 B5 A1 ED 70 C6 6B 74 3D 08 66 D0 21 30 D8 40 F5 1F 00 00 00 FF FF 03 00 91 59 C1 F2|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:28680; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempt"; flow:to_client,established; file_data; content:"|62 99 B5 A1 ED 70 C6 6B 74 3D 08 66 D0 21 30 D8 40 F5 1F 00 00 00 FF FF 03 00 91 59 C1 F2|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:28679; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption attempt"; flow:to_server,established; file_data; content:"|0B 47 2E 1C D9 E2 DA 33 AB CF 15 76 BD ED 31 D3 90 39 FD BE 7B 50 4A 94 BE 58 F0 05 EB 73|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:28676; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption attempt"; flow:to_client,established; file_data; content:"|0B 47 2E 1C D9 E2 DA 33 AB CF 15 76 BD ED 31 D3 90 39 FD BE 7B 50 4A 94 BE 58 F0 05 EB 73|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service 
pop3; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:28675; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption attempt"; flow:to_server,established; file_data; content:"|BC 56 54 D3 2D 96 1D 9E DA 39 5A 20 62 52 14 8F 23 6E 91 04 37 1A C1 2D 12 8C AC A7 1D 24|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:28674; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption attempt"; flow:to_client,established; file_data; content:"|BC 56 54 D3 2D 96 1D 9E DA 39 5A 20 62 52 14 8F 23 6E 91 04 37 1A C1 2D 12 8C AC A7 1D 24|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:28673; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash frame type identifier memory corruption attempt"; flow:to_server,established; file_data; content:"|0B 25 C9 92 0D 21 ED 48 87 65 30 3B 6D E1 D8 B4 00 00 86 06 06 01 00 01 00 00 40 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15332; reference:cve,2005-2628; classtype:attempted-user; sid:28672; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash frame type identifier memory corruption attempt"; flow:to_server,established; file_data; content:"|BC 8A 6F 3D DA 53 0D AC 73 1F DE D8 C2 C0 D0 C6 C6 C6 08 54 C7 E0 00 94 05 00 53 50 10 B8|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15332; reference:cve,2005-2628; classtype:attempted-user; sid:28671; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash frame type 
identifier memory corruption attempt"; flow:to_client,established; file_data; content:"|BC 8A 6F 3D DA 53 0D AC 73 1F DE D8 C2 C0 D0 C6 C6 C6 08 54 C7 E0 00 94 05 00 53 50 10 B8|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15332; reference:cve,2005-2628; classtype:attempted-user; sid:28670; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash ActionDefineFunction memory access exploit attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"FWS|06|"; depth:4; content:"|43 02|"; within:27; byte_test:1,<,64,3,relative; content:"|03|"; within:1; distance:4; pcre:"/^(\x9B|\x8E)/R"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15334; reference:cve,2005-2628; classtype:attempted-user; sid:28669; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash ActionDefineFunction memory access exploit attempt"; flow:to_server,established; file_data; content:"|C0 C0 C0 C3 C8 E0 CC F4 9F 81 C1 86 79 B6 39 83 23 79 80 81 C1 81 81 81 01 00 F8 1C 12 25|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15334; reference:cve,2005-2628; classtype:attempted-user; sid:28668; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash ActionDefineFunction memory access exploit attempt"; flow:to_client,established; file_data; content:"|C0 C0 C0 C3 C8 E0 CC F4 9F 81 C1 86 79 B6 39 83 23 79 80 81 C1 81 81 81 01 00 F8 1C 12 25|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15334; reference:cve,2005-2628; classtype:attempted-user; sid:28667; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH RealNetworks RealPlayer SWF flash file buffer overflow attempt"; flow:to_server,established; file_data; 
content:"|45 1C 8C 0C 40 C0 C8 C4 00 A2 99 98 19 98 80 14 0B 0B 03 33 90 E2 60 60 00 00 CF 20 4F 02|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,17202; reference:cve,2006-0323; classtype:attempted-user; sid:28666; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH RealNetworks RealPlayer SWF flash file buffer overflow attempt"; flow:to_client,established; file_data; content:"|45 1C 8C 0C 40 C0 C8 C4 00 A2 99 98 19 98 80 14 0B 0B 03 33 90 E2 60 60 00 00 CF 20 4F 02|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17202; reference:cve,2006-0323; classtype:attempted-user; sid:28665; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH RealNetworks RealPlayer SWF flash file buffer overflow attempt"; flow:to_server,established; file_data; content:"|46 57 53 05 CF 00 00 00 60 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,17202; reference:cve,2006-0323; classtype:attempted-user; sid:28664; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; file_data; content:"|DB BD 13 B7 93 13 DF EC A7 F9 32 92 4D 4C 86 B3 A1 F0 89 86 6F AC F7 64 7F 02 B6 EC 12 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-1862; classtype:attempted-user; sid:28661; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; file_data; content:"|DB BD 13 B7 93 13 DF EC A7 F9 32 92 4D 4C 86 B3 A1 F0 89 86 6F AC F7 64 7F 02 B6 EC 12 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; 
reference:cve,2009-1862; classtype:attempted-user; sid:28660; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH RealNetworks RealPlayer SWF frame handling buffer overflow attempt"; flow:to_server,established; file_data; content:"|D5 DA E7 D5 CD 47 FA 57 75 38 2C 65 0E 37 00 34 7F 10 9A 1A 40 46 0F 00 FF 02 64 6E 6A 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30370; reference:cve,2007-5400; classtype:attempted-user; sid:28641; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH RealNetworks RealPlayer SWF frame handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|D5 DA E7 D5 CD 47 FA 57 75 38 2C 65 0E 37 00 34 7F 10 9A 1A 40 46 0F 00 FF 02 64 6E 6A 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30370; reference:cve,2007-5400; classtype:attempted-user; sid:28640; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt"; flow:to_server,established; file_data; content:"|FF AE E4 AB 67 DA E3 A4 A7 68 42 D1 59 0D 1A 58 BF 2C 00 A8 85 BF 27 C8 FF 00 A4 FF 5C 18|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,28695; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:28637; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt"; flow:to_client,established; file_data; content:"|FF AE E4 AB 67 DA E3 A4 A7 68 42 D1 59 0D 1A 58 BF 2C 00 A8 85 BF 27 C8 FF 00 A4 FF 5C 18|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28695; 
reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:28636; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player embedded JPG image height overflow attempt"; flow:to_server,established; file_data; content:"|03 83 82 89 EA 81 D6 82 85 31 E2 DB 79 DF 30 B4 B2 01 D3 2C 13 83 03 30 50 00 83 12 ED 1D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26951; reference:cve,2007-6242; classtype:attempted-user; sid:28632; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player embedded JPG image height overflow attempt"; flow:to_client,established; file_data; content:"|03 83 82 89 EA 81 D6 82 85 31 E2 DB 79 DF 30 B4 B2 01 D3 2C 13 83 03 30 50 00 83 12 ED 1D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26951; reference:cve,2007-6242; classtype:attempted-user; sid:28631; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_server,established; file_data; content:"|85 83 F2 B6 D6 39 71 DC B0 00 D5 DA 5C 93 73 BF A0 EB ED 76 3B DB 5E CA 7A 41 43 CF AD AC AC E8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57787; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:28620; rev:6;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_client,established; file_data; content:"|85 83 F2 B6 D6 39 71 DC B0 00 D5 DA 5C 93 73 BF A0 EB ED 76 3B DB 5E CA 7A 41 43 CF AD AC AC E8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, 
policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57787; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:28619; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|4F 78 41 41 41 44 73 51 42 6C 53 73 4F 47 77 41 41 42 73 42 4A 52 45 46 55 65 46 37 74 30 30 45|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:28453; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|50 33 49 41 56 51 67 42 56 67 67 42 42 68 5A 6F 42 44 39 79 41 41 41 50 41 32 6F 41 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:28452; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|1D 00 10 00 25 00 00 00 82 A0 1E 02 FF FF FF FF FE FF FF FF 40 01 00 00 02 00 FF FF FE FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:28451; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; 
content:"|CB 74 5E 0D BD 47 57 13 3F E7 55 4F 02 D4 3F D9 8E D3 C4 6E D4 07 3E 41 FD FB E1 4F 63 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27187; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|E5 8C 2E 73 DC 35 EE 09 13 9E 09 87 C3 E9 76 8E C8 1B B9 F2 84 4A 53 90 EB F5 D5 5A 60 BC|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27186; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|AE D7 46 41 60 D2 E4 25 52 2F 88 38 EA B9 BC D1 1B F2 95 52 B8 2C 8E C7 B4 21 A9 2F 62 26|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27185; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|CB 74 5E 0D BD 47 57 13 3F E7 55 4F 02 D4 3F D9 8E D3 C4 6E D4 07 3E 41 FD FB E1 4F 63 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27184; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malicious swf 
file download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|E5 8C 2E 73 DC 35 EE 09 13 9E 09 87 C3 E9 76 8E C8 1B B9 F2 84 4A 53 90 EB F5 D5 5A 60 BC|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27183; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|AE D7 46 41 60 D2 E4 25 52 2F 88 38 EA B9 BC D1 1B F2 95 52 B8 2C 8E C7 B4 21 A9 2F 62 26|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27182; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; file_data; content:"|33 0D 0A 43 57 53 0D 0A 31 0D 0A 0A 0D 0A 33 0D|"; content:"|0D 0A 34 0D 0A FE B3 6F 7D 0D 0A 33 0D 0A FC F1|"; within:16; distance:320; content:"|32 0D 0A F5 CB 0D 0A 33 0D 0A 4B 7C F1 0D 0A 34|"; within:16; distance:320; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:26112; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; file_data; content:"|64 BF B2 5C 3B 6C 01 CC 94 D8 86 75 E0 13 57 80|"; content:"|00 1C 84 81 C9 80 77 6F 72 6B 50 6F 73 5F 6D 63|"; within:16; distance:320; content:"|FD 8D AD 6D 92 AB 5A B5 AF EC 90 2F 1A 4C 2A 01|"; within:16; distance:320; metadata:policy 
max-detect-ips drop, service smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:26111; rev:6;)
# Reading notes for the rules that follow (one rule per line):
#  - A line that starts with "# alert" is a rule shipped disabled; a line that starts with "alert" is active.
#  - "metadata:policy <name> drop" lists the base policies in which the rule is turned on, with a drop action.
#  - "flowbits:isset,file.*" makes the rule depend on a file-identification rule having set that bit earlier
#    in the same flow. Those setter rules are not in this section; without them the rule cannot fire.

# sid 26110 (disabled, SMTP inbound): three 16-byte patterns inside an SWF. Because within:16 equals the
# pattern length, the second pattern must start exactly 336 bytes after the first ends, and the third exactly
# 288 bytes after the second. No fast_pattern is named. Fixed bytes at fixed offsets look sample-specific.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D7 F3 DB DF 19 6F DB FC E6 F7 5F CF 2F BF 99 BE|"; content:"|78 F9 BB 3F 7D FD 27 7C F9 FE AB F9 7A 7C E5 D3|"; within:16; distance:336; content:"|27 5F FD FC 7D 7D F7 FE 1F FC 7A 6B BF 7C 3F DF|"; within:16; distance:288; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:26110; rev:6;)

# sid 25681 (active, server-to-client): structural check rather than a sample fingerprint.
#  1. Find 00 7E 00 E2, then require 00 01 00 00 to start 10 bytes before the end of that match (distance:-10).
#  2. Two byte_jump steps: each reads a 2-byte value at the cursor, skips forward by it, then skips 2 more bytes.
#  3. The next two bytes must be FF FF -- presumably the FeatureCount field named in msg; confirm against the
#     font table layout.
# Gated on flowbit file.swf.cff. Only this to_client variant is visible in this section; check whether an
# SMTP (to_server) counterpart exists elsewhere if mail-borne delivery is in scope.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player CFF FeatureCount integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf.cff; file_data; content:"|00 7E 00 E2|"; content:"|00 01 00 00|"; within:4; distance:-10; byte_jump:2,0,relative,post_offset 2; byte_jump:2,0,relative,post_offset 2; content:"|FF FF|"; within:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0633; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:25681; rev:8;)

# sid 25679 (active, SMTP inbound) and sid 25677 (active, server-to-client): one fixed 32-byte string, used
# only as the fast pattern, with no file-type flowbit. They match only files that contain this exact byte
# run, so a re-encoded or recompressed file would not match; sids 25678/25676 below carry the generic check.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_server,established; file_data; content:"|81 26 B3 45 C4 3F 7F 7F FF AE FD 47 3F 59 BA FD 67 FE ED D7 5E B5 55 6F 3D C2 B7 5E F9 00 BF FD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57787; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:25679; rev:9;)

# sid 25678 (active, SMTP inbound) and sid 25676 (active, server-to-client): generic form of the check.
#  - Requires flowbit file.swf OR file.ole, so it applies to uncompressed SWF content and OLE containers only
#    when the file-identification rules are enabled.
#  - "RegEx" is the prefilter; the pcre does the matching with flags s (dot matches newline), m, i (caseless).
#  - The pcre reads: "RegEx" + optional "p", "#", up to 5 chars, "(?" + up to 4 non-")" chars + "i",
#    then anything (lazy), "(?-" + up to 4 non-")" chars + "i", up to 50 chars, "||".
#    That is an inline case-insensitive flag group followed later by a group that clears it, then an empty
#    alternation.
#  - NOTE(review): the middle ".*?" is unbounded and runs under /s, so it can scan the rest of the file
#    buffer. On large files this is the expensive part of the rule; keep Snort's pcre match limits set.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf|file.ole; content:"RegEx"; fast_pattern:only; pcre:"/RegExp?\x23.{0,5}\x28\x3f[^\x29]{0,4}i.*?\x28\x3f\x2d[^\x29]{0,4}i.{0,50}\x7c\x7c/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57787; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:25678; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_client,established; file_data; content:"|81 26 B3 45 C4 3F 7F 7F FF AE FD 47 3F 59 BA FD 67 FE ED D7 5E B5 55 6F 3D C2 B7 5E F9 00 BF FD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57787; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:25677; rev:10;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf|file.ole; content:"RegEx"; fast_pattern:only; pcre:"/RegExp?\x23.{0,5}\x28\x3f[^\x29]{0,4}i.*?\x28\x3f\x2d[^\x29]{0,4}i.{0,50}\x7c\x7c/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57787; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:25676; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual
machine opcode verifying code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 94 90 4E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24877; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 94 90 4E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24876; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24875; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5271; 
reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24874; rev:8;)
# Reading notes: a line starting with "# alert" is a rule shipped disabled. "flowbits:isset,file.swf" means
# the rule depends on a file-identification rule (not in this section) having marked the flow as SWF.

# sid 24688 (disabled, SMTP inbound) and sid 24687 (disabled, server-to-client): both key on the same
# 32-character ASCII string inside an SWF. The two directions are not equivalent: 24687 also requires the
# caseless string "Knockout-HTF50-Welterweight", while 24688 matches on the 32-character string alone and is
# therefore the broader of the two.
# NOTE(review): both cite bulletin apsb11-01, whereas the other CVE-2011-0609 rules in this file cite
# apsb11-06 -- confirm which bulletin is intended.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"E9308C77A627681188C6AF05AC521652"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-01.html; classtype:attempted-user; sid:24688; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"E9308C77A627681188C6AF05AC521652"; fast_pattern:only; content:"Knockout-HTF50-Welterweight"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-01.html; classtype:attempted-user; sid:24687; rev:8;)

# sids 24431/24430 (byte 0x94) and 24429/24428 (byte 0x92), each as an SMTP and a server-to-client pair,
# all disabled. Shared logic:
#  1. Anchor on 1D 1D 1D 1D 1D 1D 1D 6D, then 00 00 01 02 exactly 2 bytes later (within:4 equals its length).
#  2. byte_extract stores the single byte that follows in the variable local_count.
#  3. Require D0 49 00 a short fixed distance later, then the marker byte (0x94 or 0x92) anywhere after it.
#  4. The byte after the marker must have its top bit clear (!&,128) and be greater than local_count.
#  5. Finally 47 00 00 must appear somewhere later.
# Presumably the marker bytes are bytecode instructions that take a local-register index, and step 4 flags an
# index above the declared count -- msg refers to opcode verification; confirm against the bytecode format.
# Steps 3 and 5 use open-ended distance:0, so the marker and trailer may be arbitrarily far from the anchor.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 6D|"; content:"|00 00 01 02|"; within:4; distance:2; byte_extract:1,0,local_count,relative; content:"|D0 49 00|"; within:3; distance:3; content:"|94|"; distance:0; byte_test:1,!&,128,0,relative; byte_test:1,>,local_count,0,relative; content:"|47 00 00|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24431; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 6D|"; content:"|00 00 01 02|"; within:4; distance:2; byte_extract:1,0,local_count,relative; content:"|D0 49 00|"; within:3; distance:3; content:"|94|"; distance:0; byte_test:1,!&,128,0,relative; byte_test:1,>,local_count,0,relative; content:"|47 00 00|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24430; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 6D|"; content:"|00 00 01 02|"; within:4; distance:2; byte_extract:1,0,local_count,relative; content:"|D0 49 00|"; within:3; distance:3; content:"|92|"; distance:0; byte_test:1,!&,128,0,relative; byte_test:1,>,local_count,0,relative; content:"|47 00 00|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24429; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 6D|"; content:"|00 00 01 02|"; within:4; distance:2; byte_extract:1,0,local_count,relative; content:"|D0 49 00|"; within:3; distance:3; content:"|92|"; distance:0; byte_test:1,!&,128,0,relative; byte_test:1,>,local_count,0,relative; content:"|47 00 00|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap,
service pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24428; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Matrix3D copyRawDataTo integer overflow attempt"; flow:to_server,established; file_data; content:"|A3 9D 7B C7 44 71 75 DD F0 26 8A 1F 78 66 64 50 4F 16 95 4A 8A EF 97 C4 12 7E 34 74 EC 70|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,55691; reference:cve,2012-5054; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:attempted-user; sid:24245; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Matrix3D copyRawDataTo integer overflow attempt"; flow:to_client,established; file_data; content:"|A3 9D 7B C7 44 71 75 DD F0 26 8A 1F 78 66 64 50 4F 16 95 4A 8A EF 97 C4 12 7E 34 74 EC 70|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55691; reference:cve,2012-5054; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:attempted-user; sid:24244; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1E 3E 95 0F 29 8B 36 33 45 A4 1C F6 43 97 12 71 58 FF 44|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:24142; rev:7;) # alert tcp $EXTERNAL_NET 1935 -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash malformed RTMP response attempt"; flow:to_client,established; content:"|02 00 06|_error|00|"; 
isdataat:9,relative; content:!"|05|"; within:1; distance:8; content:!"|03|"; within:1; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service rtmp; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:protocol-command-decode; sid:24140; rev:9;)
# Reading notes: a line starting with "# alert" is a rule shipped disabled. "flowbits:isset,file.swf" means
# the rule depends on a file-identification rule (not in this section) having marked the flow as SWF.

# sids 24139 and 24138 (disabled): unlike the file rules in this section these inspect the raw stream (no
# file_data) from source port 1935, and are classed protocol-command-decode. Both anchor on
# 02 00 06 "_error" 00 -- this looks like a type marker, a 2-byte length of 6 and the 6-character string.
#  - 24139: the byte 8 bytes after the anchor must be 05 and the byte after that must be greater than 0x11.
#  - 24138: the byte 8 bytes after the anchor must be 03; byte_jump then skips by a 2-byte length; a later
#    09 must be followed by at least one byte that is neither 03 nor 05.
# The rule header pins source port 1935, so the same response on another port is covered only if the
# "service rtmp" metadata is honoured through service identification -- verify for the deployment.
# alert tcp $EXTERNAL_NET 1935 -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash malformed RTMP response attempt"; flow:to_client,established; content:"|02 00 06|_error|00|"; content:"|05|"; within:1; distance:8; byte_test:1,>,0x11,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service rtmp; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:protocol-command-decode; sid:24139; rev:12;)
# alert tcp $EXTERNAL_NET 1935 -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash malformed RTMP response attempt"; flow:to_client,established; content:"|02 00 06|_error|00|"; content:"|03|"; within:1; distance:8; byte_jump:2,0,relative; content:"|09|"; distance:0; isdataat:1,relative; content:!"|03|"; within:1; content:!"|05|"; within:1; metadata:policy max-detect-ips drop, policy security-ips drop, service rtmp; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:protocol-command-decode; sid:24138; rev:9;)

# sids 23997 (SMTP inbound) and 23996 (server-to-client), both disabled: three 16-byte patterns in an SWF.
# The first is the fast pattern only; the second may appear anywhere; the third must start exactly 96 bytes
# after the second ends (within:16 equals its length). Fixed bytes at a fixed offset look sample-specific.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|44 04 17 14 95 CB 8B 04 AF 15 74 5D D7 FB 64 5D|"; fast_pattern:only; content:"|FF 7B 55 93 A2 93 FF FE 77 F9 D0 DD EF 57 EF 5B|"; content:"|66 30 12 CE C6 06 B5 C6 48 C2 9C 36 6E 5C B2 D5|"; within:16; distance:96; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-2110; reference:url,www.adobe.com/support/security/bulletins/apsb11-18.html; classtype:attempted-user; sid:23997; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|44 04 17 14 95 CB 8B 04 AF 15 74 5D D7 FB 64 5D|"; fast_pattern:only; content:"|FF 7B 55 93 A2 93 FF FE 77 F9 D0 DD EF 57 EF 5B|"; content:"|66 30 12 CE C6 06 B5 C6 48 C2 9C 36 6E 5C B2 D5|"; within:16; distance:96; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2110; reference:url,www.adobe.com/support/security/bulletins/apsb11-18.html; classtype:attempted-user; sid:23996; rev:10;)

# sid 23967 (disabled, server-to-client): the "- compressed" companion of sids 23854/23853 below. It is a
# single long fixed byte string with no file-type flowbit, so it matches only files carrying exactly these
# bytes.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash OpenType font memory corruption attempt - compressed"; flow:to_client,established; file_data; content:"|1D 27 2F 72 E1 98 12 1D 13 1E AA 63 66 F7 1F 53 A6 FF 5A 82 B6 31 57 6A F7 40 FB 43 CE 7D C7 0D 1F 64 7F 41 F2 D2 7B A6 C6 A0 DD 60 B4 6E 31 FF 07 50 9B 47 3E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55009; reference:cve,2012-1535; reference:url,www.adobe.com/support/security/bulletins/apsb12-18.html; classtype:attempted-user; sid:23967; rev:10;)

# sids 23856 (SMTP inbound) and 23855 (server-to-client), both disabled: heuristic rules that fire on the
# literal string "heapspray" anywhere in an SWF. They carry no reference: option and are listed only for the
# max-detect policy. The match is on a naming artefact rather than on behaviour, so treat a hit as a
# low-confidence lead: a benign file containing the word will also match, and a renamed identifier will not.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH string heapspray flash file - likely attack"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"heapspray"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:23856; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH string heapspray flash file - likely attack"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"heapspray"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:23855; rev:8;)

# sids 23854 (SMTP inbound) and 23853 (server-to-client), both disabled: structural check on an uncompressed
# SWF. "FWS" is matched with no depth, so it may appear anywhere in the buffer. After "kern" (within 500
# bytes of the previous match), byte_extract reads a 4-byte value located 4 bytes past it into kern_offset.
# After "OTTO", byte_test compares the 4-byte value at kern_offset bytes past the match against 0x10000000.
# NOTE(review): the second content option in both rules is empty (content:"";). A zero-length content is
# expected to be rejected when the rule is parsed, so these rules should not be enabled as written. The
# pattern appears to have been lost from this copy; restore it from the upstream ruleset before use.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash OpenType font memory corruption attempt"; flow:to_server,established; file_data; content:"FWS"; content:""; distance:0; content:"kern"; within:500; byte_extract:4,4,kern_offset,relative; content:"OTTO"; byte_test:4,>=,0x10000000,kern_offset,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,55009; reference:cve,2012-1535; reference:url,www.adobe.com/support/security/bulletins/apsb12-18.html; classtype:attempted-user; sid:23854; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash OpenType font memory corruption attempt"; flow:to_client,established; file_data; content:"FWS"; content:""; distance:0; content:"kern"; within:500; byte_extract:4,4,kern_offset,relative; content:"OTTO"; byte_test:4,>=,0x10000000,kern_offset,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55009; reference:cve,2012-1535; reference:url,www.adobe.com/support/security/bulletins/apsb12-18.html; classtype:attempted-user; sid:23853; rev:9;)

# sids 23265 (SMTP inbound) and 23264 (server-to-client), both disabled: one content that mixes raw bytes
# with ASCII -- the name "FirstCircle", runs of "B" filler and a trailing 90 90 90 90 -- used only as the
# fast pattern. This reads as a fingerprint of one particular file rather than of the flaw itself.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption attempt"; flow:to_server,established; file_data; content:"|93 1A|FirstCircleBBBBBBBBBBBBBBBBBBBBBBB|06 A6 17 30|BBBBBBBBBBBBBBBBBBBB|90 90 90 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:23265; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption attempt"; flow:to_client,established; file_data; content:"|93 1A|FirstCircleBBBBBBBBBBBBBBBBBBBBBBB|06 A6 17 30|BBBBBBBBBBBBBBBBBBBB|90 90 90 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data,
service http, service imap, service pop3; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:23264; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|E2 41 76 26 4F 70 65 72 61 74 65 64 20 62 79 20 44 6F 53 57 46|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22916; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|74 F2 37 35 34 31 32 32 37 8C 4C 8C A3 B1 E3 E8 F0 22 70 3A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22915; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|FF 0F AA 70 2A B7 17 2A C1 3B 77 35 50 B9 6B 07 17 16 1D 92|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22070; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|11 B3 38 36 87 2D C0 BB 20 72 7C 49 54 35 83 87 FA C3 48 10|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy 
security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22069; rev:9;)
# NOTE(review): sids 21458 (SMTP, to_server) and 21457 (download, to_client) are disabled. Each
# chains three 16-byte literals at fixed offsets/distances, so a match needs a byte-identical
# file layout. In sid 21458 the sixth and seventh bytes of the first pattern are 78 9C, which
# looks like a zlib stream header - TODO confirm these offsets still line up if the
# preprocessor hands decompressed SWF content to file_data.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption"; flow:to_server,established; file_data; content:"|0B 6F 21 00 00 78 9C ED 59 7D 6C 1B C7 95 9F 59|"; depth:16; offset:3; content:"|9A 85 C1 70 78 7E 7E BE 6B BE BB 4B D3 67 C2 91|"; within:16; distance:160; content:"|B1 1B 88 2D BA F6 4C 5B 75 82 9A 52 46 32 A5 2D|"; within:16; distance:144; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-2110; reference:url,www.adobe.com/support/security/bulletins/apsb11-18.html; classtype:attempted-user; sid:21458; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption"; flow:to_client,established; file_data; content:"|77 3C F6 F5 23 0F E7 BD 49 F6 E1 DD 38 E4 41 1C|"; depth:16; offset:18; content:"|A7 15 35 3B 00 AB 23 1D 29 C3 C8 0C 04 83 F3 F3|"; within:16; distance:128; content:"|9A 9E 16 8C 21 21 93 51 64 51 60 E6 82 F9 40 36|"; within:16; distance:80; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2110; reference:url,www.adobe.com/support/security/bulletins/apsb11-18.html; classtype:attempted-user; sid:21457; rev:13;)
# NOTE(review): the sid 21338 pattern (disabled) decodes to the ASCII strings "NetStream",
# "repro.mp4", "play" and "addFram" with length-prefix bytes between them. It keys on a
# sample-specific file name, not on the zero-length MP4 atom named in msg.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MP4 zero length atom attempt"; flow:to_client,established; file_data; content:"|4E 65 74 53 74 72 65 61 6D 09 72 65 70 72 6F 2E 6D 70 34 04 70 6C 61 79 0E 61 64 64 46 72 61 6D|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0754; 
reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21338; rev:11;)
# sid 21336 is disabled: one 32-byte literal, fast_pattern:only, download direction (to_client).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash ASConstructor insecure calling attempt"; flow:to_client,established; file_data; content:"|83 E3 E3 B6 37 E6 3A B3 C7 AA 56 19 5D 3A 63 B9 59 67 DA 1E 44 C1 8B 16 4C BA 94 26 03 21 AF 0E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0753; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21336; rev:11;)
# The CVE-2011-0611 rules below are active (not commented out) and set to drop in the balanced,
# max-detect and security policies. These three inspect mail sent to $SMTP_SERVERS port 25.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_server,established; file_data; content:"|01 00 00 00 08 1C 99 02 00 C4 FE 96 05 00 07 0C F5 4E 15 4C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20803; rev:9;)
# NOTE(review): the second content in sid 20785 is ASCII text, not raw bytes. "465753" is the hex
# spelling of "FWS", so the rule looks for a hex-encoded SWF header within 100 bytes after the
# ActionScript name strings; nocase covers upper- and lower-case hex digits.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_server,established; file_data; content:"charAt|08|parseInt|09|writeByte|05|Array"; content:"4657530ACC0500007800055F00000FA000001801004"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20785; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - namelist.xls"; flow:to_server,established; file_data; 
content:"Q1dTCswFAAB4nE1UbWxTZRQ+t73t+3btKN0YnawgU"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20784; rev:7;)
# NOTE(review): sids 20783 and 20782 are active and match only the RAR magic "Rar!" followed by a
# member name ("dear chu.doc" / "Economy.doc", nocase) at a fixed distance of 48 bytes. That
# identifies an archive by file name, not by its content, and both rules drop in the balanced
# policy. Expect hits on unrelated archives that use the same name, and no coverage once the
# name differs; review whether they still earn a place in an inline deployment.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - dear chu.rar"; flow:to_server,established; file_data; content:"Rar!"; content:"dear chu.doc"; within:12; distance:48; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20783; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - economy.rar"; flow:to_server,established; file_data; content:"Rar!"; content:"Economy.doc"; within:11; distance:48; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20782; rev:7;)
# sid 20781 is the download-direction (to_client) form of the hex-text check: "465753" is the hex
# spelling of "FWS", searched within 100 bytes after the ActionScript name strings.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_client,established; file_data; content:"charAt|08|parseInt|09|writeByte|05|Array"; content:"4657530ACC0500007800055F00000FA000001801004"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; 
classtype:attempted-user; sid:20781; rev:8;)
# NOTE(review): the sid 20780 pattern is base64 text; its first four characters "Q1dT" decode to
# "CWS" (the compressed-SWF magic), so the rule matches one specific base64-encoded file body.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - namelist.xls"; flow:to_client,established; file_data; content:"Q1dTCswFAAB4nE1UbWxTZRQ+t73t+3btKN0YnawgU"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20780; rev:8;)
# NOTE(review): sids 20779 and 20778 are active and identify a RAR archive purely by a member name
# at a fixed distance after "Rar!". They drop in the balanced policy, so a benign archive with
# the same member name in that position would be blocked - tune or suppress if that is a concern.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - dear chu.rar"; flow:to_client,established; file_data; content:"Rar!"; content:"dear chu.doc"; within:12; distance:48; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20779; rev:8;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - economy.rar"; flow:to_client,established; file_data; content:"Rar!"; content:"Economy.doc"; within:11; distance:48; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20778; rev:8;)
# NOTE(review): sid 20777 (disabled, continues on the next line) appears to carry the same three
# patterns, offsets and direction as sid 21457 earlier in this file; if so, one is redundant.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt"; flow:to_client,established; file_data; 
content:"|77 3C F6 F5 23 0F E7 BD 49 F6 E1 DD 38 E4 41 1C|"; depth:16; offset:18; content:"|A7 15 35 3B 00 AB 23 1D 29 C3 C8 0C 04 83 F3 F3|"; within:16; distance:128; content:"|9A 9E 16 8C 21 21 93 51 64 51 60 E6 82 F9 40 36|"; within:16; distance:80; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2110; reference:url,www.adobe.com/support/security/bulletins/apsb11-18.html; classtype:attempted-user; sid:20777; rev:14;)
# sid 20767 is disabled: three 16-byte literals at fixed offset/distance, download direction
# (to_client). A match requires the exact byte layout of the file these were taken from.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption"; flow:to_client,established; file_data; content:"|0B 6F 21 00 00 78 9C ED 59 7D 6C 1B C7 95 9F 59|"; depth:16; offset:3; content:"|9A 85 C1 70 78 7E 7E BE 6B BE BB 4B D3 67 C2 91|"; within:16; distance:160; content:"|B1 1B 88 2D BA F6 4C 5B 75 82 9A 52 46 32 A5 2D|"; within:16; distance:144; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2110; reference:url,www.adobe.com/support/security/bulletins/apsb11-18.html; classtype:attempted-user; sid:20767; rev:13;)
# sid 20131 is active: one 20-byte literal (fast_pattern:only) in downloaded file data, set to
# drop in the balanced, max-detect and security policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_client,established; file_data; content:"|01 00 00 00 08 1C 99 02 00 C4 FE 96 05 00 07 0C F5 4E 15 4C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20131; rev:11;)
# sid 20031 is disabled; its pattern continues on the next line of this copy.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption"; flow:to_client,established; file_data; content:"|64 62 01 2D 01 66 0B 41 01 29 47 00 00 02 
03 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2110; reference:url,www.adobe.com/support/security/bulletins/apsb11-18.html; classtype:attempted-user; sid:20031; rev:15;)
# The rules in this run are disabled and listed only in the max-detect-ips policy. All inspect
# downloaded file data (to_client) on $FILE_DATA_PORTS.
# sid 19687: one 32-byte literal; classtype attempted-admin, unlike its attempted-user neighbours.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash ActionStoreRegister instruction length invalidation attempt"; flow:to_client,established; file_data; content:"|00 04 03 08 61 4E 12 12 9D 02 00 4D 02 96 06 00 04 03 08 61 05 01 4F 96 02 00 08 12 1C 96 02 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2414; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-admin; sid:19687; rev:17;)
# sid 19408: "CWS|09|" anywhere in the buffer (no depth), then a 16-byte literal exactly 94 bytes later.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption exploit attempt"; flow:to_client,established; file_data; content:"CWS|09|"; content:"|3D BF CF FB CF 8B D6 E9 EE EA EA EA AA EA EA EA|"; within:16; distance:94; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0197; reference:cve,2010-1297; classtype:attempted-admin; sid:19408; rev:12;)
# sids 19264 and 19263: one 16-byte literal each for CVE-2011-2110, with no positional constraint.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption"; flow:to_client,established; file_data; content:"|8E 1D FE E9 F1 B8 EE D3 C3 FB F2 8E 75 9D DD AB|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2110; reference:url,www.adobe.com/support/security/bulletins/apsb11-18.html; classtype:attempted-user; sid:19264; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption"; flow:to_client,established; file_data; 
content:"|67 D9 C1 1F 1F 8D EB 3E 3D B8 27 F7 48 E7 E9 DD|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2110; reference:url,www.adobe.com/support/security/bulletins/apsb11-18.html; classtype:attempted-user; sid:19263; rev:18;)
# sid 19262 is disabled: one 16-byte literal for CVE-2011-2110, fast_pattern:only.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption"; flow:to_client,established; file_data; content:"|79 76 E8 C7 47 E3 BA CF 0E EE C9 3B D2 75 7A B7|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2110; reference:url,www.adobe.com/support/security/bulletins/apsb11-18.html; classtype:attempted-user; sid:19262; rev:18;)
# sid 19145 is disabled: two 16-byte literals, the second required exactly 16 bytes after the first.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption attempt"; flow:to_client,established; file_data; content:"|D2 60 3B 40 C1 03 AB 12 E5 00 00 60 E8 03 24 00|"; content:"|46 FF 04 02 75 63 07 60 97 01 24 02 A1 62 04 0E|"; within:16; distance:16; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:19145; rev:13;)
# NOTE(review): sid 19111 (disabled) has no file_data and no service metadata. It inspects raw TCP
# payload from $HOME_NET to $EXTERNAL_NET port 1935, i.e. traffic leaving the protected network
# toward external servers. A locally hosted Flash Media Server would presumably need the
# direction and variables adjusted - verify against your topology before relying on it.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1935 (msg:"FILE-FLASH Adobe Flash Media Server memory exhaustion"; flow:to_server,established; content:"|0D|eval.toString|00|"; content:"-9999999999"; distance:12; metadata:policy max-detect-ips drop; reference:cve,2009-3791; classtype:misc-activity; sid:19111; rev:7;)
# NOTE(review): the first pattern of sid 19083 (disabled) is "3" CR LF "CWS" CR LF "1" CR LF ...,
# which looks like HTTP chunked-transfer framing captured along with the file bytes. If
# file_data presents de-chunked content in this deployment the rule would presumably never
# match - TODO confirm before enabling.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"|33 0D 0A 43 57 53 0D 0A 31 0D 0A 0A 0D 0A 33 0D|"; content:"|0D 0A 34 0D 0A FE B3 6F 7D 0D 0A 33 0D 0A FC F1|"; within:16; distance:320; content:"|32 0D 0A F5 CB 0D 0A 33 0D 
0A 4B 7C F1 0D 0A 34|"; within:16; distance:320; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19083; rev:10;)
# sids 19080 and 19071 are disabled. Each chains three 16-byte literals at fixed distances
# (320/320 and 336/288 bytes), so a match requires the exact layout of the file they came from.
# sid 19071 additionally requires the file.swf flowbit, which is set outside this part of the file.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"|64 BF B2 5C 3B 6C 01 CC 94 D8 86 75 E0 13 57 80|"; content:"|00 1C 84 81 C9 80 77 6F 72 6B 50 6F 73 5F 6D 63|"; within:16; distance:320; content:"|FD 8D AD 6D 92 AB 5A B5 AF EC 90 2F 1A 4C 2A 01|"; within:16; distance:320; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19080; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D7 F3 DB DF 19 6F DB FC E6 F7 5F CF 2F BF 99 BE|"; content:"|78 F9 BB 3F 7D FD 27 7C F9 FE AB F9 7A 7C E5 D3|"; within:16; distance:336; content:"|27 5F FD FC 7D 7D F7 FE 1F FC 7A 6B BF 7C 3F DF|"; within:16; distance:288; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19071; rev:11;)
# sid 19002 (disabled) is a structural check rather than a sample literal: "FLV|01|" in the first
# four bytes, a 0x12 byte 9 bytes later, a 2-byte length followed via byte_jump, then byte_test
# on a type byte in the range 0x08-0x0a and a 4-byte value greater than 0x7507507.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH RealNetworks RealPlayer FLV integer overflow attempt"; flow:to_client,established; file_data; content:"FLV|01|"; depth:4; content:"|12|"; within:1; distance:9; byte_jump:2,11,relative; byte_test:1,>=,0x08,0,relative; byte_test:1,<=,0x0a,0,relative; byte_test:4,>,0x7507507,1,relative; metadata:policy max-detect-ips drop, service ftp-data, 
service http, service imap, service pop3; reference:bugtraq,42775; reference:cve,2010-3000; classtype:attempted-user; sid:19002; rev:14;)
# sid 18544 is disabled: one long literal that starts with "FWS|09|" and ends in the ASCII digits
# "1414141414141414", matched anywhere in mail data sent to $SMTP_SERVERS port 25.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH embedded Shockwave dropper in email attachment"; flow:to_server,established; file_data; content:"FWS|09 47 CB 00 00 48 01 40 00 5A 00 00 19 01 00 44 11 08 00 00 00 BF 14 1C CB 00 00 00 00 00 00 00 10 00 2E 00 06 00 80 80 40 94 A8 D0 A0 01 80 80 04 10 00 02 00 00 00 12 12 12 E2 41 30 F0 09|1414141414141414"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-05.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:18543; rev:17;)
# NOTE(review): the sid 18543 pattern (disabled) is 40 lower-case hex characters of ASCII text,
# the length of a SHA-1 digest written out - presumably a string embedded in one sample.
# TODO confirm what it represents; as a text match it is case-sensitive (no nocase).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"ebbb7a031dd67a519bc0853913485103f54b1b03"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-05.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:18543; rev:17;)
# sid 17658 is disabled: one 30-byte literal, fast_pattern:only, download direction.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash frame type identifier memory corruption attempt"; flow:to_client,established; file_data; content:"|0B 25 C9 92 0D 21 ED 48 87 65 30 3B 6D E1 D8 B4 00 00 86 06 06 01 00 01 00 00 40 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15332; reference:cve,2005-2628; classtype:attempted-user; sid:17658; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempt"; flow:to_client,established; 
file_data; content:"|A3 D9 86 B1 D3 6F 07 ED BF 7D EB C4 59 9B 2E C0 84 E8 1F 00 00 00 FF FF 03 00 89 17 52 74|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:17606; rev:11;)
# sid 17457 (disabled) is a structural check: "FWS|06|" in the first four bytes, "|43 02|" within
# the next 27, a byte_test for a value below 64, a 0x03 byte and then 0x9B or 0x8E (the pcre
# is anchored with ^ and /R, so it applies right after the previous match). It also requires
# the file.swf flowbit, which is set outside this part of the file.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash ActionDefineFunction memory access exploit attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FWS|06|"; depth:4; content:"|43 02|"; within:27; byte_test:1,<,64,3,relative; content:"|03|"; within:1; distance:4; pcre:"/^(\x9B|\x8E)/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15334; reference:cve,2005-2628; classtype:attempted-user; sid:17457; rev:13;)
# sid 17334 (disabled): the literal is "FWS" (46 57 53), five more bytes, then a run of 0x90 bytes.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH RealNetworks RealPlayer SWF flash file buffer overflow attempt"; flow:to_client,established; file_data; content:"|46 57 53 05 CF 00 00 00 60 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17202; reference:cve,2006-0323; classtype:attempted-user; sid:17334; rev:20;)
# sid 17223 (disabled) is scoped to $HTTP_PORTS / service http only and is classed misc-activity.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player navigateToURL cross-site scripting attempt"; flow:to_client,established; file_data; content:"|11 BA EE 66 DA B8 6C D6 A9 D7 D9 C2 DB F0 26 7D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26960; reference:cve,2007-6244; classtype:misc-activity; sid:17223; rev:10;)
# NOTE(review): the pattern of the next rule (sid 16634, disabled, continues on the following
# line) decodes to readable sample strings - "Shhh don't tell any one this is a secret key!",
# "The truth is out there", "COMPLETE", "removeChild", "URLRequest", "http" - so it identifies
# one particular file rather than the use-after-free condition named in msg.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash use-after-free attack attempt"; flow:to_client,established; 
file_data; content:"|53 68 68 68 20 64 6F 6E 27 74 20 74 65 6C 6C 20 61 6E 79 20 6F 6E 65 20 74 68 69 73 20 69 73 20 61 20 73 65 63 72 65 74 20 6B 65 79 21 16 54 68 65 20 74 72 75 74 68 20 69 73 20 6F 75 74 20 74 68 65 72 65 08 43 4F 4D 50 4C 45 54 45 0B 72 65 6D 6F 76 65 43 68 69 6C 64 0A 55 52 4C 52 65 71 75 65 73 74 30 68 74 74 70|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1297; classtype:attempted-user; sid:16634; rev:16;)
# sid 16331 (disabled) is a structural check on an embedded JPEG: the FF D8 FF E0 marker, "JFIF|00|",
# an FF C0 marker at a fixed distance, then a 2-byte field tested for a value above 0x7fff.
# Because FF C0 must sit exactly 9 bytes after "JFIF|00|", other JPEG layouts are not covered.
# It requires the file.swf flowbit, which is set outside this part of the file.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player JPEG parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FF D8 FF E0|"; content:"JFIF|00|"; within:5; distance:2; content:"|FF C0|"; within:2; distance:9; byte_test:2,>,0x7fff,3,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-3794; classtype:attempted-user; sid:16331; rev:16;)
# sid 15993 is disabled: one 22-byte literal, fast_pattern:only.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript intrf_count integer overflow attempt"; flow:to_client,established; file_data; content:"|01 01 02 09 03 80 80 80 80 01 01 02 01 01 04 01 00 03 00 01 01 09|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35907; reference:cve,2009-1869; classtype:attempted-user; sid:15993; rev:16;)
# sid 15869 (disabled) looks for the NUL-delimited strings "airappinstaller" and "ASnative" and uses
# the pcre to require a shell metacharacter (0x3b ';', 0x7c '|', 0x26 '&' or 0x60 '`') at the
# start of the preceding string, or ';' right after "ASnative\0". The pcre is not relative
# (no /R), so it is evaluated over the whole buffer.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempt"; flow:to_client,established; file_data; content:"|00|airappinstaller|00|ASnative|00|"; pcre:"/\x00([\x3b\x7c\x26\x60][^\x00]+\x00airappinstaller\x00ASnative\x00|airappinstaller\x00ASnative\x00\x3b)/smi"; content:"|99 08|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32896; 
reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:15869; rev:14;)
# sid 15478 (disabled): a single literal that begins with 43 57 53 ("CWS") and is limited by
# depth:64 to the start of the file data, i.e. it matches the opening bytes of one specific
# compressed file. NOTE(review): confirm it still applies if SWF content is decompressed
# before inspection.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid object reference code execution attempt"; flow:to_client,established; file_data; content:"|43 57 53 06 40 F3 14 00 78 DA 44 7C 05 58 54 DB F7 F6 1A 66 80 A1 87 54 86 EE EE A1 86 9A A1 41 10 10 A4 2C 44 3A 2C 10 0B 61 08 15 41 10 15 95 52 4A 01 11 15 05 F4 9A A0 A2 5E 95 10 30 08 03|"; depth:64; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33880; reference:cve,2009-0520; reference:url,adobe.com/support/security/bulletins/apsb09-01.html; classtype:attempted-user; sid:15478; rev:13;)
# sid 13820 (disabled): four short literals chained at fixed distances (45, 12 and 383 bytes);
# requires the file.swf flowbit, which is set outside this part of the file.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SWF scene and label data memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A8 15|"; content:"|BF 15 0C 00 00 00|"; within:6; distance:45; content:"|BF 14 7F 01 00 00|"; within:6; distance:12; content:"?|13 19 00 00 00|"; within:6; distance:383; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13820; rev:13;)
# sid 13300 (disabled): "FWS", then FF D8, "JFIF" and FF C0 in order; the relative pcre skips
# three (or five) bytes after FF C0 and requires the next byte to have its high bit set
# (0x80-0xff). Requires the file.swf flowbit.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player embedded JPG image height overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FWS"; content:"|FF D8|"; distance:0; content:"JFIF"; distance:0; content:"|FF C0|"; within:256; pcre:"/^...(..)?[\x80-\xff]/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26951; reference:cve,2007-6242; classtype:attempted-admin; 
sid:13300; rev:13;)
# sid 12183 (disabled) is a structural FLV check: a 0x12 byte, "|00 00 00 02|" 7 bytes later, a
# big-endian 2-byte length followed via byte_jump, a 0x0C byte, then a big-endian 4-byte value
# tested for > 0x80000000. Requires the file.flv flowbit, set outside this part of the file.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe FLV long string script data buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.flv; file_data; content:"|12|"; content:"|00 00 00 02|"; within:4; distance:7; byte_jump:2,0,relative,big; content:"|0C|"; within:1; byte_test:4,>,0x80000000,0,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24856; reference:cve,2007-3456; classtype:attempted-admin; sid:12183; rev:18;)
# The CVE-2015-3090 rules below are active and set to drop in every listed policy, including
# connectivity-ips. NOTE(review): they only evaluate when the file.swf flowbit is already set
# on the flow; the rule that sets it is not in this part of the file, so keep that
# file-identification rule enabled or these will never fire.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|AF 4A BA 8E 45 7D DA A3 01 8F AD 72 A9 2C 0A B9 CE 6A 3B 64 3D C2 AB 24 8A 7C CF 21 B2 9C 35 2C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3090; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34564; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|AF 4A BA 8E 45 7D DA A3 01 8F AD 72 A9 2C 0A B9 CE 6A 3B 64 3D C2 AB 24 8A 7C CF 21 B2 9C 35 2C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3090; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34563; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt"; 
flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|61 07 5D 08 25 80 08 25 80 08 4A 08 02 80 08 D6 5D 09 4A 09 00 80 09 D7 5D 0A 4A 0A 00 80 0A 2A 63 04 D1 61 0B D3 D2 61 0C D3 62 04 61 0D D3 27 4F 0E 01 D3 25 E9 F4 01 61 0F 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3090; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34562; rev:2;)
# sid 34561 is active: download-direction rule for CVE-2015-3090, one long literal with
# fast_pattern:only, gated on the file.swf flowbit and set to drop in all four listed policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|61 07 5D 08 25 80 08 25 80 08 4A 08 02 80 08 D6 5D 09 4A 09 00 80 09 D7 5D 0A 4A 0A 00 80 0A 2A 63 04 D1 61 0B D3 D2 61 0C D3 62 04 61 0D D3 27 4F 0E 01 D3 25 E9 F4 01 61 0F 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3090; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34561; rev:2;)
# The CVE-2015-3087 rules below are active. Unlike the CVE-2015-3090 rules above they carry no
# flowbits:isset,file.swf gate and are not listed in the connectivity-ips policy.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player integer overflow attempt"; flow:to_server,established; file_data; content:"|35 8F 63 B6 68 3E 68 F6 37 F9 85 7A 2D D1 E2 70 53 A8 5F 7A 26 D5 D9 ED 20 99 B9 A9 48 C2 3C 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3087; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34556; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player integer overflow attempt"; flow:to_client,established; file_data; 
content:"|35 8F 63 B6 68 3E 68 F6 37 F9 85 7A 2D D1 E2 70 53 A8 5F 7A 26 D5 D9 ED 20 99 B9 A9 48 C2 3C 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3087; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34555; rev:2;)
# sids 34554 (SMTP, to_server) and 34553 (download, to_client) are active and share one 32-byte
# literal for CVE-2015-3087; both drop in the balanced, max-detect and security policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player integer overflow attempt"; flow:to_server,established; file_data; content:"|02 03 02 09 0A 1B D0 30 D0 49 00 5D 09 4A 09 00 80 09 D5 D1 2F 01 61 0A D0 66 06 D0 D1 4F 0B 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3087; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34554; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player integer overflow attempt"; flow:to_client,established; file_data; content:"|02 03 02 09 0A 1B D0 30 D0 49 00 5D 09 4A 09 00 80 09 D5 D1 2F 01 61 0A D0 66 06 D0 D1 4F 0B 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3087; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34553; rev:2;)
# sid 34545 is active: first of the CVE-2015-3093 rules, SMTP direction, one 32-byte literal.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt"; flow:to_server,established; file_data; content:"|F3 D5 0B EB 76 FF E1 5A DF 1F C7 7F F7 77 FF 71 EC C4 F7 5B FE E5 5B 80 B9 7F FB FA AD BF 29 BE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3093; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-admin; sid:34545; rev:2;)
# sids 34544, 34543 and 34542 are active CVE-2015-3093 rules: two 32-byte literals, each present
# once for SMTP (to_server) and once for downloads (to_client). All are classed
# attempted-admin even though msg describes a memory leak, which affects alert priority.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt"; flow:to_server,established; file_data; content:"|9A 37 B4 CC 23 D5 4E 5A 98 87 4D 3D B2 38 39 EE 43 A6 D1 F5 93 6B 1E 35 E2 87 52 F7 60 CB C3 F4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3093; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-admin; sid:34544; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt"; flow:to_client,established; file_data; content:"|F3 D5 0B EB 76 FF E1 5A DF 1F C7 7F F7 77 FF 71 EC C4 F7 5B FE E5 5B 80 B9 7F FB FA AD BF 29 BE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3093; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-admin; sid:34543; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt"; flow:to_client,established; file_data; content:"|9A 37 B4 CC 23 D5 4E 5A 98 87 4D 3D B2 38 39 EE 43 A6 D1 F5 93 6B 1E 35 E2 87 52 F7 60 CB C3 F4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3093; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-admin; sid:34542; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt"; 
flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ByteArray"; content:"writeByte"; within:10; content:"Shader"; within:100; content:"|4F 05 01 D1 24 00 4F 05 01 D1 24 00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74617; reference:bugtraq,75086; reference:cve,2015-3091; reference:cve,2015-3105; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-recon; sid:34539; rev:5;)
# sid 34538 is active: "ByteArray", then "writeByte" within 10 bytes, then "Shader" within 100
# bytes, plus a 12-byte literal. NOTE(review): that last content has no distance/within, so
# it is matched anywhere in the file data rather than relative to "Shader". The three names
# are ordinary ActionScript identifiers, so the 12-byte literal is what carries the
# specificity - watch the false-positive rate, since the rule drops in the balanced policy.
# It requires the file.swf flowbit, which is set outside this part of the file.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ByteArray"; content:"writeByte"; within:10; content:"Shader"; within:100; content:"|4F 05 01 D1 24 00 4F 05 01 D1 24 00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,74617; reference:bugtraq,75086; reference:cve,2015-3091; reference:cve,2015-3105; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-recon; sid:34538; rev:5;)
# sids 34537 and 34536 are disabled and their metadata names no policy at all, so no listed
# policy turns them on; they would have to be enabled by hand.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|80 EB FF 43 72 2B A9 D1 93 E8 8C 57 1F 45 AF A8 4E 98 C9 8F 89 1C 52 F6 D4 1E 51 47 4A 16 22 13|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3091; classtype:attempted-recon; sid:34537; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; 
content:"|80 EB FF 43 72 2B A9 D1 93 E8 8C 57 1F 45 AF A8 4E 98 C9 8F 89 1C 52 F6 D4 1E 51 47 4A 16 22 13|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3091; classtype:attempted-recon; sid:34536; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|69 C3 E1 B0 34 7C 54 22 C9 A1 66 54 AB 55 4D 37 35 D3 54 19 42 A5 C7 51 8A 46 6A 44 1F 14 EB 8A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3077; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34523; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|69 C3 E1 B0 34 7C 54 22 C9 A1 66 54 AB 55 4D 37 35 D3 54 19 42 A5 C7 51 8A 46 6A 44 1F 14 EB 8A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3077; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34522; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"filters|00|BlurFilter|00|blurX|00|e|00|ConvolutionFilter"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; 
reference:cve,2015-3077; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34521; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"filters|00|BlurFilter|00|blurX|00|e|00|ConvolutionFilter"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3077; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34520; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player setSubscribedTagsForBackgroundManifest memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 00 EF FC 0F C9 DD 24 C7 CE A2 81 6E 3F 89 5E 51 9E 72 43 CC 04 9E 86 C1 04 79 88 22 0B 87 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3088; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34509; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player setSubscribedTagsForBackgroundManifest memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 00 EF FC 0F C9 DD 24 C7 CE A2 81 6E 3F 89 5E 51 9E 72 43 CC 04 9E 86 C1 04 79 88 22 0B 87 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3088; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; 
classtype:attempted-user; sid:34508; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player setCuePointTags memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|06 0F F4 B6 61 3C D4 47 91 65 73 CB DD 5A 33 D1 49 4D 68 EB C5 7E 7A 4F B5 0F 3D 71 6C 2D 97 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3088; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34507; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player setCuePointTags memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|06 0F F4 B6 61 3C D4 47 91 65 73 CB DD 5A 33 D1 49 4D 68 EB C5 7E 7A 4F B5 0F 3D 71 6C 2D 97 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3088; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34506; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player setSubscribedTags memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|E1 7D BD 63 18 87 FA 38 B6 1D 6E 7B 3B 6B 36 BA 99 0D 6D BD 38 C8 EE 99 F6 23 5F 6C 5B DB 63 E1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3088; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34505; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player setSubscribedTags memory corruption attempt"; flow:to_client,established; 
flowbits:isset,file.swf; file_data; content:"|E1 7D BD 63 18 87 FA 38 B6 1D 6E 7B 3B 6B 36 BA 99 0D 6D BD 38 C8 EE 99 F6 23 5F 6C 5B DB 63 E1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3088; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34504; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript AVSS memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|5D 06 4A 06 00 80 06 6D 01 65 01 5D 07 4A 07 00 80 07 6D 02 65 01 6C 02 40 01 61 08 65 01 65 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3088; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34503; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript AVSS memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|5D 06 4A 06 00 80 06 6D 01 65 01 5D 07 4A 07 00 80 07 6D 02 65 01 6C 02 40 01 61 08 65 01 65 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3088; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34502; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player same origin policy security bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|10 E1 A9 F8 F3 40 AA A4 2A E9 0D 49 38 95 7E 0D 7B 89 EF DB 32 1C 76 50 2F 89 53 C3 CA 14 4E 1F 64 36 32 E0|"; fast_pattern:only; 
metadata:service smtp; reference:bugtraq,69705; reference:cve,2014-0548; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:34495; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player same origin policy security bypass attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|10 E1 A9 F8 F3 40 AA A4 2A E9 0D 49 38 95 7E 0D 7B 89 EF DB 32 1C 76 50 2F 89 53 C3 CA 14 4E 1F 64 36 32 E0|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,69705; reference:cve,2014-0548; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:34494; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player same origin policy security bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|80 03 D6 5D 04 2C 09 2C 0A 4A 04 02 80 04 D7 D2 66 05 D3 4F 06 01 D2 60 07 66 08 61 09 D2 2C 11 61 0A 5D 0B|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,69705; reference:cve,2014-0548; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:34493; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player same origin policy security bypass attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|80 03 D6 5D 04 2C 09 2C 0A 4A 04 02 80 04 D7 D2 66 05 D3 4F 06 01 D2 60 07 66 08 61 09 D2 2C 11 61 0A 5D 0B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,69705; reference:cve,2014-0548; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:34492; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BrokerMoveFileEx 
sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|A0 48 66 01 10 F3 0F 7E 05 40 66 01 10 88 45 E4 8D 45 F4 50 6A 01 6A 11 66 0F D6 45 DC 89 75 F8|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3081; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-admin; sid:34588; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|A0 48 66 01 10 F3 0F 7E 05 40 66 01 10 88 45 E4 8D 45 F4 50 6A 01 6A 11 66 0F D6 45 DC 89 75 F8|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3081; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-admin; sid:34587; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|6A 00 8D 44 24 1C 50 68 04 01 00 00 FF 73 08 FF 15 28 10 41 00 6A 00 6A 00 FF 73 04 E8 ED 1E 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3081; reference:cve,2015-3083; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-admin; sid:34586; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 00 8D 44 24 1C 50 68 04 01 00 00 FF 73 08 FF 15 28 10 41 00 6A 00 6A 00 FF 73 04 E8 ED 1E 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3081; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-admin; sid:34585; rev:2;) 
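# FILE-FLASH signatures, one rule per line.
# A line starting with "# alert" is a rule that is commented out (disabled). None of the
# disabled rules below has a "policy ..." entry in its metadata.
#
# Reading notes for this group:
#  - Most signatures come in pairs with identical detection options: one for inbound mail
#    (-> $SMTP_SERVERS 25, flow:to_server) and one for file downloads
#    ($FILE_DATA_PORTS -> $HOME_NET, flow:to_client).
#  - flowbits:isset,file.swf / file.exe means the rule is evaluated only on flows where that
#    flowbit has already been set. The rules that set it are not in this part of the file;
#    confirm they are enabled, otherwise the dependent rules never fire.
#  - Rules whose only content is one fixed byte string with fast_pattern:only match only that
#    exact sequence. NOTE(review): these look like sample-derived byte runs - verify coverage
#    against your own test files before treating them as complete protection for the
#    referenced CVEs.

# Enabled (drop in balanced/max-detect/security policies): invalid BitmapData use after free,
# CVE-2015-3080 / CVE-2015-5127 per the references. Requires the DisplacementMapFilter,
# mapBitmap and valueOf strings plus a chain of byte sequences; each within/distance is
# relative to the previous content match.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"DisplacementMapFilter|00|"; fast_pattern:only; content:"mapBitmap|00|"; content:"valueOf|00|"; content:"|40 3C 96 02 00 08|"; content:"|1C 96 02 00 08|"; within:5; distance:1; content:"|8E 08 00 00 00 00|"; within:6; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3080; reference:cve,2015-5127; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:34583; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"DisplacementMapFilter|00|"; fast_pattern:only; content:"mapBitmap|00|"; content:"valueOf|00|"; content:"|40 3C 96 02 00 08|"; content:"|1C 96 02 00 08|"; within:5; distance:1; content:"|8E 08 00 00 00 00|"; within:6; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3080; reference:cve,2015-5127; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:34582; rev:3;)

# Disabled: uninitialized register memory leak (CVE-2015-3092). Two byte patterns, each in
# both directions. These four have no flowbits check.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt"; flow:to_server,established; file_data; content:"|80 04 D6 5D 07 4A 07 00 80 07 D7 5D 08 4A 08 00 80 08 2A 63 04 D1 61 09 D3 D2 61 0A D3 24 01 61 0B D3 24 01|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,74617; reference:cve,2015-3092; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-recon; sid:34580; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt"; flow:to_client,established; file_data; content:"|80 04 D6 5D 07 4A 07 00 80 07 D7 5D 08 4A 08 00 80 08 2A 63 04 D1 61 09 D3 D2 61 0A D3 24 01 61 0B D3 24 01|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,74617; reference:cve,2015-3092; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-recon; sid:34579; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt"; flow:to_server,established; file_data; content:"|A7 3A E6 2E 8E A9 16 8E A7 D3 4E 5E 4F B5 F3 70 92 37 D2 9D 82 9E DE 2F 40 7E 3E 08 F1 B3 5A 3D D1 28 E8 2E|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,74617; reference:cve,2015-3092; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-recon; sid:34578; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt"; flow:to_client,established; file_data; content:"|A7 3A E6 2E 8E A9 16 8E A7 D3 4E 5E 4F B5 F3 70 92 37 D2 9D 82 9E DE 2F 40 7E 3E 08 F1 B3 5A 3D D1 28 E8 2E|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,74617; reference:cve,2015-3092; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-recon; sid:34577; rev:3;)

# Disabled: BrokerMoveFileEx sandbox escape (CVE-2015-3081). These gate on the file.exe
# flowbit rather than file.swf.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|68 98 E9 01 10 8D 85 F8 F7 FF FF 50 FF 15 58 40 02 10 3B F4 E8 EE C9 FF FF 8B F4 8D 85 E4 EF FF|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3081; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-admin; sid:34576; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|68 98 E9 01 10 8D 85 F8 F7 FF FF 50 FF 15 58 40 02 10 3B F4 E8 EE C9 FF FF 8B F4 8D 85 E4 EF FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3081; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-admin; sid:34575; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 E2 52 42 00 64 A1 00 00 00 00 50 81 EC 74 04 00 00 53 56 57 8D BD 80 FB FF FF|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3081; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-admin; sid:34574; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 E2 52 42 00 64 A1 00 00 00 00 50 81 EC 74 04 00 00 53 56 57 8D BD 80 FB FF FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3081; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-admin; sid:34573; rev:2;)

# Disabled, older signatures for traffic from $HTTP_PORTS only (references to 2010/2011
# bulletins). They have no file_data option, so they do not use the file_data buffer that
# the newer rules here select. sid:18444 has no metadata/service option and sid:18180 has
# no flowbits check.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionPush overflow attempt"; flow:established,to_client; flowbits:isset,file.swf; content:"|96 00 96 07 00 08 0D 07 01 00 00 00 1D 96 02 00 08 12 1C 96|"; fast_pattern:only; metadata:service http; reference:cve,2011-0608; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18505; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionConstantPool overflow attempt"; flow:established,to_client; flowbits:isset,file.swf; content:"|61 79 00 70 75 73 68 00 6E 20 6D 65 00 76 61 6C 75 65 00 3F|"; fast_pattern:only; metadata:service http; reference:cve,2011-0607; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18504; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript Actionlf out of range negative offset attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"|3F 03 07 00 00 00 12 9D 02 00 12 B1 00|"; fast_pattern:only; metadata:service http; reference:cve,2011-0560; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18502; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player forged atom type attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"|3A|MainTimeline|01|c|03|foo|06|frame1|08|restrict|03|Foo|0E|addFrameScript|06|"; fast_pattern:only; reference:cve,2011-0574; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18444; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript beginGradientFill memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"Matrix|00|"; content:"beginGradientFill|00|"; distance:0; content:"|96 13 00 05 00 04 05 04 03 04 04 08 03 07 05 00 00 00 04 01 08 04 52|"; distance:0; metadata:service http; reference:cve,2011-0561; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18421; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript remote code execution attempt"; flow:to_client,established; content:"|3F 03 4E 00 00 00 88 26 00 04 00 66 6C 61 73 68 00 64 69 73 70 6C 61 79 00 42 69 74 6D 61 70 44 61 74 61 00 6C 6F 61 64 42 69 74 6D 61 70 00 8B 02 00 72 00 96 09 00 08 00 07 01 00 00 00 08 00 1C 96 02 00 08 01 4E 96 02 00 08 02 4E 96 02 00 08 03 52|"; fast_pattern:only; metadata:service http; reference:bugtraq,44684; reference:cve,2010-3648; reference:url,www.adobe.com/support/security/bulletins/apsb10-26.html; classtype:attempted-user; sid:18180; rev:5;)

# Disabled: request-side check (flow:to_server, destination $HTTP_PORTS), CVE-2009-3792.
# After the literal "rtmpt://" the pcre (R = relative to the previous match) requires one or
# more non-NUL bytes followed by "/../".
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player directory traversal attempt"; flow:to_server,established; content:"rtmpt|3A|//"; pcre:"/^[^\x00]+\x2f\x2e\x2e\x2f/R"; metadata:service http; reference:bugtraq,37420; reference:cve,2009-3792; reference:url,www.adobe.com/support/security/bulletins/apsb09-18.html; classtype:attempted-admin; sid:16337; rev:7;)

# Disabled: BitmapData shader bit information disclosure (CVE-2015-3108), classtype
# misc-attack. Two byte patterns, each in both directions; no flowbits check.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData shader bit information disclosure attempt"; flow:to_server,established; file_data; content:"|ED 4E F5 F3 FA E3 E2 A8 EF 7A 51 95 79 0F 36 7A 94 06 55 5D 1F 0E 87 E5 E1 BD B2 1F 76 F5 AD ED|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3108; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:misc-attack; sid:34861; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData shader bit information disclosure attempt"; flow:to_server,established; file_data; content:"|08 D7 5D 09 4A 09 00 80 09 2A 63 04 D1 61 0A D3 D2 61 0B D3 25 80 01 61 0C D3 25 80 01 61 0D D3|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3108; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:misc-attack; sid:34860; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData shader bit information disclosure attempt"; flow:to_client,established; file_data; content:"|ED 4E F5 F3 FA E3 E2 A8 EF 7A 51 95 79 0F 36 7A 94 06 55 5D 1F 0E 87 E5 E1 BD B2 1F 76 F5 AD ED|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3108; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:misc-attack; sid:34859; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData shader bit information disclosure attempt"; flow:to_client,established; file_data; content:"|08 D7 5D 09 4A 09 00 80 09 2A 63 04 D1 61 0A D3 D2 61 0B D3 25 80 01 61 0C D3 25 80 01 61 0D D3|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3108; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:misc-attack; sid:34858; rev:2;)

# Enabled (drop in balanced/max-detect/security policies): ShaderParameter out of bounds
# write (CVE-2015-3105). No flowbits check.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt"; flow:to_server,established; file_data; content:"|0B 90 2D 4A 10 D8 D2 EE 9C 1B 04 34 17 8D E6 92 D1 CC 19 CD 65 A3 B9 62 34 45 F6 FB 0A AC C7 57 47 60 D4 1B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,75086; reference:cve,2015-3105; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34856; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt"; flow:to_client,established; file_data; content:"|0B 90 2D 4A 10 D8 D2 EE 9C 1B 04 34 17 8D E6 92 D1 CC 19 CD 65 A3 B9 62 34 45 F6 FB 0A AC C7 57 47 60 D4 1B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,75086; reference:cve,2015-3105; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34855; rev:3;)

# Enabled (drop in balanced/max-detect/security policies): custom TextField filter use after
# free (CVE-2015-3106). No flowbits check.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash custom TextField filter use after free attempt"; flow:to_server,established; file_data; content:"|04 00 04 01 08 06 4E 96 0B 00 08 03 06 00 00 00 00 00 00 00 00 42 4F 96 09 00 06 00 00 00 00 00 00 00 00 87 01 00 02 17 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3106; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34854; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash custom TextField filter use after free attempt"; flow:to_client,established; file_data; content:"|04 00 04 01 08 06 4E 96 0B 00 08 03 06 00 00 00 00 00 00 00 00 42 4F 96 09 00 06 00 00 00 00 00 00 00 00 87 01 00 02 17 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3106; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34853; rev:2;)

# Enabled (drop in balanced/max-detect/security policies): Shader Channel integer overflow
# (CVE-2015-3104). Two byte patterns, each in both directions, gated on file.swf.
# The bulletin reference in these four rules uses the flash-player/ path, the same apsb15-11
# URL the neighbouring rules cite; the shipped text pointed at .../products/reader/apsb15-11.html.
# Only the reference option differs from the shipped rule - detection options, sid and rev
# are untouched, so record this as a local modification when syncing with upstream.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Shader Channel integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|71 9C 00 93 84 29 9F AA C7 2A 98 A8 F7 4C E5 02 27 0D A5 B3 D4 59 2E 4E F6 71 6A 7E 5C 89 8F 2F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3104; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34851; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Shader Channel integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|71 9C 00 93 84 29 9F AA C7 2A 98 A8 F7 4C E5 02 27 0D A5 B3 D4 59 2E 4E F6 71 6A 7E 5C 89 8F 2F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3104; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34850; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Shader Channel integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|62 04 25 80 20 15 EA FF FF 5D 08 4A 08 00 80 08 63 05 5D 09 4A 09 00 80 09 2A 63 06 D1 61 0A 62|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3104; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34849; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Shader Channel integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|62 04 25 80 20 15 EA FF FF 5D 08 4A 08 00 80 08 63 05 5D 09 4A 09 00 80 09 2A 63 06 D1 61 0A 62|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3104; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34848; rev:2;)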
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player invalid URL encoding exploit attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|7C 59 3F 6A DF A2 46 CA 90 8D B2 6E 0D 57 F3 6F 5B B8 B7 D6 76 F7 53 BB 89 DD 97 29 90 83 F2 BA 5C|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3102; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34839; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player invalid URL encoding exploit attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|5D 06 66 06 2C 11 2C 12 42 02 80 06 D6 F0 15 D2 D1 46 07 01 5D 08 66 08 87 80 08 D7 F0 16 D3 76 12 0B 00 00 F0|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3102; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34838; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid URL encoding exploit attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|7C 59 3F 6A DF A2 46 CA 90 8D B2 6E 0D 57 F3 6F 5B B8 B7 D6 76 F7 53 BB 89 DD 97 29 90 83 F2 BA 5C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3102; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34837; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid URL encoding exploit attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|5D 06 66 06 2C 11 2C 12 42 02 80 06 D6 F0 15 D2 D1 46 07 01 5D 08 66 08 87 80 08 D7 F0 16 D3 76 12 0B 00 00 F0|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3102; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34836; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player concurrent worker thread terminate use-after-free attempt"; flow:to_server,established; file_data; content:"|CB E0 D4 E0 EA 7B CA DE 10 96 8D 58 FE C4 0F 88 93 8C 62 C8 1D D9 F6 6B 3A 58 0D 86 FC 8C 32 2E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3103; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34822; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player concurrent worker thread terminate use-after-free attempt"; flow:to_client,established; file_data; content:"|CB E0 D4 E0 EA 7B CA DE 10 96 8D 58 FE C4 0F 88 93 8C 62 C8 1D D9 F6 6B 3A 58 0D 86 FC 8C 32 2E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3103; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34821; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player concurrent worker thread terminate use-after-free attempt"; flow:to_server,established; file_data; content:"|66 09 66 10 12 13 00 00 D0 4F 07 00 10 01 00 00 09 24 01 11 F9 FF FF 10 04 00 00 D0 4F 06 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3103; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34820; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player concurrent worker thread terminate 
use-after-free attempt"; flow:to_client,established; file_data; content:"|66 09 66 10 12 13 00 00 D0 4F 07 00 10 01 00 00 09 24 01 11 F9 FF FF 10 04 00 00 D0 4F 06 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3103; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34819; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash FPU stack corruption attempt"; flow:to_server,established; file_data; content:"|60 01 66 0B 82 D5 60 01 66 0C 82 D6 60 01 66 0D 82 D7 60 01 66 0E 82 63 04 60 01 66 0F 82 63 05 60 01 66|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3100; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34817; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash FPU stack corruption attempt"; flow:to_client,established; file_data; content:"|60 01 66 0B 82 D5 60 01 66 0C 82 D6 60 01 66 0D 82 D7 60 01 66 0E 82 63 04 60 01 66 0F 82 63 05 60 01 66|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3100; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34816; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Security.allowDomain cross domain policy bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"Security|0B|allowDomain"; fast_pattern:only; content:"|D0 30 64 60 12 30 60 0D 30 60 0B 30 60 0A 30 60 08 30 60 09 30 60 06 2A 30 58 00|"; metadata:service smtp; 
reference:cve,2015-3099; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:policy-violation; sid:34815; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Security.allowDomain cross domain policy bypass attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"Security|0B|allowDomain"; fast_pattern:only; content:"|D0 30 64 60 12 30 60 0D 30 60 0B 30 60 0A 30 60 08 30 60 09 30 60 06 2A 30 58 00|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3099; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:policy-violation; sid:34814; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Security.allowDomain cross domain policy bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|A8 A2 01 D2 10 01 C4 1E DC 58 9E 5D B5 EC 75 CB 2E 58 F6 9A 65 33 CB CE 5B B6 FE D0 FA 80 6A 59|"; metadata:service smtp; reference:cve,2015-3099; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:policy-violation; sid:34813; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Security.allowDomain cross domain policy bypass attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A8 A2 01 D2 10 01 C4 1E DC 58 9E 5D B5 EC 75 CB 2E 58 F6 9A 65 33 CB CE 5B B6 FE D0 FA 80 6A 59|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3099; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:policy-violation; sid:34812; rev:2;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player assumed trust URI reference to child file attempt"; flow:to_server,established; content:".swf?"; nocase; http_uri; content:"http"; 
within:10; nocase; http_uri; content:".swf"; within:50; nocase; http_uri; metadata:service http; reference:cve,2015-3098; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:34811; rev:1;)

# ---- CVE-2015-3084 (APSB15-09): NetConnection / NetStream type confusion ----
# Two byte signatures, each shipped as a pair: a to_server rule for $SMTP_SERVERS port 25
# and a to_client rule for $FILE_DATA_PORTS -> $HOME_NET (ftp-data, http, imap, pop3).
# Every rule is a single fast_pattern:only literal evaluated inside file_data, and only
# after flowbits:isset,file.swf is true.
# NOTE(review): nothing in this section sets file.swf; presumably a file-identification
# rule elsewhere does. If that setter is disabled these rules cannot fire - verify.
# NOTE(review): sid 34810 targets $SMTP_SERVERS 25 but lists "service ftp-data" next to
# "service smtp"; the other to_server rules in this group list only "service smtp".
# Confirm whether ftp-data is intended here.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection and NetStream type confusion exploit attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|01 25 91 17 1C 7B 9E 53 AB 33 94 D4 72 48 D8 93 1E 07 5E 87 86 21 CA 13 47 6A 1E 3D 90 8A 52 7B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2015-3084; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34810; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection and NetStream type confusion exploit attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|01 25 91 17 1C 7B 9E 53 AB 33 94 D4 72 48 D8 93 1E 07 5E 87 86 21 CA 13 47 6A 1E 3D 90 8A 52 7B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3084; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34809; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection and NetStream type confusion exploit attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 0C 00 04 02 04 01 07 02 00 00 00 04 03 03 52 17 96 02 00 08 07 26 96 02 00 04 04 3E 96 06 00 04 01 08 08 08 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3084; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34808; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection and NetStream type confusion exploit attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 0C 00 04 02 04 01 07 02 00 00 00 04 03 03 52 17 96 02 00 08 07 26 96 02 00 04 04 3E 96 06 00 04 01 08 08 08 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3084; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34807; rev:2;)

# ---- CVE-2015-0359 (APSB15-06, bugtraq 74067): thread write double-free ----
# Two byte signatures, again as SMTP / file-download pairs (sids 34806/34805, 34804/34803).
# NOTE(review): unlike the neighbouring rules, these four have no file_data option, so the
# literal is matched against the packet payload rather than the decoded file buffer.
# An SWF carried as an encoded mail attachment or in a compressed HTTP body would
# presumably not match. Compare with the upstream ruleset before relying on these sids
# for coverage of this CVE.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player thread write double-free attempt"; flow:to_server,established; flowbits:isset,file.swf; content:"|61 40 60 12 46 3F 00 60 0F 87 2C 47 46 41 01 80 42 63 07 60 43 64 62 07 24 00 66 2B 41 01 60 07 87 74 63 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74067; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34806; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player thread write double-free attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"|61 40 60 12 46 3F 00 60 0F 87 2C 47 46 41 01 80 42 63 07 60 43 64 62 07 24 00 66 2B 41 01 60 07 87 74 63 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,74067; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34805; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player thread write double-free attempt"; flow:to_server,established; flowbits:isset,file.swf; content:"|B1 47 42 68 90 6B 66 27 62 42 5B C2 29 46 99 63 BD 8C 5B 17 2F 24 AA E0 B8 27 BF 48 E5 00 F3 DA 58 5E 93 56|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74067; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34804; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player thread write double-free attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"|B1 47 42 68 90 6B 66 27 62 42 5B C2 29 46 99 63 BD 8C 5B 17 2F 24 AA E0 B8 27 BF 48 E5 00 F3 DA 58 5E 93 56|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,74067; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34803; rev:3;)

# ---- CVE-2015-0324 (APSB15-04, bugtraq 72514): JSON stringify memory corruption, SMTP ----
# sid 34797 is one contiguous fast_pattern:only literal inside file_data. The three shorter
# byte runs used by sid 34796 (next rule) all occur inside this literal, so 34797 is the
# stricter, exact-sequence form of the same signature.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player JSON stringify memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|60 05 D3 4F 06 01 5D 07 4A 07 00 80 07 2A 63 04 2C 0D 61 08 5D 09 62 04 4F 09 01 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72514; reference:cve,2015-0324; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:34797; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH 
Adobe Flash Player JSON stringify memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|4F 06 01 5D 07 4A 07 00 80 07|"; fast_pattern:only; content:"|61 08 5D 09|"; content:"|4F 09 01 47|"; within:10; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72514; reference:cve,2015-0324; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:34796; rev:3;)

# ---- CVE-2015-0324 (APSB15-04, bugtraq 72514): JSON stringify memory corruption, to_client ----
# sid 34795: one fast_pattern:only literal inside file_data.
# sid 34794: a 10-byte fast_pattern:only literal, then "|61 08 5D 09|" anywhere in
# file_data, then "|4F 09 01 47|" shortly after it (distance:1; within:10).
# Both require flowbits:isset,file.swf, which is not set anywhere in this section.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player JSON stringify memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D5 4C 23 ED C7 B8 6D BA 74 27 93 B9 56 55 95 99 A8 E5 DA 7A 20 A9 2A 12 D1 49 9F 18 D4 91 0A F9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72514; reference:cve,2015-0324; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:34795; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player JSON stringify memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|4F 06 01 5D 07 4A 07 00 80 07|"; fast_pattern:only; content:"|61 08 5D 09|"; content:"|4F 09 01 47|"; within:10; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72514; reference:cve,2015-0324; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:34794; rev:3;)

# ---- CVE-2015-3113 (APSB15-14): malformed FLV buffer overflow ----
# Structural rule, not a sample literal. Option chain, all inside file_data:
#   content:"FLV"; depth:3                 - file_data begins with the bytes "FLV"
#   byte_test:1,&,0x4,1,relative           - the byte 1 past "FLV" has bit 0x04 set
#   content:"|08|"; distance:0             - a 0x08 byte somewhere after that
#   byte_test:3,>,1024,0,relative          - the 3 bytes right after 0x08 are > 1024
#   content:"|00|"; within:1; distance:3   - the byte after those 3 bytes is 0x00
#   content:"|00 00 00|"; within:3; distance:3 - skip 3 more bytes, then three 0x00 bytes
#   byte_test:1,!&,2,0,relative            - the next byte has bit 0x02 clear
#   isdataat:50,relative; content:!"|00|"; within:50 - 50 more bytes exist, none is 0x00
# Presumably these line up with the FLV header flags, an audio tag (type 8), its data
# size, timestamp and stream id fields - confirm against the FLV format specification.
# NOTE(review): the longest content in this rule is 3 bytes, so the fast-pattern prefilter
# is weak; it will presumably be evaluated on many FLV transfers. Check its cost and
# false-positive rate in your environment before leaving it in drop mode.
# NOTE(review): sid 34989 uses destination port "any" where the other to_server rules in
# this section use 25; the "service smtp" metadata may be what scopes it - confirm that
# the difference is intentional.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt"; flow:to_server,established; file_data; content:"FLV"; depth:3; byte_test:1,&,0x4,1,relative; content:"|08|"; distance:0; byte_test:3,>,1024,0,relative; content:"|00|"; within:1; distance:3; content:"|00 00 00|"; within:3; distance:3; byte_test:1,!&,2,0,relative; isdataat:50,relative; content:!"|00|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3113; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:attempted-user; sid:34989; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt"; flow:to_client,established; file_data; content:"FLV"; depth:3; byte_test:1,&,0x4,1,relative; content:"|08|"; distance:0; byte_test:3,>,1024,0,relative; content:"|00|"; within:1; distance:3; content:"|00 00 00|"; within:3; distance:3; byte_test:1,!&,2,0,relative; isdataat:50,relative; content:!"|00|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3113; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:attempted-user; sid:34988; rev:4;)

# ---- CVE-2015-0311 (APSA15-01, bugtraq 72283): ByteArray uncompress domainMemory use after free ----
# One fast_pattern:only literal inside file_data, gated on flowbits:isset,file.swf.
# The metadata sets drop in the connectivity-ips policy as well as the other three.
# NOTE(review): a single long literal matches one exact byte sequence; a re-encoded or
# re-compressed file carrying the same bug would presumably not match. Treat this as
# sample-level coverage rather than generic detection of the vulnerability.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|7E C9 C8 CF 0F 3D D6 A1 38 2F AB 7C 0C C6 A2 7E 60 6D C7 B9 53 D1 5A DB 7E 13 25 5D B0 45 D5 9C F3 3B 57 7D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:35049; rev:3;)
alert tcp $EXTERNAL_NET 
$FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|7E C9 C8 CF 0F 3D D6 A1 38 2F AB 7C 0C C6 A2 7E 60 6D C7 B9 53 D1 5A DB 7E 13 25 5D B0 45 D5 9C F3 3B 57 7D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:35048; rev:3;)

# ---- CVE-2015-5119 (APSA15-03): remote code execution ----
# Six rules in three signature pairs (SMTP / file download):
#   35089/35087 - chain of five short contents tied together with within/distance;
#                 the 6-byte "|10 16 00 00 09 60|" is the declared fast_pattern
#   35088/35086 - one fast_pattern:only literal
#   35096/35095 - one fast_pattern:only literal
# All require flowbits:isset,file.swf and use classtype attempted-admin. Each carries a
# virustotal.com reference whose URL embeds a file hash.
# NOTE(review): every rule in this group is commented out with a leading "#", yet its
# metadata still assigns drop in the max-detect-ips and security-ips policies. Whether
# the rules load presumably depends on how the rule manager applies policy metadata
# versus the "#" state. Confirm they are active wherever coverage for this CVE is expected.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|25 80 22 61|"; content:"|10 16 00 00 09 60|"; within:6; distance:2; fast_pattern; content:"|D1 60|"; within:2; distance:2; content:"|53 01 25 F0 07 42 01|"; within:7; distance:4; content:"|15 DF FF FF 24 40 48|"; within:7; distance:12; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:35089; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|54 6A 8F 24 F4 26 DE 58 A3 26 FE AB 65 09 F0 79 DF D4 D5 A1 7C 72 96 83 7A 81 9F 2B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:35088; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|25 80 22 61|"; content:"|10 16 00 00 09 60|"; within:6; distance:2; fast_pattern; content:"|D1 60|"; within:2; distance:2; content:"|53 01 25 F0 07 42 01|"; within:7; distance:4; content:"|15 DF FF FF 24 40 48|"; within:7; distance:12; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:35087; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|54 6A 8F 24 F4 26 DE 58 A3 26 FE AB 65 09 F0 79 DF D4 D5 A1 7C 72 96 83 7A 81 9F 2B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:35086; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|7E CA DC 4F 99 FB 29 73 7F 9B 36 5A E2 E5 57 30 DA E8 C9 9C 76 5D F3 F2 0B F2 1E 7D 02 23 5D 0A 3A E4|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:35096; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|7E CA DC 4F 99 FB 29 73 7F 9B 36 5A E2 E5 57 30 DA E8 C9 9C 76 5D F3 F2 0B F2 1E 7D 02 23 5D 0A 3A E4|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:35095; rev:2;)

# ---- CVE-2015-5123 (APSA15-04): BitmapData use-after-free, literal-signature pair ----
# sids 35220/35219 match one fast_pattern:only literal inside file_data and, unlike the
# rules above, carry no flowbits:isset check, so they do not depend on a file-type
# flowbit having been set first.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData use-after-free attempt"; flow:to_server,established; file_data; content:"|6E 5E 5B 68 E2 52 62 51 65 04 66 4F 31 81 E7 26 42 C4 7F 51 EA 33 FA 06 5F 21 E4 FF 82 17 03 DD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5123; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:35220; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData use-after-free attempt"; flow:to_client,established; file_data; content:"|6E 5E 5B 68 E2 52 62 51 65 04 66 4F 31 81 E7 26 42 C4 7F 51 EA 33 FA 06 5F 21 E4 FF 82 17 03 DD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, 
service ftp-data, service http, service imap, service pop3; reference:cve,2015-5123; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:35219; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"valueOf"; content:"BitmapData"; nocase; content:"|25 FF 01 15 CB FF FF|"; content:"|25 FF 01|"; within:25; content:"|25 FF 01|"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5123; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:35218; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"valueOf"; content:"BitmapData"; nocase; content:"|25 FF 01 15 CB FF FF|"; content:"|25 FF 01|"; within:25; content:"|25 FF 01|"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5123; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:35217; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|56 00 68 0E D0 49 00 5D 28 2C 32 4A 28 01 80 28 D5 D0 5D 0C D1 4A 0C 01 68 0B D0 66 0B 60 29 66 2A 61 2B|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2416; reference:cve,2015-2417; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-075; classtype:attempted-user; sid:35189; rev:2;) # alert tcp $EXTERNAL_NET any -> 
$SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|46 28 95 56 F3 EB 13 E1 43 41 AA 63 99 56 DA 98 8C 26 B3 9A E1 4F A4 8D 1D FF 88 3F 7A A8 CF A4|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2416; reference:cve,2015-2417; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-075; classtype:attempted-user; sid:35188; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|56 00 68 0E D0 49 00 5D 28 2C 32 4A 28 01 80 28 D5 D0 5D 0C D1 4A 0C 01 68 0B D0 66 0B 60 29 66 2A 61 2B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2416; reference:cve,2015-2417; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-075; classtype:attempted-user; sid:35187; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|46 28 95 56 F3 EB 13 E1 43 41 AA 63 99 56 DA 98 8C 26 B3 9A E1 4F A4 8D 1D FF 88 3F 7A A8 CF A4|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2416; reference:cve,2015-2417; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-075; classtype:attempted-user; sid:35186; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Microsoft Internet Explorer IDataObject bitmap data conversion integer overflow attempt"; flow:to_server,established; file_data; content:"|52 24 D8 F2 20 80 26 76 F7 41 94 CD 1C E2 5B 38 24 C0 0F 49 F1 04 87 A4 36 0E 91 93 1C 92 DB 39|"; fast_pattern:only; metadata:service smtp; 
reference:cve,2015-2364; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-072; classtype:attempted-user; sid:35163; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Microsoft Internet Explorer IDataObject bitmap data conversion integer overflow attempt"; flow:to_client,established; file_data; content:"|52 24 D8 F2 20 80 26 76 F7 41 94 CD 1C E2 5B 38 24 C0 0F 49 F1 04 87 A4 36 0E 91 93 1C 92 DB 39|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2364; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-072; classtype:attempted-user; sid:35162; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Microsoft Internet Explorer IDataObject bitmap data conversion integer overflow attempt"; flow:to_server,established; file_data; content:"|30 5D 4A 60 44 30 60 06 30 60 1F 30 60 1F 58 03 1D 1D 1D 68 21 47 00 00 15 01 01 01 02 03 D0 30|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2364; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-072; classtype:attempted-user; sid:35161; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Microsoft Internet Explorer IDataObject bitmap data conversion integer overflow attempt"; flow:to_client,established; file_data; content:"|30 5D 4A 60 44 30 60 06 30 60 1F 30 60 1F 58 03 1D 1D 1D 68 21 47 00 00 15 01 01 01 02 03 D0 30|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2364; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-072; classtype:attempted-user; sid:35160; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SharedObject type confusion attempt"; flow:to_server,established; file_data; content:"|4E C7 69 6E 73 9A FF 0F B4 15 EB 82 76 22 82 F3 40 1F D9 35 D4 5A CB 72 5A 5E B5 55 2B 7B F5 19|"; 
fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3121; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35299; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SharedObject type confusion attempt"; flow:to_client,established; file_data; content:"|4E C7 69 6E 73 9A FF 0F B4 15 EB 82 76 22 82 F3 40 1F D9 35 D4 5A CB 72 5A 5E B5 55 2B 7B F5 19|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3121; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35298; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SharedObject type confusion attempt"; flow:to_server,established; file_data; content:"|08 02 1C 96 02 00 08 03 52 3C 96 02 00 08 04 1C 96 09 00 08 05 07 02 00 00 00 08 01 1C 96 02 00 08 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3121; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35297; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SharedObject type confusion attempt"; flow:to_client,established; file_data; content:"|08 02 1C 96 02 00 08 03 52 3C 96 02 00 08 04 1C 96 09 00 08 05 07 02 00 00 00 08 01 1C 96 02 00 08 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3121; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; 
sid:35296; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SharedObject array.prototype.push use after free attempt"; flow:to_server,established; file_data; content:"|FB F7 65 A2 F9 4C 32 10 89 E4 1F 1C 8E 24 63 FE 11 D5 0D 9F B5 69 27 E9 64 94 EE 1B 3D 70 EA D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3127; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35295; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SharedObject array.prototype.push use after free attempt"; flow:to_client,established; file_data; content:"|FB F7 65 A2 F9 4C 32 10 89 E4 1F 1C 8E 24 63 FE 11 D5 0D 9F B5 69 27 E9 64 94 EE 1B 3D 70 EA D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3127; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35294; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SharedObject array.prototype.push use after free attempt"; flow:to_server,established; file_data; content:"|96 09 00 06 00 00 00 00 00 00 00 00 42 3C|"; content:"|96 02 00 08 09 4E 96 05 00 07 02 00 00 00 96 02 00 08|"; within:50; content:"|4E 96 02 00 08 03 52|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3127; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35293; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SharedObject array.prototype.push use after free attempt"; flow:to_client,established; file_data; 
content:"|96 09 00 06 00 00 00 00 00 00 00 00 42 3C|"; content:"|96 02 00 08 09 4E 96 05 00 07 02 00 00 00 96 02 00 08|"; within:50; content:"|4E 96 02 00 08 03 52|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3127; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35292; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SharedObject array.prototype.push use after free attempt"; flow:to_server,established; file_data; content:"|EC 7E DC 90 37 9C EA C6 F6 20 6F DB FB 77 ED 2C 19 7D 62 DF 3F C0 CD CF D4 4F 0F 64 F8 65 F1 E7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3127; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35291; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SharedObject array.prototype.push use after free attempt"; flow:to_client,established; file_data; content:"|EC 7E DC 90 37 9C EA C6 F6 20 6F DB FB 77 ED 2C 19 7D 62 DF 3F C0 CD CF D4 4F 0F 64 F8 65 F1 E7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3127; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35290; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player universal allowDomain command proxying attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|4D 06 C8 9B 12 C7 2D 9B 76 E6 2A BF FD 6C 82 99 07 BF FB DD C7 6B 64 45 90 95 22 5C C3 B2 03 57|"; fast_pattern:only; metadata:service smtp; 
reference:cve,2015-3116; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:policy-violation; sid:35289; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player universal allowDomain command proxying attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|4D 06 C8 9B 12 C7 2D 9B 76 E6 2A BF FD 6C 82 99 07 BF FB DD C7 6B 64 45 90 95 22 5C C3 B2 03 57|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3116; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:policy-violation; sid:35288; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player universal allowDomain command proxying attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"System|00|security|00|*|00|allowDomain"; fast_pattern:only; content:"|96 04 00 08 10 08 0B 1C|"; metadata:service smtp; reference:cve,2015-3116; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:policy-violation; sid:35287; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player universal allowDomain command proxying attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"System|00|security|00|*|00|allowDomain"; fast_pattern:only; content:"|96 04 00 08 10 08 0B 1C|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3116; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:policy-violation; sid:35286; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player cross-site information disclosure attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|66 0B 65 01 6C 02 4F 1A 01 10 20 00 00 D0 30 D1 30 5A 00 2A D6 2A 30 2B 6D 01 5D 
14 2C 28 65 02|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-0578; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35285; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player cross-site information disclosure attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|5D 41 52 1A 49 57 91 74 0D 49 A3 48 CA 20 78 1D C1 1B 08 8E C9 37 21 42 0F 10 1C 47 F0 11 82 13|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-0578; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35284; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player cross-site information disclosure attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|66 0B 65 01 6C 02 4F 1A 01 10 20 00 00 D0 30 D1 30 5A 00 2A D6 2A 30 2B 6D 01 5D 14 2C 28 65 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0578; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35283; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player cross-site information disclosure attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|5D 41 52 1A 49 57 91 74 0D 49 A3 48 CA 20 78 1D C1 1B 08 8E C9 37 21 42 0F 10 1C 47 F0 11 82 13|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0578; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35282; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D4 D8 
78 F7 18 85 22 09 AC EC 0C 6A 3E 7C 67 08 16 22 E2 42 08 44 45 44 72 F5 51 74 8B B5 51 CC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3119; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35278; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D4 D8 78 F7 18 85 22 09 AC EC 0C 6A 3E 7C 67 08 16 22 E2 42 08 44 45 44 72 F5 51 74 8B B5 51 CC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3119; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35277; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 04 00 04 01 08 09 4E 96 04 00 08 11 08 0B 1C 96 02 00 08 0C 4E 96 02 00 08 0D|"; fast_pattern:only; content:"|96 0B 00 06 00 00 00 00 00 00 00 00 08 04 40|"; content:"|96 0B 00 08 02 07 02 00 00 00 04 01 08 06 52|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3119; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35276; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 04 00 04 01 08 09 4E 96 04 00 08 11 08 0B 1C 96 02 00 08 0C 4E 96 02 00 08 0D|"; fast_pattern:only; content:"|96 0B 00 06 00 00 
00 00 00 00 00 00 08 04 40|"; content:"|96 0B 00 08 02 07 02 00 00 00 04 01 08 06 52|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3119; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35275; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player buildTraitsBindings null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|5B C6 B5 00 36 34 9B B6 51 0A B3 78 43 C7 C6 8D 2F A9 12 1F 93 F2 2C 2E 6C 7F F6 B0 73 C5 ED CF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3117; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-dos; sid:35274; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player buildTraitsBindings null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|5B C6 B5 00 36 34 9B B6 51 0A B3 78 43 C7 C6 8D 2F A9 12 1F 93 F2 2C 2E 6C 7F F6 B0 73 C5 ED CF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3117; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-dos; sid:35273; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player buildTraitsBindings null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|03 2D 00 AF 02 F2 04 2D 00 B0 02 11 03 70 B1 02 11 04 71 B2 02 00 05 12 00 B4 01 00 B7 01 00 BA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips 
drop, policy security-ips drop, service smtp; reference:cve,2015-3117; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-dos; sid:35272; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player buildTraitsBindings null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|03 2D 00 AF 02 F2 04 2D 00 B0 02 11 03 70 B1 02 11 04 71 B2 02 00 05 12 00 B4 01 00 B7 01 00 BA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3117; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-dos; sid:35271; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player textfield filter use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|67 B0 AC D2 62 FC 24 B5 B7 2A 44 9B BE 07 CA FA 87 0E 5B 11 2B 3C C5 46 8A B1 05 E5 5E AA 1D 6D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3118; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35270; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player textfield filter use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|67 B0 AC D2 62 FC 24 B5 B7 2A 44 9B BE 07 CA FA 87 0E 5B 11 2B 3C C5 46 8A B1 05 E5 5E AA 1D 6D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3118; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; 
classtype:attempted-user; sid:35269; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player textfield filter use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 24 00 08 09 07 04 00 00 00 07 03 00 00 00 07 02 00 00 00 07 01 00 00 00 07 01 00 00 00 08 00 07 06 00 00 00 08 02 3D|"; fast_pattern:only; content:"|4E 96 02 00 08 02|"; content:"|96 04 00 08 15 08 11|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3118; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35268; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player textfield filter use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 24 00 08 09 07 04 00 00 00 07 03 00 00 00 07 02 00 00 00 07 01 00 00 00 07 01 00 00 00 08 00 07 06 00 00 00 08 02 3D|"; fast_pattern:only; content:"|4E 96 02 00 08 02|"; content:"|96 04 00 08 15 08 11|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3118; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35267; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|65 01 24 00 6D 01|"; content:"|25 90 03 24 04 A3 24 02 A1|"; fast_pattern:only; content:"|53 01 24 08 42 01|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-admin; sid:35266; rev:2;) # alert tcp $EXTERNAL_NET any -> 
$SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|54 32 9B 93 23 47 9F 9C CA 0D BB A8 F8 9D A3 D8 7F 7A E8 57 BF DC B0 96 58 6E|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-admin; sid:35265; rev:2;)
# The CVE-2015-5122 "remote code execution attempt" rules in this group (sid:35264 through
# sid:35261) are prefixed with "# alert", i.e. they are commented out (disabled) in this file
# even though their metadata lists drop actions for the max-detect and security policies.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|03 90 36 3A 1A C8 F8 E5 45 D9 03 11 1F 7B 45 CB 3B E4 CD BF EA 11 1F AF 2C C9|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-admin; sid:35264; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|65 01 24 00 6D 01|"; content:"|25 90 03 24 04 A3 24 02 A1|"; fast_pattern:only; content:"|53 01 24 08 42 01|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-admin; sid:35263; rev:2;)
# NOTE(review): in sid:35262 and sid:35261 the content option is written BEFORE file_data,
# while the SMTP counterparts carrying the same byte patterns (sid:35265, sid:35264) put
# file_data first. With this ordering the content match presumably runs against the packet
# payload rather than the file-data buffer, so transfers that are encoded or compressed on
# the wire may not match. Confirm the intended option order before enabling these rules.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"|54 32 9B 93 23 47 9F 9C CA 0D BB A8 F8 9D A3 D8 7F 7A E8 57 BF DC B0 96 58 6E|"; file_data; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-admin; sid:35262; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"|03 90 36 3A 1A C8 F8 E5 45 D9 03 11 1F 7B 45 CB 3B E4 CD BF EA 11 1F AF 2C C9|"; file_data; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-admin; sid:35261; rev:2;)
# The CVE-2015-3128 rules below are active. Each one tests flowbits:isset,file.cws (or
# file.swf in the variants that follow) and no rule in this part of the file sets that flowbit,
# so they can only fire when the rule that sets it is loaded and enabled as well.
# The single 32-byte content in sid:35238/35237 is the only match condition.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|C5 7E 6C 65 08 99 AF 00 AF 7F 03 BC 4B 41 E3 CD 2E 00 7C 7F BB 9B 01 A8 44 6E C7 6E 37 9A EA D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3128; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35238; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|C5 7E 6C 65 08 99 AF 00 AF 7F 03 BC 4B 41 E3 CD 2E 00 7C 7F BB 9B 01 A8 44 6E C7 6E 37 9A EA D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3128; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35237; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free 
attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 02 52 87 01 00 01 17 96 0D 00 06 00 00 00 00 00 00 00 00 04 01 08 03 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3128; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35236; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 02 52 87 01 00 01 17 96 0D 00 06 00 00 00 00 00 00 00 00 04 01 08 03 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3128; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35235; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|52 49 CE 64 E5 6C 36 C5 10 29 7F E0 04 B8 9F 72 FC A3 64 45 12 0A 35 E2 EB 9E E9 06 26 75 24 7E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3128; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35234; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|52 49 CE 64 E5 6C 36 C5 10 29 7F E0 04 B8 9F 72 FC A3 64 45 12 0A 35 E2 EB 9E E9 06 26 75 24 7E|"; fast_pattern:only; metadata:policy balanced-ips drop, 
policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3128; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35233; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 02 52 87 01 00 01 17 96 02 00 04 01 26 96 0D 00 06 00 00 00 00 00 00 00 00 04 01 08 03 52 17 96 05 00 07 09 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3128; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35232; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 02 52 87 01 00 01 17 96 02 00 04 01 26 96 0D 00 06 00 00 00 00 00 00 00 00 04 01 08 03 52 17 96 05 00 07 09 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3128; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35231; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 03 52 87 01 00 02 17 96 02 00 04 02 26 96 0D 00 06 00 00 00 00 00 00 00 00 04 02 08 04 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3128; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35230; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|CF 62 A3 8D 7B 64 2B 93 99 CA 0E 5D FF 54 D6 0B 73 86 85 DB 28 67 62 57 18 1A BE 20 E5 44 81 E9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3128; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35229; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 03 52 87 01 00 02 17 96 02 00 04 02 26 96 0D 00 06 00 00 00 00 00 00 00 00 04 02 08 04 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3128; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35228; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|CF 62 A3 8D 7B 64 2B 93 99 CA 0E 5D FF 54 D6 0B 73 86 85 DB 28 67 62 57 18 1A BE 20 E5 44 81 E9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3128; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35227; rev:2;) alert tcp $EXTERNAL_NET any -> 
$SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|52 4D 1A 8C 82 D0 93 74 AD DE 44 97 BD 2B 34 62 65 77 4B 53 D4 7A 4D C9 7E FB 7D 55 31 D4 86 51|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3128; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35226; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|52 4D 1A 8C 82 D0 93 74 AD DE 44 97 BD 2B 34 62 65 77 4B 53 D4 7A 4D C9 7E FB 7D 55 31 D4 86 51|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3128; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35225; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 02 52 3C 96 0D 00 08 03 06 00 00 00 00 00 00 00 00 08 04 40 3C 96 02 00 08 03 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3128; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35224; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player valueOf and toString use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 02 52 3C 96 0D 00 08 03 06 00 00 00 
00 00 00 00 00 08 04 40 3C 96 02 00 08 03 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3128; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35223; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player cross-site file download attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|D0 30 D0 5D 0F 4A 0F 00 68 0E D0 D0 66 0E 4F 11 01 D0 66 0E D0 66 0B D0 66 0D 4F 2B 02 47 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-3114; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35379; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player cross-site file download attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|70 01 C0 41 F0 85 81 8F 00 8E 02 3F 04 42 1C F8 04 F0 C3 20 8C 00 3F 0A FC 18 F0 49 E0 C7 81 9F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-3114; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35378; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player cross-site file download attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|D0 30 D0 5D 0F 4A 0F 00 68 0E D0 D0 66 0E 4F 11 01 D0 66 0E D0 66 0B D0 66 0D 4F 2B 02 47 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3114; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35377; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 
$HOME_NET any (msg:"FILE-FLASH Adobe Flash Player cross-site file download attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|70 01 C0 41 F0 85 81 8F 00 8E 02 3F 04 42 1C F8 04 F0 C3 20 8C 00 3F 0A FC 18 F0 49 E0 C7 81 9F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3114; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:35376; rev:3;)
# NOTE(review): the four CVE-2015-0359 "thread write double-free" rules (sid:35367 through
# sid:35364) test flowbits:isset,file.swf but carry no file_data option, unlike the
# neighbouring rules in this file. Their single content is presumably matched against the
# packet payload rather than the file-data buffer, so an SWF that is encoded in transit
# (for example a mail attachment) may not be matched. Verify coverage before relying on them.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player thread write double-free attempt"; flow:to_server,established; flowbits:isset,file.swf; content:"|D6 24 00 D7 24 00 D6 D0 60 0C 66 3B 2C 11 46 48 01 61 0D D0 60 0C 66 3B 2C 0B 46 48 01 61 09 D0 60 0C 66 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:35367; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player thread write double-free attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"|D6 24 00 D7 24 00 D6 D0 60 0C 66 3B 2C 11 46 48 01 61 0D D0 60 0C 66 3B 2C 0B 46 48 01 61 09 D0 60 0C 66 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:35366; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player thread write double-free attempt"; flow:to_server,established; flowbits:isset,file.swf; content:"|7D 0E B3 39 51 B1 9A DD A0 46 C4 19 30 81 E3 1A 1A 5D 8C 23 31 7B CD AD 01 26 8C 54 A4 6C 16 83 2F 66 7B DA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:35365; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player thread write double-free attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"|7D 0E B3 39 51 B1 9A DD A0 46 C4 19 30 81 E3 1A 1A 5D 8C 23 31 7B CD AD 01 26 8C 54 A4 6C 16 83 2F 66 7B DA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0359; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:35364; rev:3;)
# The CVE-2015-5123 BitmapData.paletteMap rules spell the product as "Adobe flash player"
# (lower case) in msg, unlike the other rules in this file; alert filters and dashboards are
# safer keyed on sid than on the msg text.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|D3 95 A4 13 3A CF 4E F8 B1 58 71 7D 9E 74 36 AD 0B A1 AA 91 9E F4 45 75 AB 1D B6 44 B1 EE 8B D3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5123; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:35466; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|D3 95 A4 13 3A CF 4E F8 B1 58 71 7D 9E 74 36 AD 0B A1 AA 91 9E F4 45 75 AB 1D B6 44 B1 EE 8B D3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5123; 
reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:35465; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|15 E9 FF FF F0 19 D1 25 FF 01 D0 42 00 61 04|"; content:"|4A 07 00 5D 08 4A 08 00 D1|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5123; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:35464; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|15 E9 FF FF F0 19 D1 25 FF 01 D0 42 00 61 04|"; content:"|4A 07 00 5D 08 4A 08 00 D1|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5123; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:35463; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"FilePrivateNS"; fast_pattern:only; content:"opaqueBackground"; content:"recreateTextLine"; within:25; content:"TextBlock"; content:"createTextLine"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,75712; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-18.html; classtype:attempted-user; sid:35454; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any 
(msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"FilePrivateNS"; fast_pattern:only; content:"opaqueBackground"; content:"recreateTextLine"; within:25; content:"TextBlock"; content:"createTextLine"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,75712; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-18.html; classtype:attempted-user; sid:35453; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|18 3A 8F E8 31 75 F7 A2 24 97 CE 5C BA BC D4 49 95 9B 7C C3 C7 FF 94 39 68 BA 08 D9 CF 3B F9 AA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:35452; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|66 67 03 67 5B C9 BA E3 B4 37 34 ED F4 F4 34 7D BA 9A B6 EC 9A 96 C9 E5 72 9A 9E D5 B2 D9 15 44|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:35451; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|18 
3A 8F E8 31 75 F7 A2 24 97 CE 5C BA BC D4 49 95 9B 7C C3 C7 FF 94 39 68 BA 08 D9 CF 3B F9 AA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:35450; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|66 67 03 67 5B C9 BA E3 B4 37 34 ED F4 F4 34 7D BA 9A B6 EC 9A 96 C9 E5 72 9A 9E D5 B2 D9 15 44|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:35449; rev:2;)
# NOTE(review): sid:35548 through sid:35543 are commented out (disabled) in this file. They
# carry no reference option (no CVE or advisory URL) and no policy metadata, and share the
# generic msg "remote code execution attempt", so an analyst triaging one of these alerts has
# only the sid to go on. All six are to_client rules; each matches one fixed byte string in
# file_data behind a file.cws or file.swf flowbit check.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|C9 6B C8 5D 8C BB B6 EA D1 A2 A2 81 73 D5 02 D7 89 F5 0C ED AF E7 5F 5D 53 F3 49 AA 13 43 B9 D7|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35548; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|F4 CF 61 97 D6 34 9F 37 3E 6B FC A9 24 4A 39 CE 4D C1 10 EC DF 93 83 92 C0 B9 4A 2C 1E D8 54 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35547; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|1D 80 B8 88 46 3A 6D BB 62 E1 96 D0 5F A4 74 10 16 87 58 40 9B AE DA 23 AD FA BE 23 3F 87 FA 8C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35546; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D1 D0 66 0D 66 10 66 38 93 0E 05 00 00 D1 D1 A0 85 D5 D3 2A 63 05 D0 66 0D|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35545; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D0 30 21 82 D7 D0 2A 63 04 D0 66 02 66 08 66 06 62 04 D0 66 02 66 07 D0|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35544; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D0 66 23 66 10 66 39 62 06 62 04 41 01 08 06 AA 41 01 29 08 05 C2 04|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35543; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player slow script invalid pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|FF 09 92 04 00 00 82 00 37 00 93 06 06 01 00 80 00 C5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,76283; 
reference:cve,2015-5545; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35619; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player slow script invalid pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FF 09 92 04 00 00 82 00 37 00 93 06 06 01 00 80 00 C5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,76283; reference:cve,2015-5545; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35618; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player CreateTextField use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|5E 78 FA 78 22 3A 04 07 1E FC 3C 58 A9 00 8A 30 CB 82 02 27 B3 7D D8 85 C5 A5 64 8E E4 C7 6C EF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5556; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35610; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player CreateTextField use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|5E 78 FA 78 22 3A 04 07 1E FC 3C 58 A9 00 8A 30 CB 82 02 27 B3 7D D8 85 C5 A5 64 8E E4 C7 6C EF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5556; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35609; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
(msg:"FILE-FLASH Adobe Flash Player CreateTextField use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00 9B|"; content:"|96 02 00 08|"; within:50; content:"|26 96 0B 00 06 00 00 00 00 00 00 00 00 08|"; within:14; distance:1; fast_pattern; content:"|1C 96 02 00 08|"; within:5; distance:1; content:"|52 17 96 02 00 08|"; within:6; distance:1; content:"|3E 96|"; within:3; distance:1; content:"|07 01 00 00 00 08|"; within:10; distance:2; content:"|07 02 00 00 00 08|"; within:6; distance:1; content:"|1C 96 02 00 08|"; within:5; distance:1; content:"|52|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5556; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35608; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player CreateTextField use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00 9B|"; content:"|96 02 00 08|"; within:50; content:"|26 96 0B 00 06 00 00 00 00 00 00 00 00 08|"; within:14; distance:1; fast_pattern; content:"|1C 96 02 00 08|"; within:5; distance:1; content:"|52 17 96 02 00 08|"; within:6; distance:1; content:"|3E 96|"; within:3; distance:1; content:"|07 01 00 00 00 08|"; within:10; distance:2; content:"|07 02 00 00 00 08|"; within:6; distance:1; content:"|1C 96 02 00 08|"; within:5; distance:1; content:"|52|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5556; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35607; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player setAdvancedAntialiasingTable type confusion attempt"; 
flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D2 C7 A6 67 4D C9 48 E2 FD D3 33 33 D2 33 13 B2 52 D2 C7 DA F1 BE 69 69 7C 54 CA A8 E4 AC F1 7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5555; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35606; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player setAdvancedAntialiasingTable type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D2 C7 A6 67 4D C9 48 E2 FD D3 33 33 D2 33 13 B2 52 D2 C7 DA F1 BE 69 69 7C 54 CA A8 E4 AC F1 7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5555; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35605; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player setAdvancedAntialiasingTable type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 24 00 08 13 08 14 07 0A 00 00 00 08 15 06 8F C2 F9 3F C3 F5 28 5C 08 16 06 A3 70 0B C0 71 3D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5555; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35604; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player setAdvancedAntialiasingTable type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 24 00 08 13 08 14 07 0A 00 00 00 08 15 06 8F C2 F9 3F C3 F5 28 5C 08 16 06 A3 70 0B C0 71 3D|"; fast_pattern:only; 
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5555; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35603; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|3E DB A3 CD EB D1 FE C1 99 4B A5 3D EA 3B 6D 4F A7 08 5F 1D BE 30 8D 86 BA 6D FB 8C D8 3A DD D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3107; reference:cve,2015-5565; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35602; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3E DB A3 CD EB D1 FE C1 99 4B A5 3D EA 3B 6D 4F A7 08 5F 1D BE 30 8D 86 BA 6D FB 8C D8 3A DD D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3107; reference:cve,2015-5565; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35601; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|40 3C 96 06 00 08 0F 08 10 08 0D 1C 96 05 00 07 01 00 00 00 43 3C 96 02 00 08 0F 1C 96 04 00 08 11 08 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3107; 
reference:cve,2015-5565; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35600; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|40 3C 96 06 00 08 0F 08 10 08 0D 1C 96 05 00 07 01 00 00 00 43 3C 96 02 00 08 0F 1C 96 04 00 08 11 08 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3107; reference:cve,2015-5565; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35599; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player tag length buffer overflow attempt"; flow:to_server,established; file_data; content:"|C0 34 00 78 00 05 5F 00 00 0F A0 00 00 1E 32 00 BF 03 99 0A 00 00 09 00 26 2D 2F 00 00 7D 06 FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5131; classtype:attempted-user; sid:35593; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player tag length buffer overflow attempt"; flow:to_client,established; file_data; content:"|C0 34 00 78 00 05 5F 00 00 0F A0 00 00 1E 32 00 BF 03 99 0A 00 00 09 00 26 2D 2F 00 00 7D 06 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5131; classtype:attempted-user; sid:35592; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Google Chrome pepflashplayer SurfaceFilterList use-after-free attempt"; flow:to_server,established; file_data; content:"|96 06 00 08 1F 08 20 08 16 1C 96 04 00 08 21 08 1C 1C 96 
04 00 08 22 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5563; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-xxx.html; classtype:attempted-user; sid:35591; rev:2;)
# sids 35588-35591: Google Chrome pepflashplayer SurfaceFilterList use-after-free, CVE-2015-5563.
# Two byte signatures, each shipped as an SMTP rule (to_server, port 25) and as a
# download rule (to_client, $FILE_DATA_PORTS). Every rule has a single content match
# marked fast_pattern:only, applied to file_data with no file-type flowbit check.
# NOTE(review): all four rules reference ".../apsb15-xxx.html"; "xxx" looks like an
# unfilled bulletin number, so the link is unlikely to resolve to an advisory. Triage
# from the CVE reference and confirm the real bulletin id before editing the URL.
#
# sid 35590: SMTP variant of the signature beginning 18 7E C1 C6.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Google Chrome pepflashplayer SurfaceFilterList use-after-free attempt"; flow:to_server,established; file_data; content:"|18 7E C1 C6 C8 71 ED D8 4E 13 A7 2D 6E 54 9C 5E 9A 01 7D 80 4C D1 60 6A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5563; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-xxx.html; classtype:attempted-user; sid:35590; rev:2;)
# sid 35589: download variant of the signature beginning 96 06 00 08 (SMTP counterpart: sid 35591).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Google Chrome pepflashplayer SurfaceFilterList use-after-free attempt"; flow:to_client,established; file_data; content:"|96 06 00 08 1F 08 20 08 16 1C 96 04 00 08 21 08 1C 1C 96 04 00 08 22 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5563; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-xxx.html; classtype:attempted-user; sid:35589; rev:2;)
# sid 35588: download variant of the signature beginning 18 7E C1 C6 (SMTP counterpart: sid 35590).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Google Chrome pepflashplayer SurfaceFilterList use-after-free attempt"; flow:to_client,established; file_data; content:"|18 7E C1 C6 C8 71 ED D8 4E 13 A7 2D 6E 54 9C 5E 9A 01 7D 80 4C D1 60 6A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5563; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-xxx.html; classtype:attempted-user; sid:35588; rev:2;)
alert
tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData object use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|8E A1 65 76 55 BA 6D 28 99 FE 73 C7 EF 05 FD CE D3 00 72 3A 4B 8B 1F C8 4D CA 2D D0 C3 D9 C1 12 5A 28 1D 36|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,76288; reference:cve,2015-5559; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35587; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData object use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|8E A1 65 76 55 BA 6D 28 99 FE 73 C7 EF 05 FD CE D3 00 72 3A 4B 8B 1F C8 4D CA 2D D0 C3 D9 C1 12 5A 28 1D 36|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,76288; reference:cve,2015-5559; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35586; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData object use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|4E 96 02 00 08 05 53 3C 96 07 00 07 00 00 00 00 08 06 40 87 01 00 02 17 96 04 00 04 02 08 07 8E 08 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,76288; reference:cve,2015-5559; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35585; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData object use after free 
attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|4E 96 02 00 08 05 53 3C 96 07 00 07 00 00 00 00 08 06 40 87 01 00 02 17 96 04 00 04 02 08 07 8E 08 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,76288; reference:cve,2015-5559; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35584; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player button pointer exploit attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|24 04 16 A1 FF FF 60 92 08 60 E3 07 66 E4 07 60 9A 08 4F 8F 08 02 D0 66 8D 08 60 E3 07 66 E4 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5547; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35583; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player button pointer exploit attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|24 04 16 A1 FF FF 60 92 08 60 E3 07 66 E4 07 60 9A 08 4F 8F 08 02 D0 66 8D 08 60 E3 07 66 E4 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5547; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35582; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData applyFilter heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B6 4C BF 46 BC 7C C3 7E 61 3B 4D 3B 44 5D 7B 39 46 F7 08 A6 CE 87 88 4B 1F DF B7 B0 
5D 6D E0 2A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5541; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35581; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData applyFilter heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"BitmapData"; nocase; content:"BlurFilter"; within:60; nocase; content:"writeUnsignedInt"; within:50; nocase; content:"applyFilter"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5541; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35580; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData applyFilter heap overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B6 4C BF 46 BC 7C C3 7E 61 3B 4D 3B 44 5D 7B 39 46 F7 08 A6 CE 87 88 4B 1F DF B7 B0 5D 6D E0 2A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5541; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35579; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData applyFilter heap overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"BitmapData"; nocase; content:"BlurFilter"; within:60; nocase; content:"writeUnsignedInt"; within:50; nocase; content:"applyFilter"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service 
http, service imap, service pop3; reference:cve,2015-5541; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35578; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player secret cookie location disclosure attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|06 13 07 05 14 07 01 15 07 01 16 07 01 17 07 01 19 07 01 1A 09 0D 01 07 01 21 1B 02 07 01 23 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5125; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-recon; sid:35577; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player secret cookie location disclosure attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|06 13 07 05 14 07 01 15 07 01 16 07 01 17 07 01 19 07 01 1A 09 0D 01 07 01 21 1B 02 07 01 23 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5125; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-recon; sid:35576; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player secret cookie location disclosure attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D0 13 EA 24 42 F8 03 E2 18 36 F5 D0 10 8D 24 9B 9A 2C 42 FA CC 3D B6 3E A3 11 62 18 3B 6D CB 36|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5125; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-recon; sid:35575; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 
$HOME_NET any (msg:"FILE-FLASH Adobe Flash Player secret cookie location disclosure attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D0 13 EA 24 42 F8 03 E2 18 36 F5 D0 10 8D 24 9B 9A 2C 42 FA CC 3D B6 3E A3 11 62 18 3B 6D CB 36|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5125; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-recon; sid:35574; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SWF dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|80 09 01 60 94 07 60 8E 07 4F 80 09 01 D0 60 FE 08 25 A0 06 25 80 05 46 FF 08 02 4F 80 09 01 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5546; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35572; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SWF dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|80 09 01 60 94 07 60 8E 07 4F 80 09 01 D0 60 FE 08 25 A0 06 25 80 05 46 FF 08 02 4F 80 09 01 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5546; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35571; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt"; flow:to_server,established; file_data; content:"|C6 33 21 BA 89 4A D5 89 69 4A 1F ED D9 94 29 08 D5 C7 C6 50 B1 
05 49 22 0F EF 00 78 A3 DB 48 7D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5557; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35696; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt"; flow:to_client,established; file_data; content:"|C6 33 21 BA 89 4A D5 89 69 4A 1F ED D9 94 29 08 D5 C7 C6 50 B1 05 49 22 0F EF 00 78 A3 DB 48 7D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5557; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35695; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt"; flow:to_server,established; file_data; content:"|9C 60 3F 63 77 A5 22 D3 50 08 0D 25 68 A5 02 E4 E7 20 CD 2E 67 AA AD 24 5D B2 26 81 08 E4 CC 4C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5557; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35694; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt"; flow:to_client,established; file_data; content:"|9C 60 3F 63 77 A5 22 D3 50 08 0D 25 68 A5 02 E4 E7 20 CD 2E 67 AA AD 24 5D B2 26 81 08 E4 CC 4C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5557; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35693; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt"; flow:to_server,established; file_data; content:"|96 06 00 08 09 08 0A 08 0B 1C 96 04 00 08 0C 08 0B 1C 96 05 00 07 02 00 00 00 43 3C 96 02 00 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5557; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35692; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt"; flow:to_client,established; file_data; content:"|96 06 00 08 09 08 0A 08 0B 1C 96 04 00 08 0C 08 0B 1C 96 05 00 07 02 00 00 00 43 3C 96 02 00 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5557; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35691; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player incorrect reference to IExternalizable object attempt"; flow:to_server,established; file_data; content:"|51 45 68 BC 4F D0 7A A9 8C D0 A4 64 0A A6 E8 8A AE 34 76 C9 BE 40 D6 27 65 A0 12|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5553; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35674; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player incorrect reference to IExternalizable object attempt"; 
flow:to_client,established; file_data; content:"|51 45 68 BC 4F D0 7A A9 8C D0 A4 64 0A A6 E8 8A AE 34 76 C9 BE 40 D6 27 65 A0 12|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5553; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35673; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player incorrect reference to IExternalizable object attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|0B|ObjectInput"; fast_pattern:only; content:"|0B|flash.utils"; content:"|07|readInt"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5553; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35672; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player incorrect reference to IExternalizable object attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0B|ObjectInput"; fast_pattern:only; content:"|0B|flash.utils"; content:"|07|readInt"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5553; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35671; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player bitmap handling memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D1 66 B5 02 D1 66 F6 01 D1 66 91 2D 4A 4A 03 80 4A D6 5D 12 24 00 2A 24 01 D1 66 F6 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips 
drop, service smtp; reference:cve,2015-5544; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35667; rev:2;)
# sid 35666: download (to_client, $FILE_DATA_PORTS) counterpart of SMTP rule sid 35667,
# bitmap handling memory corruption, CVE-2015-5544. Requires the file.swf flowbit and
# has a single content match marked fast_pattern:only.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player bitmap handling memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D1 66 B5 02 D1 66 F6 01 D1 66 91 2D 4A 4A 03 80 4A D6 5D 12 24 00 2A 24 01 D1 66 F6 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5544; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35666; rev:2;)
# sids 35665 (SMTP) and 35664 (download): DefineVideoStream out of bounds memory access,
# CVE-2015-5552. Both are shipped disabled (leading "#") and their metadata lists only
# services, with no policy entries.
# NOTE(review): the only content is the 6-byte pattern 3F 0F 01 00 00 00, much shorter
# than the signatures on the neighbouring rules. Presumably these are disabled because so
# short a pattern matches benign SWF data; measure false positives on local traffic
# before enabling either rule.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DefineVideoStream out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|3F 0F 01 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-5552; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35665; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DefineVideoStream out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3F 0F 01 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-5552; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35664; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player corrupt glyph array out of bounds attempt"; flow:to_server,established; file_data; content:"|D2 60 0B 2D 03 46 16 01 A0 85 D6 25 FF 01 74 D7 10 0F 00 00 09 D2 60 0B D3 46 16 01 A0 85 D6|"; fast_pattern:only; metadata:policy
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5133; classtype:attempted-user; sid:35663; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player corrupt glyph array out of bounds attempt"; flow:to_client,established; file_data; content:"|D2 60 0B 2D 03 46 16 01 A0 85 D6 25 FF 01 74 D7 10 0F 00 00 09 D2 60 0B D3 46 16 01 A0 85 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5133; classtype:attempted-user; sid:35662; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player FileReference constructor type confusion attempt"; flow:to_server,established; file_data; content:"|D9 F0 05 48 EB 48 1A C0 FF E2 55 06 1F 33 10 60 2E 10 A6 98 57 10 6C 51 47 8F 4F 9E 07 D3 0D 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5558; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35661; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player FileReference constructor type confusion attempt"; flow:to_client,established; file_data; content:"|D9 F0 05 48 EB 48 1A C0 FF E2 55 06 1F 33 10 60 2E 10 A6 98 57 10 6C 51 47 8F 4F 9E 07 D3 0D 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5558; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35660; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player FileReference constructor type confusion attempt"; 
flow:to_server,established; file_data; content:"|96 04 00 04 01 08 05 4E 96 04 00 08 06 08 0B 1C 96 02 00 08 0C 4E 96 02 00 08 0D 4E 4F 96 0C 00 06 00 00 00 00 00 00 00 00 04 02 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5558; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35659; rev:2;)
# sid 35658: download (to_client, $FILE_DATA_PORTS) counterpart of SMTP rule sid 35659,
# FileReference constructor type confusion, CVE-2015-5558. Single content match marked
# fast_pattern:only; no file-type flowbit check.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player FileReference constructor type confusion attempt"; flow:to_client,established; file_data; content:"|96 04 00 04 01 08 05 4E 96 04 00 08 06 08 0B 1C 96 02 00 08 0C 4E 96 02 00 08 0D 4E 4F 96 0C 00 06 00 00 00 00 00 00 00 00 04 02 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5558; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35658; rev:2;)
# sids 35657 (SMTP) and 35656 (download): XML property delete out of bounds memory write,
# CVE-2015-5549, for streams with the file.swf flowbit set. "XMLList" is the fast pattern;
# the rule then chains two further content matches and two occurrences of 29 D0 66 05,
# the second within 10 bytes of the first.
# NOTE(review): both rules show two empty options (content:""; content:""; distance:0;).
# An empty content gives the matcher nothing to search for and is likely to be rejected
# at rule load. The original literals appear to have been lost from this copy (possibly
# markup-like text stripped during extraction; unconfirmed). Restore them from the
# upstream rev 3 of each sid before loading these two rules.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player XML property delete out of bounds memory write attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"XMLList"; fast_pattern:only; content:""; content:""; distance:0; content:"|29 D0 66 05|"; content:"|29 D0 66 05|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5549; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35657; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player XML property delete out of bounds memory write attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"XMLList"; fast_pattern:only; content:""; content:""; distance:0; content:"|29 D0 66 05|"; content:"|29 D0 66 05|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5549; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35656; rev:3;)
# sids 35655 (SMTP) and 35654 (download): same CVE-2015-5549 message, but gated on the
# file.cws flowbit instead of file.swf (set elsewhere; presumably by a file-identification
# rule for compressed SWF, confirm). Each has a single content match marked fast_pattern:only.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player XML property delete out of bounds memory write attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|27 A0 00 21 BA 21 A7 D6 E3 DC 65 94 6E A7 56 7A 04 E9 AF FA 9D F5 9F 74 32 A6 69 EA 52 B7 3C 56|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5549; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35655; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player XML property delete out of bounds memory write attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|27 A0 00 21 BA 21 A7 D6 E3 DC 65 94 6E A7 56 7A 04 E9 AF FA 9D F5 9F 74 32 A6 69 EA 52 B7 3C 56|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5549; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35654; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextField filters use-after-free attempt"; flow:to_server,established; file_data; content:"|96 09 00 08 0C 07 03 00 00 00 08 0E 1C 96 02 00 08 0F 4E 96 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5561; reference:cve,2015-8450;
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:35653; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextField filters use-after-free attempt"; flow:to_server,established; file_data; content:"|14 BD 36 10 9C 4D 76 93 CD 56 4A AB B2 92 95 6C 55 A9 11 D8 63 70 02 16|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5561; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35652; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextField filters use-after-free attempt"; flow:to_client,established; file_data; content:"|96 09 00 08 0C 07 03 00 00 00 08 0E 1C 96 02 00 08 0F 4E 96 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5561; reference:cve,2015-8450; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:35651; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextField filters use-after-free attempt"; flow:to_client,established; file_data; content:"|14 BD 36 10 9C 4D 76 93 CD 56 4A AB B2 92 95 6C 55 A9 11 D8 63 70 02 16|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5561; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35650; rev:2;) alert tcp $EXTERNAL_NET any -> 
$SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player XML pointer wrong parent reference"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|2C 05 42 01|"; content:"|32 04 03 11 EB FF FF 08 04 08 03 D0|"; content:"|47|"; within:5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5548; reference:cve,2015-8443; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:35649; rev:4;)
# -- XML pointer wrong parent reference (CVE-2015-5548, CVE-2015-8443) --
# sid 35648 is the client-bound twin of sid 35649 (the rule ending on the line above).
# NOTE(review): unlike most rules in this section, these two carry no fast_pattern
# modifier. Their matches are a 4-byte content, a 12-byte content with no
# distance/within tying it to the first, and a single byte |47| within 5 bytes of the
# second. The file.swf flowbit is the only other scoping, so the rules are more likely
# to match unrelated SWF bytecode than the 32-byte rules; review their alerts for false
# positives before relying on the drop policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player XML pointer wrong parent reference"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|2C 05 42 01|"; content:"|32 04 03 11 EB FF FF 08 04 08 03 D0|"; content:"|47|"; within:5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5548; reference:cve,2015-8443; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:35648; rev:4;)
# Same msg, rules gated on the file.cws flowbit: one 32-byte fast_pattern:only content
# each. These reference only CVE-2015-5548 and apsb15-19, not CVE-2015-8443.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player XML pointer wrong parent reference"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|63 6E 67 5D EA D8 DC 17 4C 15 89 4D 59 EE D1 14 9B AE 0F 2F 0B E8 F4 8F 10 9A AC 4B CD CF 9C C3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5548; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35647; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player XML pointer wrong parent reference"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|63 6E 67 5D EA D8 DC 17 4C 15 89 4D 59 EE D1 14 9B AE 0F 2F 0B E8 F4 8F 10 9A AC 4B CD CF 9C C3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5548; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35646; rev:2;)
# -- ASnative previously set SharedObject variable (CVE-2015-5134) --
# No flowbits check on these rules: the 32-byte content is evaluated against file_data
# for any file on the matching services, not only files flagged as SWF.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt"; flow:to_server,established; file_data; content:"|B9 1A C0 C9 EF 3C BC 00 DB E0 26 A4 77 A5 A4 74 83 AF 21 56 AE 95 05 6A 89 4D 80 74 93 DB 3C E2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5134; classtype:attempted-user; sid:35645; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt"; flow:to_client,established; file_data; content:"|B9 1A C0 C9 EF 3C BC 00 DB E0 26 A4 77 A5 A4 74 83 AF 21 56 AE 95 05 6A 89 4D 80 74 93 DB 3C E2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5134; classtype:attempted-user; sid:35644; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt"; flow:to_server,established; file_data; content:"|96 16 00 07 01 00 00 00 07 01 00 00 00 07 FC 00 00 00 07 02 00 00 00 08 02 3D 96 02 00 08 03 52 17 96 0B 00 08 04 08 05 07 01 00 00 00 08 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3131;
reference:cve,2015-5134; classtype:attempted-user; sid:35643; rev:3;)
# Client-bound twin of sid 35643 (the rule ending on the line above); same 47-byte
# content, references CVE-2015-3131 and CVE-2015-5134.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt"; flow:to_client,established; file_data; content:"|96 16 00 07 01 00 00 00 07 01 00 00 00 07 FC 00 00 00 07 02 00 00 00 08 02 3D 96 02 00 08 03 52 17 96 0B 00 08 04 08 05 07 01 00 00 00 08 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3131; reference:cve,2015-5134; classtype:attempted-user; sid:35642; rev:3;)
# -- Disabled rules: sids 35641 through 35636 --
# The six rules below are commented out, and their metadata has no "policy ..." entries,
# so none of the three policies named on the enabled rules around them covers these.
# Enabling them is a local decision; run them as alert-only and review hits first.
# sids 35641/35639 (CVE-2015-5540) match only on ActionScript identifier strings
# ("watch", "XML", "display", "BitmapData", "removeNode", "appendChild"), most with nocase.
# NOTE(review): presumably any SWF that uses these APIs together can match - confirm
# against known-good samples.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player childNodes XML object use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"watch"; nocase; content:"XML"; nocase; content:"display"; nocase; content:"BitmapData"; within:11; nocase; content:"removeNode"; fast_pattern:only; content:"appendChild"; nocase; metadata:service smtp; reference:cve,2015-5540; classtype:attempted-user; sid:35641; rev:4;)
# NOTE(review): the msg of sid 35640 reads "XML object after free attempt", while its
# three siblings (35641, 35639, 35638) read "use after free attempt". Alert grouping or
# suppression keyed on msg text will treat it separately; key on sid or the CVE reference.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player childNodes XML object after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|F9 EC 34 D3 65 2C 28 EB 7A BF DF CF F5 0F 73 24 BC D1 8D 52 A9 A4 E7 4D DD 34 B3 3C 22 4B 87 3E|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-5540; classtype:attempted-user; sid:35640; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player childNodes XML object use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"watch"; nocase; content:"XML"; nocase; content:"display"; nocase; content:"BitmapData"; within:11; nocase; content:"removeNode"; fast_pattern:only; content:"appendChild"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-5540; classtype:attempted-user; sid:35639; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player childNodes XML object use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|F9 EC 34 D3 65 2C 28 EB 7A BF DF CF F5 0F 73 24 BC D1 8D 52 A9 A4 E7 4D DD 34 B3 3C 22 4B 87 3E|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-5540; classtype:attempted-user; sid:35638; rev:3;)
# sids 35637/35636 (CVE-2015-5132, classtype attempted-dos): the last twelve bytes of the
# content decode to the ASCII string "Trebuchet MS".
# NOTE(review): presumably the pattern comes from one specific sample file - confirm.
# sid 35637 is the only SMTP rule in this section that lists ports [25,2525,567] instead
# of 25.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,2525,567] (msg:"FILE-FLASH Adobe Flash invalid swf tag parsing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|3F 8E 56 FA 1B 00 13 E3 85 00 0C 54 72 65 62 75 63 68 65 74 20 4D 53|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-5132; classtype:attempted-dos; sid:35637; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash invalid swf tag parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3F 8E 56 FA 1B 00 13 E3 85 00 0C 54 72 65 62 75 63 68 65 74 20 4D 53|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-5132; classtype:attempted-dos; sid:35636; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|16 C4 38 82 B4 76 E1 5E C2 68 6C 17 06 8C 93 BB E8 1E C2 1C 5F 47 1C 26 F3 75 44 30 1F AB 23 1E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5124; reference:cve,2015-5566; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user;
sid:35635; rev:3;)
# -- NetMonitor use-after-free (CVE-2015-5124, CVE-2015-5566) --
# Two 32-byte signatures, each shipped as an SMTP (to_server) rule and a client-bound
# (to_client) rule: sids 35635/35634 share one pattern, 35633/35632 the other. All four
# test flowbits:isset,file.swf; the rule that sets that flowbit is not in this section
# and must be enabled for these to fire.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|16 C4 38 82 B4 76 E1 5E C2 68 6C 17 06 8C 93 BB E8 1E C2 1C 5F 47 1C 26 F3 75 44 30 1F AB 23 1E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5124; reference:cve,2015-5566; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35634; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|EF 01 21 01 28 F0 27 5D 18 4A 18 00 80 18 D5 F0 28 D0 D1 46 19 01 80 1A D6 D1 2C 26 D2 27 2F 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5124; reference:cve,2015-5566; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35633; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|EF 01 21 01 28 F0 27 5D 18 4A 18 00 80 18 D5 F0 28 D0 D1 46 19 01 80 1A D6 D1 2C 26 D2 27 2F 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5124; reference:cve,2015-5566; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35632; rev:3;)
# -- XMLSocket destroy function type confusion (CVE-2015-5554) --
# sids 35762/35761 match one 32-byte content with no fast_pattern modifier and no
# flowbits check.
# NOTE(review): sid 35762 is the to_server rule for $SMTP_SERVERS port 25, yet its
# metadata lists "service ftp-data, service smtp". The other port-25 rules visible here
# list only "service smtp". This looks like a carry-over from the client-bound twin;
# confirm against the upstream ruleset, because service metadata affects which traffic
# the rule is applied to when service identification is in use.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player XMLSocket destroy function type confusion attempt"; flow:to_server,established; file_data; content:"|83 A7 1F 3D 7A FD E2 AE B5 CB C1 E0 37 80 A5 F7 7F 7D 7D F6 E7 77 C2 4F 5B 3B 2F 5E FE 98 FC E3|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2015-5554; classtype:attempted-user; sid:35762; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player XMLSocket destroy function type confusion attempt"; flow:to_client,established; file_data; content:"|83 A7 1F 3D 7A FD E2 AE B5 CB C1 E0 37 80 A5 F7 7F 7D 7D F6 E7 77 C2 4F 5B 3B 2F 5E FE 98 FC E3|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5554; classtype:attempted-user; sid:35761; rev:2;)
# sids 35760/35759 match a chain of identifier strings instead of raw bytes: "valueOf",
# then "XMLSocket" within 25 bytes, "connect|00|call" within 30, and
# "flash|00|display|00|BitmapData" within 50; the last content is the fast pattern.
# The within values are relative to the end of the previous match, so the four strings
# must appear in this order and close together.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player XMLSocket destroy function type confusion attempt"; flow:to_server,established; file_data; content:"valueOf"; content:"XMLSocket"; within:25; content:"connect|00|call"; within:30; content:"flash|00|display|00|BitmapData"; within:50; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5554; classtype:attempted-user; sid:35760; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player XMLSocket destroy function type confusion attempt"; flow:to_client,established; file_data; content:"valueOf"; content:"XMLSocket"; within:25; content:"connect|00|call"; within:30; content:"flash|00|display|00|BitmapData"; within:50; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5554; classtype:attempted-user; sid:35759; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25
(msg:"FILE-FLASH Adobe Flash Player SharedObject use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00|ASSetPropFlags"; fast_pattern:only; content:"|00|NetConnection"; content:"|00|SharedObject"; content:"|00|display|00|BitmapData"; content:"|00|setInterval"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5539; classtype:attempted-user; sid:35756; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SharedObject use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|37 C3 0E 3C F3 93 63 72 44 33 2D 61 75 59 3D 03 BE 6E 49 D8 D9 E6 E6 D5 1B DE 6E AB 43 34 E3 4D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5539; classtype:attempted-user; sid:35755; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SharedObject use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|37 C3 0E 3C F3 93 63 72 44 33 2D 61 75 59 3D 03 BE 6E 49 D8 D9 E6 E6 D5 1B DE 6E AB 43 34 E3 4D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5539; classtype:attempted-user; sid:35754; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SharedObject use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00|ASSetPropFlags"; fast_pattern:only; content:"|00|NetConnection"; content:"|00|SharedObject"; content:"|00|display|00|BitmapData"; content:"|00|setInterval"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, 
service imap, service pop3; reference:cve,2015-5539; classtype:attempted-user; sid:35753; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player raster pointer null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|99 62 90 10 38 8E F3 90 58 BF B1 9A 07 E1 04 F5 E4 49 61 A0 45 E0 33 AB 1A 34 6A 84 19 15 82 5D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5126; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35744; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player raster pointer null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|99 62 90 10 38 8E F3 90 58 BF B1 9A 07 E1 04 F5 E4 49 61 A0 45 E0 33 AB 1A 34 6A 84 19 15 82 5D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5126; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35743; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player raster pointer null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|5E 03|"; content:"|60 03|"; within:70; content:"|64 D1 66 14 66 15|"; content:"|10 0B 00 00|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5126; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35742; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player raster pointer null pointer 
dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|5E 03|"; content:"|60 03|"; within:70; content:"|64 D1 66 14 66 15|"; content:"|10 0B 00 00|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5126; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35741; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player scale9Grid use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"scale9Grid"; fast_pattern:only; content:!"Rect"; nocase; content:!"skin"; nocase; content:"MovieClip"; nocase; content:"remove"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5564; classtype:attempted-user; sid:35825; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player scale9Grid use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|5C DD 34 DA F5 1D F5 16 C4 7E AE 24 A1 73 E2 0F 12 16 66 BB 10 E3 84 93 34 A9 93 EA 2E AA 34 A6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5564; classtype:attempted-user; sid:35824; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player scale9Grid use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|5C DD 34 DA F5 1D F5 16 C4 7E AE 24 A1 73 E2 0F 12 16 66 BB 10 E3 84 93 34 A9 93 EA 2E AA 34 A6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5564; 
classtype:attempted-user; sid:35823; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player scale9Grid use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"scale9Grid"; fast_pattern:only; content:!"Rect"; nocase; content:!"skin"; nocase; content:"MovieClip"; nocase; content:"remove"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5564; classtype:attempted-user; sid:35822; rev:6;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player scale9Grid use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"scale9Grid"; fast_pattern:only; content:!"Rect"; nocase; content:!"skin"; nocase; content:"Button"; nocase; content:"remove"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5564; classtype:attempted-user; sid:35821; rev:5;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player scale9Grid use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"scale9Grid"; fast_pattern:only; content:!"Rect"; nocase; content:!"skin"; nocase; content:"Button"; nocase; content:"remove"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5564; classtype:attempted-user; sid:35820; rev:6;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player loadSound type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|90 78 DE EC 7F 9D 8C 05 18 0E CF 91 F5 1E 5D 61 5A 4E B7 B9 D8 FF 28 F0 9F 3E 04 B0 0F C3 2B 97|"; fast_pattern:only; metadata:policy balanced-ips 
drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5562; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35816; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player loadSound type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|90 78 DE EC 7F 9D 8C 05 18 0E CF 91 F5 1E 5D 61 5A 4E B7 B9 D8 FF 28 F0 9F 3E 04 B0 0F C3 2B 97|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5562; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35815; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player loadSound type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 04 00 04 01 08 06 4E 87 01 00 05 17 96 12 00 07 01 00 00 00 04 04 04 01 07 03 00 00 00 04 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5562; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:35814; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player loadSound type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 04 00 04 01 08 06 4E 87 01 00 05 17 96 12 00 07 01 00 00 00 04 04 04 01 07 03 00 00 00 04 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5562; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; 
sid:35813; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player swapDepths use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|A9 6B 4D 65 DB 79 8F 85 4D F1 B5 74 55 AB CA 6A 55 D6 EA 43 ED DC 50 C5 5B 93 E3 56 BD E7 5D 2A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5550; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:35864; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player swapDepths use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 0B 00 06 00 00 00 00 00 00 00 00 08 00 1C 96 02 00 08 01 52 17 96 02 00 08 02 26 96 02 00 08 03|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5550; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:35863; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player swapDepths use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A9 6B 4D 65 DB 79 8F 85 4D F1 B5 74 55 AB CA 6A 55 D6 EA 43 ED DC 50 C5 5B 93 E3 56 BD E7 5D 2A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5550; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:35862; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player swapDepths use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 0B 00 06 00 00 00 00 00 00 00 00 08 00 1C 96 02 00 08 01 52 17 96 02 00 08 02 26 96 02 00 08 
03|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5550; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:35861; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player attachMovie use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|9D AC 1C D6 15 C1 E6 BE F1 F6 76 F8 F6 E4 85 BB D3 D3 D3 AF E0 EA 1D 47 AB 6B 89 89 DE AC 73 C3|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5551; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:35938; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player attachMovie use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 12 00 07 C8 00 00 00 08 01 08 04 07 04 00 00 00 04 01 08 05 52 17 96 02 00 08 06 3E 07 96 08 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5551; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:35937; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player attachMovie use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|9D AC 1C D6 15 C1 E6 BE F1 F6 76 F8 F6 E4 85 BB D3 D3 D3 AF E0 EA 1D 47 AB 6B 89 89 DE AC 73 C3|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5551; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:35936; rev:2;) # alert tcp 
$EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player attachMovie use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 12 00 07 C8 00 00 00 08 01 08 04 07 04 00 00 00 04 01 08 05 52 17 96 02 00 08 06 3E 07 96 08 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5551; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:35935; rev:2;)

# CVE-2014-8439 (APSB14-22 / APSB14-26) - "dangling bytearray pointer" family.
# Ten enabled rules, five signatures, each shipped once per direction:
#   sids 35950-35954  inbound mail   ($EXTERNAL_NET -> $SMTP_SERVERS 25, flow:to_server)
#   sids 35945-35949  file download  ($FILE_DATA_PORTS -> $HOME_NET, flow:to_client)
# Pairs by signature: 35954/35949, 35953/35948, 35952/35947, 35951/35946, 35950/35945.
# None of these rules tests flowbits:isset,file.swf, so they are evaluated against
# any file_data buffer, not only streams already identified as SWF.
# fast_pattern:only means the content is checked by the fast-pattern matcher alone
# (position-independent; as far as I know also case-insensitive - TODO confirm).
# 35954/35949 are the exception: two contents, the second within 200 bytes of the first.
# NOTE(review): some patterns look like AVM2 bytecode, others are opaque byte runs;
# the file does not say where in a SWF they come from. Bytecode-style patterns are
# only visible in an uncompressed body - assumes SWF decompression is enabled on
# the sensor (http_inspect decompress_swf) - TODO confirm in snort.conf.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_server,established; file_data; content:"|D0 49 00 5D 03 4A 03 00 80 03|"; content:"|60 05 66 06 D3 61 07 60 05 66 06 66 07 4F 08 00 2E 01 D5 2E 02 D6 D1 D2 3C 47|"; within:200; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-26.html; classtype:attempted-user; sid:35954; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_server,established; file_data; content:"|61 29 60 26 66 27 66 29 4F 2A 00 2E 01 D5 D0 66 08 74 D7 D3 37 D6 D2 D0 66 0E 14 03 00 00 D1 D3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-26.html; classtype:attempted-user; sid:35953; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_server,established; file_data; content:"|51 80 72 76 27 C5 30 8C 95 63 5B A6 22 2B 4C A4 36 76 04 57 05 6B 82 4F B3 97 FD 02 FE C5 B7 33|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-26.html; classtype:attempted-user; sid:35952; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_server,established; file_data; content:"|60 99 01 66 43 68 A5 01 F0 43 D0 2C 43 68 17 F0 44 D0 49 00 F0 45 60 64 76 12 0C 00 00 F0 47 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-26.html; classtype:attempted-user; sid:35951; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_server,established; file_data; content:"|E2 1E 42 8C 10 B3 D9 39 38 F9 3B 0A C4 ED 7B 15 6E AF 09 BD BF CE 45 DD 2C 44 7D 83 EB FD FB 42|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-26.html; classtype:attempted-user; sid:35950; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_client,established; file_data; content:"|D0 49 00 5D 03 4A 03 00 80 03|"; content:"|60 05 66 06 D3 61 07 60 05 66 06 66 07 4F 08 00 2E 01 D5 2E 02 D6 D1 D2 3C 47|"; within:200; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-26.html; classtype:attempted-user; sid:35949; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_client,established; file_data; content:"|61 29 60 26 66 27 66 29 4F 2A 00 2E 01 D5 D0 66 08 74 D7 D3 37 D6 D2 D0 66 0E 14 03 00 00 D1 D3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-26.html; classtype:attempted-user; sid:35948; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_client,established; file_data; content:"|51 80 72 76 27 C5 30 8C 95 63 5B A6 22 2B 4C A4 36 76 04 57 05 6B 82 4F B3 97 FD 02 FE C5 B7 33|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-26.html; classtype:attempted-user; sid:35947; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_client,established; file_data; content:"|60 99 01 66 43 68 A5 01 F0 43 D0 2C 43 68 17 F0 44 D0 49 00 F0 45 60 64 76 12 0C 00 00 F0 47 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-26.html; classtype:attempted-user; sid:35946; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_client,established; file_data; content:"|E2 1E 42 8C 10 B3 D9 39 38 F9 3B 0A C4 ED 7B 15 6E AF 09 BD BF CE 45 DD 2C 44 7D 83 EB FD FB 42|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-26.html; classtype:attempted-user; sid:35945; rev:2;)

# "Infinity popup toolkit" (sids 36035, 36034). Both ship disabled (leading '#'),
# carry no policy metadata, are classtype:policy-violation, and use $HTTP_PORTS
# rather than $FILE_DATA_PORTS. sid 36035 requires flowbits:isset,file.swf;
# sid 36034 does not. The only reference is a single VirusTotal sample report.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Infinity popup toolkit detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|30 10 6C 6D 7E 54 34 61 7D 1A 54 4B 44 7D 64 23|"; fast_pattern:only; metadata:service http; reference:url,www.virustotal.com/en/file/4F40A54A972991F23A9EA95485BF53C1B54671E7643C322F00508CF93DB7652C/analysis/; classtype:policy-violation; sid:36035; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Infinity popup toolkit detected"; flow:to_client,established; file_data; content:"|D9 B4 83 B6 75 2F 16 F7 9A A3 68 07 A3 A0 C2 F6 0E 47 AE E5 B2 DD 4E B4 E2 D2 B0|"; fast_pattern:only; metadata:service http;
reference:url,www.virustotal.com/en/file/4F40A54A972991F23A9EA95485BF53C1B54671E7643C322F00508CF93DB7652C/analysis/; classtype:policy-violation; sid:36034; rev:1;)

# CVE-2015-5122 (APSB15-18, bugtraq 75712) - AS3 opaqueBackground use after free.
# Six enabled rules, three opaque 32-byte patterns, all gated on
# flowbits:isset,file.swf and all fast_pattern:only (position-independent match).
#   SMTP 36129 / download 36128
#   SMTP 36127 / download 36125
#   SMTP 36126 / download 36124
# NOTE(review): the file does not say what the byte runs correspond to; treat them
# as sample-specific until confirmed against the referenced advisory.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|17 A0 7C 30 34 31 49 C2 91 E8 1D 8A 59 8A 03 14 F3 14 07 29 99 A0 24 4C 99 08 25 02 25 B1 39 4C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,75712; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-18.html; classtype:attempted-user; sid:36129; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|17 A0 7C 30 34 31 49 C2 91 E8 1D 8A 59 8A 03 14 F3 14 07 29 99 A0 24 4C 99 08 25 02 25 B1 39 4C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,75712; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-18.html; classtype:attempted-user; sid:36128; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|9B 09 95 05 F8 92 81 7A 4F C2 F7 62 C2 56 7E 1B 30 4C 42 4E 82 C4 27 61 FB BC 08 C8 C9 14 BC 64|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,75712; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-18.html; classtype:attempted-user; sid:36127; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|29 45 DB 91 81 15 81 AC ED 6F 01 4D 80 AA A5 9D 87 09 D4 62 2F CE F7 E8 3A F1 1B 99 E0 48 79 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,75712; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-18.html; classtype:attempted-user; sid:36126; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|9B 09 95 05 F8 92 81 7A 4F C2 F7 62 C2 56 7E 1B 30 4C 42 4E 82 C4 27 61 FB BC 08 C8 C9 14 BC 64|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,75712; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-18.html; classtype:attempted-user; sid:36125; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|29 45 DB 91 81 15 81 AC ED 6F 01 4D 80 AA A5 9D 87 09 D4 62 2F CE F7 E8 3A F1 1B 99 E0 48 79 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,75712; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-18.html; classtype:attempted-user; sid:36124; rev:2;)

# CVE-2015-5129 (APSB15-19) - regexp heap buffer overflow.
# All four rules ship disabled (leading '#'); they are listed only for the
# max-detect and security policies, are classtype:attempted-admin, and do not
# test flowbits:isset,file.swf.
#   SMTP 36123 / download 36121
#   SMTP 36122 / download 36120
# A deployment that depends on this coverage has to enable them explicitly.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player regexp heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|6F EF 25 B9 0B 9C 78 44 04 EB 8F 23 47 AE DD 2F C9 35 AD 7A 37 B5 C1 A2 0D F5 BF 6E 8F 23 74 80|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5129; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:36123; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player regexp heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|30 D0 49 00 60 04 2C 07 42 01 80 04 D5 2C 08 D6 D1 D2 4F 05 01 47 00 00 02 02 01 01 08 23 D0 30|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5129; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:36122; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player regexp heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|6F EF 25 B9 0B 9C 78 44 04 EB 8F 23 47 AE DD 2F C9 35 AD 7A 37 B5 C1 A2 0D F5 BF 6E 8F 23 74 80|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5129; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:36121; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player regexp heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|30 D0 49 00 60 04 2C 07 42 01 80 04 D5 2C 08 D6 D1 D2 4F 05 01 47 00 00 02 02 01 01 08 23 D0 30|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5129;
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:36120; rev:2;)

# CVE-2014-0556 (APSB14-21) - copyPixelsToByteArray integer overflow.
# Eighteen enabled rules, nine 24-byte patterns, each shipped once per direction:
#   sids 36169-36177  inbound mail   ($EXTERNAL_NET -> $SMTP_SERVERS 25, flow:to_server)
#   sids 36160-36168  file download  ($FILE_DATA_PORTS -> $HOME_NET, flow:to_client)
# The SMTP copy of a pattern is the download sid + 9 (36177/36168 ... 36169/36160).
# Unlike the neighbouring families these also carry "policy connectivity-ips drop",
# so they drop traffic in the connectivity policy as well.
# No rule tests flowbits:isset,file.swf and every content is fast_pattern:only, so
# a hit is a position-independent byte match in any file_data buffer.
# NOTE(review): 36173-36177 (and their download pairs) are opaque byte runs, while
# 36169-36172 look like AVM2 bytecode; provenance is not stated in the file, so
# confirm it before tuning or suppressing any of them.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_server,established; file_data; content:"|CE 7D F0 90 BC 14 45 51 A4 44 EB 61 49 16 65 C7 B2 29 D2 12 FD 8C A5 F8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36177; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_server,established; file_data; content:"|BE D7 F6 F8 DA 9E 49 E2 99 24 93 BF 36 75 93 99 A6 CD 66 FE 92 B4 DB 0E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36176; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_server,established; file_data; content:"|B5 93 34 6E BB 95 6D 0C 0A 1C 40 91 06 54 42 B4 49 BB 5D 56 BA 68 DD B2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36175; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_server,established; file_data; content:"|F1 38 01 5F 5A 49 4D CC FE A9 C0 A5 00 28 FA 85 48 E5 2E EA A4 81 9F 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36174; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_server,established; file_data; content:"|7F 33 1E CF F3 D8 06 C6 3F 30 84 FC 1A 92 01 1A 8A B1 21 E9 B6 A1 04 2D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36173; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_server,established; file_data; content:"|49 00 D0 5D 0D 25 80 08 25 80 08 4A 0D 02 68 0C D0 5D 0F 24 00 2A 25 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36172; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_server,established; file_data; content:"|47 00 00 01 06 04 09 0A CE 04 D0 30 24 00 74 D7 D0 D0 66 0D 24 04 A3 24|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36171; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_server,established; file_data; content:"|0A 86 0D D0 30 20 80 20 D5 D0 5D 03 2C 26 4A 03 01 68 0B D0 60 21 60 0E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36170; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_server,established; file_data; content:"|01 08 09 03 D0 30 47 00 00 01 05 04 09 0A 3B D0 30 D0 49 00 5D 03 4A 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36169; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_client,established; file_data; content:"|CE 7D F0 90 BC 14 45 51 A4 44 EB 61 49 16 65 C7 B2 29 D2 12 FD 8C A5 F8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36168; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_client,established; file_data; content:"|BE D7 F6 F8 DA 9E 49 E2 99 24 93 BF 36 75 93 99 A6 CD 66 FE 92 B4 DB 0E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36167; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_client,established; file_data; content:"|B5 93 34 6E BB 95 6D 0C 0A 1C 40 91 06 54 42 B4 49 BB 5D 56 BA 68 DD B2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36166; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_client,established; file_data; content:"|F1 38 01 5F 5A 49 4D CC FE A9 C0 A5 00 28 FA 85 48 E5 2E EA A4 81 9F 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36165; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_client,established; file_data; content:"|7F 33 1E CF F3 D8 06 C6 3F 30 84 FC 1A 92 01 1A 8A B1 21 E9 B6 A1 04 2D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36164; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_client,established; file_data; content:"|49 00 D0 5D 0D 25 80 08 25 80 08 4A 0D 02 68 0C D0 5D 0F 24 00 2A 25 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36163; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_client,established; file_data; content:"|47 00 00 01 06 04 09 0A CE 04 D0 30 24 00 74 D7 D0 D0 66 0D 24 04 A3 24|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36162; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_client,established; file_data; content:"|0A 86 0D D0 30 20 80 20 D5 D0 5D 03 2C 26 4A 03 01 68 0B D0 60 21 60 0E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36161; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_client,established; file_data; content:"|01 08 09 03 D0 30 47 00 00 01 05 04 09 0A 3B D0 30 D0 49 00 5D 03 4A 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:36160; rev:2;)

# CVE-2015-0311 (APSA15-01, bugtraq 72283) - ByteArray domainMemory use after free.
# All four rules ship disabled, are gated on flowbits:isset,file.swf, and are
# listed only for the max-detect policy.
#   36157 (SMTP) / 36154 (download): string signature. The hex byte before each
#     name equals the name's length (0x0D "currentDomain", 0x0C "domainMemory",
#     0x10 "writeUnsignedInt", 0x09 "writeByte", 0x06 "length"), i.e. the names
#     are matched as length-prefixed strings. After the fast pattern, the rule
#     wants writeUnsignedInt, then writeByte, then length, in that order.
#   36156 (SMTP) / 36155 (download): one opaque 20-byte pattern.
# NOTE(review): the string rule matches names only, so a hit shows the names
# occur in that order, not that the file is an exploit; triage with that in mind.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0D|currentDomain|0C|domainMemory"; fast_pattern:only; content:"|10|writeUnsignedInt"; nocase; content:"|09|writeByte"; distance:0; nocase; content:"|06|length"; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:36157; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|FF EA C0 CA F6 7E BA 3B 75 95 99 B5 DB C0 68 39 D4 2B 01 1B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:36156; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FF EA C0 CA F6 7E BA 3B 75 95 99 B5 DB C0 68 39 D4 2B 01 1B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:36155; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0D|currentDomain|0C|domainMemory"; fast_pattern:only; content:"|10|writeUnsignedInt"; nocase; content:"|09|writeByte"; distance:0; nocase; content:"|06|length"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:36154; rev:3;)

# CVE-2015-5119 (APSA15-03) - string signatures. All four ship disabled, are
# gated on flowbits:isset,file.swf, classtype:attempted-admin.
#   36152 (SMTP) / 36150 (download): "|09|prototype|08|toString"
#   36151 (SMTP) / 36149 (download): "|09|prototype|07|valueof"
# Each content is two length-prefixed names back to back. "valueof" is written in
# lower case; fast_pattern:only matching is, as far as I know, case-insensitive, so
# it should still match "valueOf" - TODO confirm on the deployed Snort version.
# NOTE(review): both name pairs are generic, so expect benign hits if enabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|09|prototype|08|toString"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:36152; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|09|prototype|07|valueof"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:36151; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|09|prototype|08|toString"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:36150; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|09|prototype|07|valueof"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:36149; rev:2;)

# CVE-2015-0336 (APSB15-05, bugtraq 73084) - NetConnection AS2 code execution.
# Four enabled rules, all gated on flowbits:isset,file.swf.
#   36146 (SMTP) / 36144 (download): one opaque 32-byte pattern.
#   36145 (SMTP) / 36143 (download): "ASnative" (fast pattern) and "__proto__"
#     anywhere in the buffer, plus |4F 96| followed by a short chain of relative
#     byte checks (distance/within). These two also cite CVE-2015-7659 (APSB15-28).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|50 3E 6B 88 9F F7 63 96 7E 4D 88 CE C5 85 6F D4 14 E9 85 96 1E BE D3 4B 8B 05 E7 E3 EF B3 9A 74|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,73084; reference:cve,2015-0336; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:36146; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ASnative"; fast_pattern:only; content:"__proto__"; content:"|4F 96|"; content:"|00|"; within:1; distance:1; content:"|00 00 00|"; within:3; distance:4; content:"|07|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,73084; reference:cve,2015-0336; reference:cve,2015-7659; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36145; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|50 3E 6B 88 9F F7 63 96 7E 4D 88 CE C5 85 6F D4 14 E9 85 96 1E BE D3 4B 8B 05 E7 E3 EF B3 9A 74|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,73084; reference:cve,2015-0336; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; classtype:attempted-user; sid:36144; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ASnative"; fast_pattern:only; content:"__proto__"; content:"|4F 96|"; content:"|00|"; within:1; distance:1; content:"|00 00 00|"; within:3; distance:4; content:"|07|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service
imap, service pop3; reference:bugtraq,73084; reference:cve,2015-0336; reference:cve,2015-7659; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-05.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36143; rev:3;)

# CVE-2015-5119 (APSA15-03) - byte-pattern signatures.
# All eight rules ship disabled (leading '#'), are gated on flowbits:isset,file.swf,
# are listed only for the max-detect and security policies, and are
# classtype:attempted-admin. Four patterns, one rule per direction:
#   SMTP 36142 / download 36138
#   SMTP 36141 / download 36137
#   SMTP 36140 / download 36136
#   SMTP 36139 / download 36135
# Every rule cites the same single VirusTotal sample report.
# NOTE(review): 36142/36138 and 36141/36137 look like AVM2 bytecode, the other
# two patterns are opaque byte runs - provenance is not stated in the file.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|EF 01 02 00 00 EF 01 03 01 00 D0 49 00 5D 01 F0 0A 4A 01 00 80 01 D6 D2 F0 0B 24 0A 61 02 5D 03|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:36142; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|5D 09 D0 66 0A 66 0B 46 09 01 66 0C 66 0D 68 0E F0 1A 5D 09 D0 66 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:36141; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|28 53 97 3E 14 07 87 0D B2 9E 9A 24 A0 4B D3 51 43 EA D2 29 A9 DE 51 55 27 C4 48 EE 16 23 29 E8|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:36140; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|06 2B EF E3 A4 87 88 0F 85 F9 21 A2 65 76 C7 B3 BA 32 B6 60 B1 EA 8D 6B F3 D1 2B 32 3F 11 35 D9|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:36139; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|EF 01 02 00 00 EF 01 03 01 00 D0 49 00 5D 01 F0 0A 4A 01 00 80 01 D6 D2 F0 0B 24 0A 61 02 5D 03|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:36138; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|5D 09 D0 66 0A 66 0B 46 09 01 66 0C 66 0D 68 0E F0 1A 5D 09 D0 66 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:36137; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|28 53 97 3E 14 07 87 0D B2 9E 9A 24 A0 4B D3 51 43 EA D2 29 A9 DE 51 55 27 C4 48 EE 16 23 29 E8|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:36136; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|06 2B EF E3 A4 87 88 0F 85 F9 21 A2 65 76 C7 B3 BA 32 B6 60 B1 EA 8D 6B F3 D1 2B 32 3F 11 35 D9|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:36135; rev:2;)

# Exploit-kit decryption key (sid 36193, cites CVE-2015-5119). Enabled, download
# direction only, and not gated on flowbits:isset,file.swf. The content is
# written in hex but every byte is printable ASCII: "tprruestjbafeiaxfjrusphmnx".
# It is fast_pattern:only, so it matches that string anywhere in a file_data buffer.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Exploit Kit decryption key detected"; flow:to_client,established; file_data; content:"|74 70 72 72 75 65 73 74 6A 62 61 66 65 69 61 78 66 6A 72 75 73 70 68 6D 6E 78|"; fast_pattern:only; metadata:policy
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5119; reference:url,malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html; classtype:attempted-user; sid:36193; rev:2;)
# sid 36190 / 36189: string-based check for the display list use after free
# (CVE-2015-5543). 36190 covers mail sent to $SMTP_SERVERS, 36189 covers file
# data returned to $HOME_NET clients; the detection options are identical.
# Match logic as written:
#   - "removeChildren" anywhere in file_data, then "addChild" at any point after
#     it (distance:0), both case-insensitive;
#   - "URLRequest" carries no distance/within, so it is searched on its own and
#     not relative to the two matches above;
#   - "http" must NOT appear in the 15 bytes after "URLRequest", and ".jpg" must
#     appear within 20 bytes.
# NOTE(review): the ".jpg" window is presumably still measured from the end of
# "URLRequest", because a negated content should not move the match cursor -
# confirm against the Snort version in use.
# Every content here is a plaintext ActionScript name, so the rules can only
# match where the SWF body is visible uncompressed in the file_data buffer.
# flowbits:isset,file.swf makes both rules depend on a flowbit that is set
# outside this part of the file; if the rule that sets file.swf is not enabled,
# neither rule can fire.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player display list use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"removeChildren"; nocase; content:"addChild"; distance:0; nocase; content:"URLRequest"; nocase; content:!"http"; within:15; nocase; content:".jpg"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5543; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:36190; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player display list use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"removeChildren"; nocase; content:"addChild"; distance:0; nocase; content:"URLRequest"; nocase; content:!"http"; within:15; nocase; content:".jpg"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5543; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:36189; rev:2;)
# Same CVE, SMTP direction: a single 32-byte binary pattern used only as the
# fast pattern (fast_pattern:only), with no other content to corroborate it.
# The rule continues on the next line of this listing.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player display list use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|BC AF 95 07 A1 D5 42 9D DF 5A 45 5D B8 DF 1E 3F 35 E8 DE 18 48 CE 9B 71 15 78 DB FC 64 85 CC 8D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; 
reference:cve,2015-5543; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:36188; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player display list use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BC AF 95 07 A1 D5 42 9D DF 5A 45 5D B8 DF 1E 3F 35 E8 DE 18 48 CE 9B 71 15 78 DB FC 64 85 CC 8D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5543; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:36187; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|8C 20 29 86 A4 38 82 09 04 87 10 44 48 4A 22 98 42 70 18 C1 5B 48 1A 45 70 0C C1 71 04 D3 08 4E|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-5572; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36280; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|8C 20 29 86 A4 38 82 09 04 87 10 44 48 4A 22 98 42 70 18 C1 5B 48 1A 45 70 0C C1 71 04 D3 08 4E|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-5572; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36279; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt"; flow:to_server,established; 
flowbits:isset,file.swf; file_data; content:"|61 0F F0 16 D2 D3 61 0D F0 17 D2 26 61 10 F0 18 D2 2C 1B 61 11 F0 19 D2 60 12 66 13 61 14 F0 1A|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-5572; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36278; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|61 0F F0 16 D2 D3 61 0D F0 17 D2 26 61 10 F0 18 D2 2C 1B 61 11 F0 19 D2 60 12 66 13 61 14 F0 1A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-5572; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36277; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt"; flow:to_server,established; file_data; content:"|F7 D6 61 A5 0A E7 F2 A9 74 94 80 08 CE B5 21 7F 84 32 80 30 99 42 23 ED 29 3F 66 10 A6 D3 78 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5573; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36266; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt"; flow:to_server,established; file_data; content:"|F1 04 F0 1C 65 01 6C 04 24 00 65 01 6C 05 61 06 F0 1E 65 01 6C 03 65 01 6C 04 61 07 F0 20 65 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5573; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36265; rev:2;) alert tcp 
$EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt"; flow:to_client,established; file_data; content:"|F7 D6 61 A5 0A E7 F2 A9 74 94 80 08 CE B5 21 7F 84 32 80 30 99 42 23 ED 29 3F 66 10 A6 D3 78 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5573; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36264; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt"; flow:to_client,established; file_data; content:"|F1 04 F0 1C 65 01 6C 04 24 00 65 01 6C 05 61 06 F0 1E 65 01 6C 03 65 01 6C 04 61 07 F0 20 65 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5573; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36263; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|33 F5 E2 7C D6 4A C1 A1 86 58 56 E2 D9 B7 33 F3 58 DA 97 E0 4C BA 38 DF 68 1C A6 D1 F9 C6 1B 61 5B C2 3E 11|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6676; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36260; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|33 F5 
E2 7C D6 4A C1 A1 86 58 56 E2 D9 B7 33 F3 58 DA 97 E0 4C BA 38 DF 68 1C A6 D1 F9 C6 1B 61 5B C2 3E 11|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6676; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36259; rev:2;)
# sid 36258 / 36257: structural signature for the ByteArray writeByte overflow
# (CVE-2015-6676); 36258 is the SMTP direction, 36257 the client-download one.
# Match logic as written:
#   - "loadBytes" is the fast pattern only (fast_pattern:only);
#   - |4A 02 00| anywhere in file_data, then |4F 08 01| within 50 bytes after it;
#   - five further |4F 08 01|, each with distance:3 and within:4, i.e. each must
#     begin 3 or 4 bytes after the previous match ends.
# NOTE(review): 0x4A and 0x4F look like the AVM2 constructprop and callpropvoid
# opcodes, which would make this "construct an object, then six back-to-back
# calls of the same method". The operands (02 00, 08 01) would then be
# constant-pool indexes and argument counts tied to how one sample was
# compiled - confirm before treating these rules as generic coverage.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"loadBytes"; fast_pattern:only; content:"|4A 02 00|"; content:"|4F 08 01|"; within:50; content:"|4F 08 01|"; within:4; distance:3; content:"|4F 08 01|"; within:4; distance:3; content:"|4F 08 01|"; within:4; distance:3; content:"|4F 08 01|"; within:4; distance:3; content:"|4F 08 01|"; within:4; distance:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6676; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36258; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"loadBytes"; fast_pattern:only; content:"|4A 02 00|"; content:"|4F 08 01|"; within:50; content:"|4F 08 01|"; within:4; distance:3; content:"|4F 08 01|"; within:4; distance:3; content:"|4F 08 01|"; within:4; distance:3; content:"|4F 08 01|"; within:4; distance:3; content:"|4F 08 01|"; within:4; distance:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6676; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36257; rev:2;)
# sid 36324 / 36323: removeChildren use-after-free (CVE-2015-5581), one 32-byte
# binary pattern used as fast_pattern:only. The metadata also lists
# "policy connectivity-ips drop", in addition to the balanced, max-detect and
# security policies.
# NOTE(review): the SMTP variant (36324) adds nocase to this binary pattern,
# the client-side variant (36323) does not. Any byte that falls in the ASCII
# letter range is then matched in either case for 36324 - confirm whether the
# difference between the two directions is intended.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt"; flow:established,to_server; flowbits:isset,file.swf; file_data; content:"|C3 AC 77 B9 E9 E3 37 C6 AE CA D4 4D 95 05 EA 58 7B 9A 41 4D 31 DA A9 5B 02 C0 B8 7D 2A 4E F6 88|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5581; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36324; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt"; flow:established,to_client; flowbits:isset,file.swf; file_data; content:"|C3 AC 77 B9 E9 E3 37 C6 AE CA D4 4D 95 05 EA 58 7B 9A 41 4D 31 DA A9 5B 02 C0 B8 7D 2A 4E F6 88|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5581; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36323; rev:2;)
# sid 36322 (and 36321, which starts below and continues on the next line of
# this listing): same CVE. The hex content decodes to length-prefixed strings:
# "removeChildren", 0x05 "Event", 0x0C "flash.events", 0x12 "PoC".
# The pattern therefore ends on the first three letters of an 18-byte name
# that begins "PoC". A file that triggers the same bug with different
# identifiers would not match, so these rules identify one sample's string
# table rather than the vulnerable call pattern.
# The strings are plaintext, so they are only visible where the SWF body is
# uncompressed in file_data. As with 36324, only the SMTP variant has nocase.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt"; flow:established,to_server; flowbits:isset,file.swf; file_data; content:"|72 65 6D 6F 76 65 43 68 69 6C 64 72 65 6E 05 45 76 65 6E 74 0C 66 6C 61 73 68 2E 65 76 65 6E 74 73 12 50 6F 43|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5581; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36322; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player removeChildren use-after-free 
attempt"; flow:established,to_client; flowbits:isset,file.swf; file_data; content:"|72 65 6D 6F 76 65 43 68 69 6C 64 72 65 6E 05 45 76 65 6E 74 0C 66 6C 61 73 68 2E 65 76 65 6E 74 73 12 50 6F 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5581; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36321; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt"; flow:to_server,established; file_data; content:"|D4 87 C4 B0 60 18 41 82 89 F8 CE 5B E1 0C 18 06 1F 03 04 13 F0 20 F7 C8 1D BE 3C 79 47 8C CC 83|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5575; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36319; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt"; flow:to_client,established; file_data; content:"|D4 87 C4 B0 60 18 41 82 89 F8 CE 5B E1 0C 18 06 1F 03 04 13 F0 20 F7 C8 1D BE 3C 79 47 8C CC 83|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5575; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36318; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player URI loaded FLV potential information leak attempt"; flow:to_server,established; content:"swf?file="; nocase; http_uri; content:".flv"; within:20; nocase; http_uri; metadata:service http; 
reference:cve,2015-5575; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:policy-violation; sid:36317; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player URI loaded MP4 potential information leak attempt"; flow:to_server,established; content:"swf?file="; nocase; http_uri; content:".mp4"; within:20; nocase; http_uri; metadata:service http; reference:cve,2015-5576; reference:cve,2015-5578; reference:cve,2016-1096; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:policy-violation; sid:36316; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player class scope bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|FD FC 86 CD C3 99 2E 2E D9 4E A9 1F 24 36 C5 09 05 DF 26 9E 4B 00 30 0C 08 C8 10 90 21 A0 12 A8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5588; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36314; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player class scope bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|EF 01 04 00 0A|"; content:"|4A 01 00 80 01 D5|"; within:6; distance:4; content:"|46 02 01 29|"; within:4; distance:5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5588; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36313; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player class scope bypass attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FD FC 86 CD C3 99 2E 2E D9 4E A9 1F 24 36 C5 09 05 DF 26 9E 4B 00 
30 0C 08 C8 10 90 21 A0 12 A8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5588; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36312; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player class scope bypass attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|EF 01 04 00 0A|"; content:"|4A 01 00 80 01 D5|"; within:6; distance:4; content:"|46 02 01 29|"; within:4; distance:5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5588; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36311; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt"; flow:to_server,established; file_data; content:"|45 54 40 66 83 C7 6F 86 19 1E 74 40 A0 BA 3D D2 81 62 76 CC 05 D3 2D D1 CB 90 37 96 B4 CA 58 1F 20 24 A6 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,75086; reference:cve,2015-3105; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:36302; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt"; flow:to_client,established; file_data; content:"|45 54 40 66 83 C7 6F 86 19 1E 74 40 A0 BA 3D D2 81 62 76 CC 05 D3 2D D1 CB 90 37 96 B4 CA 58 1F 20 24 A6 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, 
service pop3; reference:bugtraq,75086; reference:cve,2015-3105; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:36301; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt"; flow:to_server,established; file_data; content:"|4F 24 02 60 21 D1 66 28 4F 2C 00 60 21 D1 20 61 28 D1 24 03 A0 74 D5 D1 60 1B 15 D8 FF FF 5D 0B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,75086; reference:cve,2015-3105; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:36300; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt"; flow:to_client,established; file_data; content:"|4F 24 02 60 21 D1 66 28 4F 2C 00 60 21 D1 20 61 28 D1 24 03 A0 74 D5 D1 60 1B 15 D8 FF FF 5D 0B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,75086; reference:cve,2015-3105; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-user; sid:36299; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player video decode use after free attempt"; flow:to_server,established; file_data; content:"|11 2C 17 43 20 74 B2 07 44 E0 74 CE 00 00 E1 09 41 00 01 00 97 06 22 02 00 40 00 73 68 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5584; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36298; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe 
Flash Player video decode use after free attempt"; flow:to_client,established; file_data; content:"|11 2C 17 43 20 74 B2 07 44 E0 74 CE 00 00 E1 09 41 00 01 00 97 06 22 02 00 40 00 73 68 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5584; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36297; rev:2;)
# sid 36296 / 36295: movie signed integer memory corruption (CVE-2015-5582),
# one 24-byte binary pattern used as fast_pattern:only. Neither rule is gated
# on flowbits:isset,file.swf, so the pattern is checked against any file_data
# on the matching ports.
# NOTE(review): both headers use $HOME_NET as the source, unlike the
# neighbouring Flash rules ($EXTERNAL_NET -> $SMTP_SERVERS and
# $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET):
#   - 36296 only inspects mail that $HOME_NET hosts send to $SMTP_SERVERS;
#   - 36295 only inspects file data served from $HOME_NET on $FILE_DATA_PORTS
#     to $EXTERNAL_NET clients.
# Unless the two variables overlap (for example both set to any), a SWF that an
# internal client downloads from an external server is not covered by 36295.
# Confirm the direction is intended before counting these rules as inbound
# coverage for CVE-2015-5582.
alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt"; flow:to_server,established; file_data; content:"|53 63 FC FF FF 3F 03 12 60 64 64 04 8A 40 48 64 71 10 1B 28 84 0C 20 D2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5582; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36296; rev:3;)
alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt"; flow:to_client,established; file_data; content:"|53 63 FC FF FF 3F 03 12 60 64 64 04 8A 40 48 64 71 10 1B 28 84 0C 20 D2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5582; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36295; rev:3;)
# NetStream.appendBytes use after free, SMTP direction: a single 32-byte
# pattern, gated on flowbits:isset,file.swf. The rule continues on the next
# line of this listing.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|60 33 CB DE 3E 6A EC 69 DB 2B A6 DC F0 CB BA BD C5 6C 07 4A C1 0C E5 E6 91 C3 EC 6D DB 92 AF 5F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, 
policy security-ips drop, service smtp; reference:cve,2015-6682; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36292; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|60 33 CB DE 3E 6A EC 69 DB 2B A6 DC F0 CB BA BD C5 6C 07 4A C1 0C E5 E6 91 C3 EC 6D DB 92 AF 5F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6682; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36291; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt"; flow:to_server,established; file_data; content:"|80 09 D6 F0 69 D0 66 25 D2 46 2E 01 29 F0 6A D0 66 0A D2 46 2F 01 29 F0 6B D0 66 0A 66 30 25 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6682; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36290; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt"; flow:to_client,established; file_data; content:"|80 09 D6 F0 69 D0 66 25 D2 46 2E 01 29 F0 6A D0 66 0A D2 46 2F 01 29 F0 6B D0 66 0A 66 30 25 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6682; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36289; rev:2;) alert tcp $EXTERNAL_NET any -> 
$SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt"; flow:to_server,established; file_data; content:"|3D 96 1A EA D2 43 B2 2A E4 30 EB FD 39 C5 33 32 F7 9E E6 44 DC 63 AB 6F E1 E1 32 9A 1F B3 75 24|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5578; reference:cve,2015-5579; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36288; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt"; flow:to_client,established; file_data; content:"|3D 96 1A EA D2 43 B2 2A E4 30 EB FD 39 C5 33 32 F7 9E E6 44 DC 63 AB 6F E1 E1 32 9A 1F B3 75 24|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5578; reference:cve,2015-5579; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36287; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Ovector out of bounds stack corruption attempt"; flow:established,to_server; file_data; content:"|D0 30 2C 07 2C 08 4F 04 01 47 00 00 02 03 01 0A 0B 10 D0 30 D0 49 00 5D 05 24 00 D0 66 03 4F 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0330; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:36399; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Ovector out of bounds stack corruption attempt"; flow:established,to_client; file_data; content:"|D0 30 2C 07 2C 08 4F 04 01 47 00 00 02 03 01 0A 0B 10 D0 30 D0 49 00 5D 05 24 00 D0 66 
03 4F 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0330; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:36398; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt"; flow:to_server,established; file_data; content:"|70 0F F5 FE CF EE 6E 13 56 1B 12 40 7F E2 CB FA 90 7E B9 B9 6F E0 40 ED 7F 5B 6A C3 84 C7 E4 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5568; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36374; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt"; flow:to_server,established; file_data; content:"|60 0E 60 0D 53 01 62 04 42 01 68 0F 60 10 66 0F 24 00 2D 02 61 16 60 10 66 0F 24 01 2D 03 61 16|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5568; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36373; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt"; flow:to_client,established; file_data; content:"|70 0F F5 FE CF EE 6E 13 56 1B 12 40 7F E2 CB FA 90 7E B9 B9 6F E0 40 ED 7F 5B 6A C3 84 C7 E4 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5568; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; 
classtype:attempted-user; sid:36372; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt"; flow:to_client,established; file_data; content:"|60 0E 60 0D 53 01 62 04 42 01 68 0F 60 10 66 0F 24 00 2D 02 61 16 60 10 66 0F 24 01 2D 03 61 16|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5568; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36371; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1F 09 FC 4A 60 D1 A0 CA 1D 6D 8F 6A 3C 76 15 45 39 A6 67 BD 7A 62 E6 79 5E 15 E9 75 E8 E8 07 0E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6678; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36370; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1F 09 FC 4A 60 D1 A0 CA 1D 6D 8F 6A 3C 76 15 45 39 A6 67 BD 7A 62 E6 79 5E 15 E9 75 E8 E8 07 0E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6678; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36369; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt"; flow:to_server,established; 
flowbits:isset,file.swf; file_data; content:"|D0 30 21 82 D5 24 00 82 D5 10 26 00 00 09 D0 66 06 D1 66 08 20 14 04 00 00 10 12 00 00 D0 66 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6678; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36368; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D0 30 21 82 D5 24 00 82 D5 10 26 00 00 09 D0 66 06 D1 66 08 20 14 04 00 00 10 12 00 00 D0 66 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6678; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36367; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AVSegmentedSource null pointer attempt"; flow:to_client,established; file_data; content:"|0A C9 DB 91 A4 22 C8 62 CF 43 33 76 5D F5 F5 D9 5F 84 6A 94 C5 05 45 BD 99 62 0C 53 96 86 12 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5567; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36358; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AVSegmentedSource null pointer attempt"; flow:to_server,established; file_data; content:"|0A C9 DB 91 A4 22 C8 62 CF 43 33 76 5D F5 F5 D9 5F 84 6A 94 C5 05 45 BD 99 62 0C 53 96 86 12 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy 
security-ips drop, service smtp; reference:cve,2015-5567; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36357; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AVSS null pointer attempt"; flow:to_server,established; file_data; content:"|29 50 F4 02 1F 63 10 1E 45 75 60 9E 54 DA 05 D0 28 72 B9 EF 4A 2F B2 C7 59 20 19 61 7E C9 28 7A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5567; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36356; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AVSS null pointer attempt"; flow:to_server,established; file_data; content:"|78 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79|"; fast_pattern; content:"setCueTags"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5567; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36355; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AVSS null pointer attempt"; flow:to_server,established; file_data; content:"|78 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79|"; fast_pattern; content:"setSubscribedTags"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5567; reference:cve,2015-5570; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36354; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AVSS null pointer attempt"; 
flow:to_client,established; file_data; content:"|29 50 F4 02 1F 63 10 1E 45 75 60 9E 54 DA 05 D0 28 72 B9 EF 4A 2F B2 C7 59 20 19 61 7E C9 28 7A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5567; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36353; rev:2;)

# sids 36352 / 36351 -- AVSS null pointer, client-bound file data (ftp-data, http, imap, pop3).
# Fast pattern is the 0x78 / 0x79 byte run; "setCueTags" (36352) or "setSubscribedTags" (36351) must
# follow within 100 bytes. 36351 also references CVE-2015-5570. No file.swf flowbit check.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AVSS null pointer attempt"; flow:to_client,established; file_data; content:"|78 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79|"; fast_pattern; content:"setCueTags"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5567; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36352; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AVSS null pointer attempt"; flow:to_client,established; file_data; content:"|78 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79|"; fast_pattern; content:"setSubscribedTags"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5567; reference:cve,2015-5570; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36351; rev:2;)

# DisplayList memory corruption, inbound SMTP, gated on flowbits:isset,file.swf.
# The content pattern and the rest of this rule continue on the next line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|5D 0A F0 20 4A 0A 00 5E 01 2B 61 01 60 01 F0 23 2C 05 D0 66 02 46 0B 02 
29 F0 21 10 0C 00 00 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5587; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36348; rev:2;)

# DisplayList memory corruption (CVE-2015-5587). Every rule here requires flowbits:isset,file.swf
# (set outside this excerpt) plus one 32-byte string marked fast_pattern:only.
#   36347: client-bound rule for the pattern that sid 36348 above uses for SMTP.
#   36346 and the rule after it: a second pattern, SMTP first, then client-bound.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|5D 0A F0 20 4A 0A 00 5E 01 2B 61 01 60 01 F0 23 2C 05 D0 66 02 46 0B 02 29 F0 21 10 0C 00 00 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5587; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36347; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|72 26 95 9E CD 64 E7 AE E4 E6 AF 32 50 5C B8 2A 40 56 60 62 09 01 0A F0 7A 62 09 0A CC 0D 01 7E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5587; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36346; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|72 26 95 9E CD 64 E7 AE E4 E6 AF 32 50 5C B8 2A 40 56 60 62 09 01 0A F0 7A 62 09 0A CC 0D 01 7E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5587; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36345; rev:2;)

# DisplayList memory corruption (CVE-2015-5587), continued: further byte patterns, each shipped as an
# SMTP rule and a client-bound rule. All require flowbits:isset,file.swf and use fast_pattern:only.
#   36344 (SMTP) / 36343 (client-bound): same 32-byte pattern.
#   36342 (SMTP): another pattern; the client-bound rule for it starts at the end of this line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|9B C9 CD 8A 73 62 46 9C 17 2F 89 59 71 41 5C 14 45 71 49 5C 5E E2 F8 CB F1 1C B3 C4 B0 1C 1F 13|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5587; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36344; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|9B C9 CD 8A 73 62 46 9C 17 2F 89 59 71 41 5C 14 45 71 49 5C 5E E2 F8 CB F1 1C B3 C4 B0 1C 1F 13|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5587; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36343; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|F0 2D 10 0D 00 00 D0 30 5A 02 2A 63 07 2A 30 2B 6D 01 1D 60 07 F0 35 2C 28 D0 66 0F 46 0B 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5587; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36342; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DisplayList memory corruption 
attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|F0 2D 10 0D 00 00 D0 30 5A 02 2A 63 07 2A 30 2B 6D 01 1D 60 07 F0 35 2C 28 D0 66 0F 46 0B 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5587; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36341; rev:2;)

# sids 36340 (SMTP) / 36339 (client-bound) -- DisplayList memory corruption (CVE-2015-5587):
# the same 32-byte pattern in both directions, gated on flowbits:isset,file.swf, fast_pattern:only.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|EC 23 EF 73 A2 53 CE 42 DE 5B 07 9B BD B0 B7 EC 61 55 93 67 BC F5 40 0B 7A 0B 03 3B 3E D3 C1 67|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5587; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36340; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|EC 23 EF 73 A2 53 CE 42 DE 5B 07 9B BD B0 B7 EC 61 55 93 67 BC F5 40 0B 7A 0B 03 3B 3E D3 C1 67|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5587; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36339; rev:2;)

# Disabled rule (leading "#"): same-origin policy bypass, inbound SMTP. Continues on the next line.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player same orgin policy bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|3E AF C7 33 4E E7 2A 58 5B 49 63 11 46 49 54 73 E6 DD EC C8 75 1A 05 ED E6 2B 05 CD 3C D6 1A 24|"; fast_pattern:only; 
metadata:service smtp; reference:cve,2015-6679; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36479; rev:2;)

# sids 36478 / 36477 / 36476 -- same-origin policy bypass (CVE-2015-6679). Shipped disabled: the rule
# text is commented out and the metadata names services only, no policy. Enabling them is a local decision.
# The msg text spells "orgin"; use that spelling when searching alert logs for these sids.
# Two byte patterns, each for SMTP and for client-bound file data, all gated on flowbits:isset,file.swf.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player same orgin policy bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|03 46 12 01 20 62 03 66 03 82 2D 02 5D 02 D0 66 05 66 04 66 03 82 4A 02 01 4F 1E 04 10 15 00 00 02|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-6679; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36478; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player same orgin policy bypass attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3E AF C7 33 4E E7 2A 58 5B 49 63 11 46 49 54 73 E6 DD EC C8 75 1A 05 ED E6 2B 05 CD 3C D6 1A 24|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6679; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36477; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player same orgin policy bypass attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|03 46 12 01 20 62 03 66 03 82 2D 02 5D 02 D0 66 05 66 04 66 03 82 4A 02 01 4F 1E 04 10 15 00 00 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6679; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36476; rev:2;)

# Flash Player and AIR type confusion, inbound SMTP; no file.swf flowbit check.
# The content pattern and the rest of this rule continue on the next line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt"; flow:to_server,established; file_data; content:"|E1 E5 27 13 85 01 9C ED 30 DD 72 8D B9 F9 F7 85 53 18 6E 79 15 B8 F6 57 2C 
0C B6 ED 07 C3 D1 0B 6E B4 31 85|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64199; reference:cve,2013-5331; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:36530; rev:2;)

# Flash Player and AIR type confusion (CVE-2013-5331, bugtraq 64199, apsb13-28).
# Two 36-byte patterns, each for SMTP and for client-bound file data; no file.swf flowbit check.
# The metadata sets drop in balanced-ips and security-ips only; max-detect-ips is not listed.
#   36529: SMTP rule for the second pattern.
#   36528: client-bound rule for the pattern used by sid 36530 above.
#   The rule at the end of this line is the client-bound twin of 36529.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt"; flow:to_server,established; file_data; content:"|D2 60 26 60 06 53 01 24 01 42 01 61 27 D2 91 82 D6 D2 D0 66 0A 15 E3 FF FF 24 00 82 D6 10 22 00 00 09 D0 66|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64199; reference:cve,2013-5331; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:36529; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt"; flow:to_client,established; file_data; content:"|E1 E5 27 13 85 01 9C ED 30 DD 72 8D B9 F9 F7 85 53 18 6E 79 15 B8 F6 57 2C 0C B6 ED 07 C3 D1 0B 6E B4 31 85|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64199; reference:cve,2013-5331; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:36528; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt"; flow:to_client,established; file_data; content:"|D2 60 26 60 06 53 01 24 01 42 01 61 27 D2 91 82 D6 D2 D0 66 0A 15 E3 FF FF 24 00 82 D6 10 22 00 00 09 D0 66|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64199; reference:cve,2013-5331; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:36527; rev:2;)

# ActionScript worker use after free (CVE-2015-0313, bugtraq 72429, apsa15-02); these rules are at rev:3.
# The metadata sets drop in all four listed policies, connectivity-ips included.
# Two 36-byte patterns, each gated on flowbits:isset,file.swf and marked fast_pattern:only.
#   36510, 36509: the SMTP rules for the two patterns.
#   The rule at the end of this line is the client-bound twin of 36510.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|89 D8 C5 3D 88 A2 5F C5 7A 18 65 DC F7 8A 42 55 47 98 74 0B 39 7F 38 7E B4 00 57 49 5C CF 12 F2 01 B0 5F D7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72429; reference:cve,2015-0313; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-02.html; classtype:attempted-user; sid:36510; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|10 6A 00 00 24 00 74 D7 10 37 00 00 09 60 01 D3 66 28 66 3E 2F 02 14 0E 00 00 60 01 D3 66 28 5E 05 2B 61 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72429; reference:cve,2015-0313; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-02.html; classtype:attempted-user; sid:36509; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|89 D8 C5 3D 88 A2 5F C5 7A 18 65 DC F7 8A 42 55 47 98 74 0B 39 7F 38 7E B4 00 57 49 5C CF 12 F2 01 B0 5F D7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72429; reference:cve,2015-0313; 
reference:url,helpx.adobe.com/security/products/flash-player/apsa15-02.html; classtype:attempted-user; sid:36508; rev:3;)

# sid 36507 -- ActionScript worker use after free (CVE-2015-0313), client-bound rule for the second
# 36-byte pattern; gated on flowbits:isset,file.swf, drop in all four listed policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|10 6A 00 00 24 00 74 D7 10 37 00 00 09 60 01 D3 66 28 66 3E 2F 02 14 0E 00 00 60 01 D3 66 28 5E 05 2B 61 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72429; reference:cve,2015-0313; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-02.html; classtype:attempted-user; sid:36507; rev:3;)

# sids 36505 / 36504 -- scrollRect property use after free (CVE-2015-5130), classtype attempted-admin.
# Commented out in this file, although the metadata names max-detect-ips and security-ips drop.
# NOTE(review): policy-driven rule management may enable them regardless -- confirm their state in the deployed policy.
#   36505: two short byte strings in order (the second anywhere after the first, distance:0); the third
#   string is fast_pattern:only, so it is not position-checked against the other two.
#   36504: a single 32-byte pattern.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player scrollRect property use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 04|"; content:"|96 04 00 08 0E 08 05|"; distance:0; content:"|96 1E 00 08 07 06 00 00 00 00 00 00 00 00 08 08 07 04 00 00 00 08 09|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5130; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:36505; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player scrollRect property use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|18 F2 2D 7C 6E B6 93 85 0A 21 B6 5E 3B 69 D4 D4 33 F3 EC 44 E9 74 3A 35 55 6D 1A 86 D1 AD AA C6|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5130; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:36504; rev:2;)
# alert tcp $EXTERNAL_NET 
$FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player scrollRect property use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 04|"; content:"|96 04 00 08 0E 08 05|"; distance:0; content:"|96 1E 00 08 07 06 00 00 00 00 00 00 00 00 08 08 07 04 00 00 00 08 09|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5130; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:36503; rev:2;)

# sid 36502 -- scrollRect property use after free (CVE-2015-5130), client-bound, 32-byte pattern.
# Disabled (leading "#") although the metadata names max-detect-ips and security-ips drop.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player scrollRect property use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|18 F2 2D 7C 6E B6 93 85 0A 21 B6 5E 3B 69 D4 D4 33 F3 EC 44 E9 74 3A 35 55 6D 1A 86 D1 AD AA C6|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5130; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:36502; rev:2;)

# sid 36556 -- writeExternal type confusion (CVE-2015-7645, apsa15-05), inbound SMTP, gated on file.swf.
# String-based: "IExternalizable" is the case-sensitive fast pattern (fast_pattern:only); "writeExternal"
# and "_a_-" are matched nocase with no distance/within, so they may appear anywhere in file_data.
# NOTE(review): "_a_-" looks like a marker from one particular sample -- confirm coverage of this CVE
# does not rest on that string alone.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"IExternalizable"; fast_pattern:only; content:"writeExternal"; nocase; content:"_a_-"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7645; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; classtype:attempted-user; sid:36556; rev:2;)

# writeExternal type confusion, inbound SMTP, byte-pattern variant without a file.swf check.
# The content pattern and the rest of this rule continue on the next line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_server,established; file_data; content:"|92 B1 09 92 C8 24 C9 78 94 64 E2 12 C9 64 8C 24 3A 45 72 
69 9A 24 36 43 32 15 27 99 9E 25 99 99|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7645; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; classtype:attempted-user; sid:36555; rev:2;)

# writeExternal type confusion (CVE-2015-7645, apsa15-05), byte-pattern rules.
# Each is a single 32-byte string marked fast_pattern:only; none checks the file.swf flowbit.
#   36554: client-bound rule for the pattern that sid 36555 above uses for SMTP.
#   36553 (SMTP) and the rule after it (client-bound): a second pattern.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_client,established; file_data; content:"|92 B1 09 92 C8 24 C9 78 94 64 E2 12 C9 64 8C 24 3A 45 72 69 9A 24 36 43 32 15 27 99 9E 25 99 99|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7645; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; classtype:attempted-user; sid:36554; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_server,established; file_data; content:"|D7 B8 E0 BE 35 7C 5F 91 A5 F3 79 E6 B9 FA 4D 09 9D 72 DF 68 45 BC 23 55 7D B8 25 A0 0F EE 03 22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7645; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; classtype:attempted-user; sid:36553; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_client,established; file_data; content:"|D7 B8 E0 BE 35 7C 5F 91 A5 F3 79 E6 B9 FA 4D 09 9D 72 DF 68 45 BC 23 55 7D B8 25 A0 0F EE 03 22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7645; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; 
classtype:attempted-user; sid:36552; rev:2;)

# sids 36551 (client-bound) / 36550 (SMTP) -- writeExternal type confusion; both at rev:3 and both
# reference CVE-2015-7645 and CVE-2015-7647. Same 37-byte pattern, fast_pattern:only, no file.swf check.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_client,established; file_data; content:"|49 00 5D 01 F0 0C 4A 01 00 D6 60 02 64 F0 0D 2C 08 60 01 41 02 29 5D 03 F0 0E 4A 03 00 D5 D1 D2 F0 0F 46 04 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7645; reference:cve,2015-7647; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; classtype:attempted-user; sid:36551; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_server,established; file_data; content:"|49 00 5D 01 F0 0C 4A 01 00 D6 60 02 64 F0 0D 2C 08 60 01 41 02 29 5D 03 F0 0E 4A 03 00 D5 D1 D2 F0 0F 46 04 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7645; reference:cve,2015-7647; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; classtype:attempted-user; sid:36550; rev:3;)

# sid 36549 -- writeExternal type confusion (CVE-2015-7645), client-bound, gated on file.swf, rev:3.
# String-based: "writeExternal" is the case-sensitive fast pattern (fast_pattern:only); "ByteArray" and
# "ololo" are matched nocase with no distance/within, so they may appear anywhere in file_data.
# NOTE(review): "ololo" looks like a marker from one particular sample, and no SMTP rule with these
# strings is visible in this part of the file -- confirm that both are intended.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"writeExternal"; fast_pattern:only; content:"ByteArray"; nocase; content:"ololo"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7645; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; classtype:attempted-user; sid:36549; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player textLine use-after-free attempt"; flow:to_server,established; 
file_data; content:"|82 07 2D E8 D6 79 8F D0 C9 DE 52 7C 75 1F FC CD B3 FB 9B 67 F7 3F 74 76 BA AA B7 88 D6 8A 77 CE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7631; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36593; rev:2;)

# textLine use-after-free (CVE-2015-7631, apsb15-25). Two 32-byte patterns, each as an SMTP rule and
# a client-bound rule; fast_pattern:only, no file.swf flowbit check.
#   36592: client-bound rule for the pattern that sid 36593 above uses for SMTP.
#   36591 (SMTP) and the rule after it (client-bound): the second pattern.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player textLine use-after-free attempt"; flow:to_client,established; file_data; content:"|82 07 2D E8 D6 79 8F D0 C9 DE 52 7C 75 1F FC CD B3 FB 9B 67 F7 3F 74 76 BA AA B7 88 D6 8A 77 CE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7631; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36592; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player textLine use-after-free attempt"; flow:to_server,established; file_data; content:"|33 02 68 1B 5D 34 D0 66 1B 4F 34 01 5D 35 60 01 66 36 D0 66 1E 4F 35 02 D0 66 1B 2C 58 61 37 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7631; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36591; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player textLine use-after-free attempt"; flow:to_client,established; file_data; content:"|33 02 68 1B 5D 34 D0 66 1B 4F 34 01 5D 35 60 01 66 36 D0 66 1E 4F 35 02 D0 66 1B 2C 58 61 37 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7631; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36590; rev:2;)

# Message handler array length overflow (CVE-2015-7629, apsb15-25). Byte-pattern rules marked
# fast_pattern:only, with no file.swf flowbit check.
#   36589 (SMTP) / 36588 (client-bound): the same 32-byte pattern.
#   36587 (SMTP): a second pattern; its client-bound rule starts at the end of this line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player message handler array length overflow attempt"; flow:to_server,established; file_data; content:"|D2 34 36 44 C9 08 C5 A3 94 64 28 19 A3 64 9C 92 BB 94 DC A3 C2 24 25 D3 54 9C A1 E4 01 15 E7 28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7629; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36589; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player message handler array length overflow attempt"; flow:to_client,established; file_data; content:"|D2 34 36 44 C9 08 C5 A3 94 64 28 19 A3 64 9C 92 BB 94 DC A3 C2 24 25 D3 54 9C A1 E4 01 15 E7 28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7629; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36588; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player message handler array length overflow attempt"; flow:to_server,established; file_data; content:"|5D 17 4A 17 00 80 17 D7 F0 31 5D 18 4A 18 00 80 18 63 04 F0 32 62 04 2D 01 61 1C F0 33 D3 62 04 61 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7629; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36587; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player message handler array length overflow attempt"; 
flow:to_client,established; file_data; content:"|5D 17 4A 17 00 80 17 D7 F0 31 5D 18 4A 18 00 80 18 63 04 F0 32 62 04 2D 01 61 1C F0 33 D3 62 04 61 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7629; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36586; rev:2;)

# sid 36584 -- PCRE engine find_recurse out-of-bounds read (CVE-2015-7633), inbound SMTP, gated on file.swf.
# Structural match, not a sample byte string: "|06|RegExp" and "}{" are searched without relative
# modifiers; ",}!" must start at least 1 byte after "}{" and lie within the 10 bytes that follow it.
# NOTE(review): the fast pattern is the 3-byte ",}!", which is short; the file.swf gate is what keeps this
# rule from being evaluated on unrelated file data -- confirm the flowbit is set reliably upstream.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|06|RegExp"; content:"}{"; content:",}!"; within:10; distance:1; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7633; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36584; rev:2;)

# sid 36583 -- same CVE, inbound SMTP: a single 24-byte pattern, fast_pattern:only, no file.swf check.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|79 6D 1C 1F B0 43 8A 4F D6 C7 89 96 6F 94 89 FD E8 9C 66 B7 14 C7 B5 F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7633; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36583; rev:2;)

# Client-bound twin of sid 36584 (same three contents and modifiers); continues on the next line.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|06|RegExp"; content:"}{"; content:",}!"; within:10; distance:1; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; 
reference:cve,2015-7633; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36582; rev:2;)

# sid 36581 -- PCRE engine find_recurse out-of-bounds read (CVE-2015-7633), client-bound:
# a single 24-byte pattern, fast_pattern:only, no file.swf flowbit check.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|79 6D 1C 1F B0 43 8A 4F D6 C7 89 96 6F 94 89 FD E8 9C 66 B7 14 C7 B5 F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7633; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36581; rev:2;)

# sid 36576 -- recursion check stack overflow (CVE-2015-7625), inbound SMTP, gated on file.swf.
# A chain of five method names, all nocase, each tied to the previous match by a byte window:
# removeChildAt -> swapChildren (within:15, fast pattern) -> getChildIndex (within:30)
# -> setChildIndex (within:15) -> removeChildren (within:15).
# NOTE(review): the windows presumably reflect how the names sit next to each other in one sample's
# string table -- confirm the rule still matches when the names are laid out differently.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player recursion check stack overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"removeChildAt"; nocase; content:"swapChildren"; within:15; fast_pattern; nocase; content:"getChildIndex"; within:30; nocase; content:"setChildIndex"; within:15; nocase; content:"removeChildren"; within:15; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7625; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36576; rev:2;)

# sid 36575 -- same CVE, inbound SMTP: a single 32-byte pattern, fast_pattern:only, no file.swf check.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player recursion check stack overflow attempt"; flow:to_server,established; file_data; content:"|A3 AC D4 F1 80 B8 3D 56 E9 2B 4F 1D 47 AD 30 B5 F8 A0 68 34 12 E5 B1 38 AC AF 39 C2 8A A7 AE 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7625; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36575; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any 
(msg:"FILE-FLASH Adobe Flash Player recursion check stack overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"removeChildAt"; nocase; content:"swapChildren"; within:15; fast_pattern; nocase; content:"getChildIndex"; within:30; nocase; content:"setChildIndex"; within:15; nocase; content:"removeChildren"; within:15; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7625; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36574; rev:2;)

# sid 36573 -- recursion check stack overflow (CVE-2015-7625), client-bound:
# a single 32-byte pattern, fast_pattern:only, no file.swf flowbit check.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player recursion check stack overflow attempt"; flow:to_client,established; file_data; content:"|A3 AC D4 F1 80 B8 3D 56 E9 2B 4F 1D 47 AD 30 B5 F8 A0 68 34 12 E5 B1 38 AC AF 39 C2 8A A7 AE 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7625; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36573; rev:2;)

# NavigatetoURL new tab open (CVE-2015-7628), classtype policy-violation. Shipped disabled: the rules
# are commented out and the metadata names services only, no policy.
#   36609: inbound SMTP, 32-byte pattern, gated on file.swf.
#   The rule after it is the client-bound twin and continues on the next line.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|62 DE E2 A1 C5 97 B0 C4 97 D0 AC 9D 05 B6 BA C3 AD C5 AB 46 12 24 BE 4C 02 99 84 32 E9 C9 A4 2F|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-7628; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:policy-violation; sid:36609; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|62 DE E2 A1 C5 97 B0 C4 97 D0 AC 9D 05 B6 BA C3 
AD C5 AB 46 12 24 BE 4C 02 99 84 32 E9 C9 A4 2F|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-7628; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:policy-violation; sid:36608; rev:2;)

# sids 36607 (SMTP) / 36606 (client-bound) -- NavigatetoURL new tab open (CVE-2015-7628),
# classtype policy-violation. Disabled (leading "#"); the metadata names services only, no policy.
# Same 32-byte pattern in both directions, gated on flowbits:isset,file.swf.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|66 03 4F 07 02 47 00 00 03 02 01 01 09 27 D0 30 65 00 60 08 30 60 09 30 60 0A 30 60 0B 30 60 0C|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-7628; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:policy-violation; sid:36607; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|66 03 4F 07 02 47 00 00 03 02 01 01 09 27 D0 30 65 00 60 08 30 60 09 30 60 0A 30 60 0B 30 60 0C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-7628; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:policy-violation; sid:36606; rev:2;)

# sid 36600 -- assertion out of bounds corruption (CVE-2015-7627), inbound SMTP, 32-byte pattern,
# drop in all four listed policies (connectivity-ips included).
# This rule requires flowbits:isset,file.swf; the client-bound rule that follows (sid 36599, same bytes)
# does not. NOTE(review): confirm the asymmetry is intended -- if the flowbit is not set for a mail
# attachment, this SMTP rule cannot fire.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt"; flow:established,to_server; flowbits:isset,file.swf; file_data; content:"|0F 9F 71 8E 63 E0 C6 4B EB BC 14 4F 55 90 29 70 C9 29 8B D3 00 5B 5E 4C FA A2 C5 CE 95 F8 8D E3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7627; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36600; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe 
Flash Player assertion out of bounds corruption attempt"; flow:established,to_client; file_data; content:"|0F 9F 71 8E 63 E0 C6 4B EB BC 14 4F 55 90 29 70 C9 29 8B D3 00 5B 5E 4C FA A2 C5 CE 95 F8 8D E3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7627; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36599; rev:2;)
# NOTE(review): sid:36599 (the rule ending on the line above) carries no
# flowbits:isset,file.swf, while sids 36600, 36598 and 36597 for the same CVE do.
# Without that gate it can fire on any to_client file data, not only on flows
# already tagged as SWF -- confirm the omission is intended.
#
# sid:36598 -- string variant for CVE-2015-7627, SMTP direction (to_server, port 25).
# Requires the file.swf flowbit, which must be set by another rule not shown here.
# "currentTarget" is the fast pattern (case-sensitive); the remaining contents form a
# relative chain, all nocase: addChild -> removeChild (within:15) -> height (within:30)
# -> target (within:30) -> rotation (within:40).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt"; flow:established,to_server; flowbits:isset,file.swf; file_data; content:"currentTarget"; fast_pattern:only; content:"addChild"; nocase; content:"removeChild"; within:15; nocase; content:"height"; within:30; nocase; content:"target"; within:30; nocase; content:"rotation"; within:40; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7627; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36598; rev:2;)
# sid:36597 -- same content chain as sid:36598, for the to_client direction
# (services ftp-data, http, imap, pop3).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt"; flow:established,to_client; flowbits:isset,file.swf; file_data; content:"currentTarget"; fast_pattern:only; content:"addChild"; nocase; content:"removeChild"; within:15; nocase; content:"height"; within:30; nocase; content:"target"; within:30; nocase; content:"rotation"; within:40; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7627; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-user; sid:36597; 
rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|4A 0C 00 68 0D F0 3E D0 5D 0E 4A 0E 00 68 0F F0 3F D0 66 0F 2D 01 61 10 F0 43 D0 66 0F 24 00 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7632; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-admin; sid:36758; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|2E 06 9C FE 00 1A 18 83 B6 76 88 51 F7 70 84 FD E8 35 3B DE 25 A9 1B 4E CB 54 4F C3 41 4D 6C D1|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7632; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-admin; sid:36757; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|4A 0C 00 68 0D F0 3E D0 5D 0E 4A 0E 00 68 0F F0 3F D0 66 0F 2D 01 61 10 F0 43 D0 66 0F 24 00 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7632; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-admin; sid:36756; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|2E 06 9C FE 00 1A 18 83 
B6 76 88 51 F7 70 84 FD E8 35 3B DE 25 A9 1B 4E CB 54 4F C3 41 4D 6C D1|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7632; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-25.html; classtype:attempted-admin; sid:36755; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_server,established; file_data; content:"|9B 09 95 05 F8 92 81 7A 4F C2 F7 62 C2 56 7E 1B 30 4C 42 4E 82 C4 27 61 FB BC 08 C8 C9 14 BC 64|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,75712; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-18.html; classtype:attempted-user; sid:36822; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_server,established; file_data; content:"|29 45 DB 91 81 15 81 AC ED 6F 01 4D 80 AA A5 9D 87 09 D4 62 2F CE F7 E8 3A F1 1B 99 E0 48 79 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,75712; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-18.html; classtype:attempted-user; sid:36821; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_client,established; file_data; content:"|9B 09 95 05 F8 92 81 7A 4F C2 F7 62 C2 56 7E 1B 30 4C 42 4E 82 C4 27 61 FB BC 08 C8 C9 14 BC 64|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,75712; 
reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-18.html; classtype:attempted-user; sid:36820; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt"; flow:to_client,established; file_data; content:"|29 45 DB 91 81 15 81 AC ED 6F 01 4D 80 AA A5 9D 87 09 D4 62 2F CE F7 E8 3A F1 1B 99 E0 48 79 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,75712; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-18.html; classtype:attempted-user; sid:36819; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt"; flow:to_server,established; file_data; content:"|54 7D 71 42 A0 86 8B 17 3B 1D 37 D9 29 98 12 E8 5E C5 4B C2 18 7D 4C 77 1A 76 9C B6 0A 6D 36 9E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7653; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36853; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt"; flow:to_client,established; file_data; content:"|54 7D 71 42 A0 86 8B 17 3B 1D 37 D9 29 98 12 E8 5E C5 4B C2 18 7D 4C 77 1A 76 9C B6 0A 6D 36 9E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7653; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36852; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player 
globalToLocal use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"_level0.tf"; fast_pattern:only; content:"globalToLocal"; nocase; content:"toString"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7653; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36851; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"_level0.tf"; fast_pattern:only; content:"globalToLocal"; nocase; content:"toString"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7653; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36850; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player GetConsoleMode input action variable corruption attempt"; flow:to_server,established; file_data; content:"|87 01 00 01 17 96 04 00 04 01 08 00 1C 48 12 9D 02 00 4D 01 96 04 00 08 01 08 02 1C 96 04 00 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7651; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36849; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player GetConsoleMode input action variable corruption attempt"; flow:to_client,established; file_data; content:"|87 01 00 01 17 96 04 00 04 01 08 00 1C 48 12 9D 02 00 4D 01 96 04 00 08 01 08 02 1C 96 04 00 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy 
security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7651; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36848; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt"; flow:to_server,established; file_data; content:"|B8 1E B9 C1 00 B9 E0 59 10 00 0D AE 68 C4 C2 6B 7D 0D 1C 40 CC 04 0D AE 68 10 12 40 1A 84 CE 14|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7652; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36847; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt"; flow:to_client,established; file_data; content:"|B8 1E B9 C1 00 B9 E0 59 10 00 0D AE 68 C4 C2 6B 7D 0D 1C 40 CC 04 0D AE 68 10 12 40 1A 84 CE 14|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7652; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36846; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt"; flow:to_server,established; file_data; content:"|06 00 00 00 00 00 00 00 00 43 3C 96 02 00 08 07 1C 96 02 00 08 08 8E 08 00 00 00 00 02 2A 01 7E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7652; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36845; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any 
(msg:"FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt"; flow:to_client,established; file_data; content:"|06 00 00 00 00 00 00 00 00 43 3C 96 02 00 08 07 1C 96 02 00 08 08 8E 08 00 00 00 00 02 2A 01 7E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7652; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36844; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MovieClip object corruption use after free attempt"; flow:to_server,established; file_data; content:"FWS"; depth:3; content:"|1D 96 02 00 08 02 1C 96 05 00 07 00 04 00 00 48 12|"; fast_pattern:only; content:"MovieClip"; content:"toString"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7660; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36843; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MovieClip object corruption use after free attempt"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"|1D 96 02 00 08 02 1C 96 05 00 07 00 04 00 00 48 12|"; fast_pattern:only; content:"MovieClip"; content:"toString"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7660; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36842; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player file API validation bypass attempt"; flow:to_server,established; file_data; content:"|8B 44 24 28 8D 54 24 38 52 6A 00 6A 00 FF 74 24 20 8B 08 50 FF 51 1C 8B 44 
24 28 8D 54|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7662; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36839; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player file API validation bypass attempt"; flow:to_client,established; file_data; content:"|8B 44 24 28 8D 54 24 38 52 6A 00 6A 00 FF 74 24 20 8B 08 50 FF 51 1C 8B 44 24 28 8D 54|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7662; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36838; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player toString with script objects use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"loadSound"; nocase; content:"createTextField"; within:100; nocase; content:"toString"; within:50; nocase; content:"removeMovieClip"; within:30; nocase; content:"createEmptyMovieClip"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8042; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36837; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player toString with script objects use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"loadSound"; nocase; content:"createTextField"; within:100; nocase; content:"toString"; within:50; nocase; content:"removeMovieClip"; within:30; nocase; content:"createEmptyMovieClip"; distance:0; nocase; metadata:policy balanced-ips drop, 
policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8042; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36836; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt"; flow:to_server,established; file_data; content:"|86 51 37 2F BE 5C 6A E0 12 6C 23 A6 B4 E1 25 90 F9 26 4D 3C 4D E2 FC C6 DB B4 D8 CB 04 A9 C3 51|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7655; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36832; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt"; flow:to_server,established; file_data; content:"|43 10 57 57 57 85 AC 24 48 52 1A 11 69 F7 A4 E9 A9 9D 74 D3 5D 5A 2C A6 7C 86 0A 71 35 C7 68 79|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7655; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36831; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt"; flow:to_client,established; file_data; content:"|86 51 37 2F BE 5C 6A E0 12 6C 23 A6 B4 E1 25 90 F9 26 4D 3C 4D E2 FC C6 DB B4 D8 CB 04 A9 C3 51|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7655; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36830; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 
$HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt"; flow:to_client,established; file_data; content:"|43 10 57 57 57 85 AC 24 48 52 1A 11 69 F7 A4 E9 A9 9D 74 D3 5D 5A 2C A6 7C 86 0A 71 35 C7 68 79|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7655; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36829; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"extendToCustomObject"; fast_pattern:only; content:"|96 02 00 04 02 96 02 00 04 03 69 26|"; content:"|96 0D 00 06 00 00 00 00 00 00 00 00 04 02 08 06|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7655; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36828; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"extendToCustomObject"; fast_pattern:only; content:"|96 02 00 04 02 96 02 00 04 03 69 26|"; content:"|96 0D 00 06 00 00 00 00 00 00 00 00 04 02 08 06|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7655; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36827; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player attachsound use-after-free attempt"; flow:to_server,established; file_data; 
content:"|1F C5 2A 57 73 F4 CF 7E 5A 7D 94 30 D3 C5 5C D7 C9 3A CE CB CC BB A2 5E 28 31 AC 77 9E D2 4F C4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7654; classtype:attempted-user; sid:36864; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player attachsound use-after-free attempt"; flow:to_client,established; file_data; content:"|1F C5 2A 57 73 F4 CF 7E 5A 7D 94 30 D3 C5 5C D7 C9 3A CE CB CC BB A2 5E 28 31 AC 77 9E D2 4F C4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7654; classtype:attempted-user; sid:36863; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player attachsound use-after-free attempt"; flow:to_server,established; file_data; content:"|96 02 00 08 0E 8E 08 00 00 00 00 03 2A 01 96 00 96 0B 00 06 00 00 00 00 00 00 00 00 08 08 1C 96 02 00 08 0F 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7654; classtype:attempted-user; sid:36862; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player attachsound use-after-free attempt"; flow:to_client,established; file_data; content:"|96 02 00 08 0E 8E 08 00 00 00 00 03 2A 01 96 00 96 0B 00 06 00 00 00 00 00 00 00 00 08 08 1C 96 02 00 08 0F 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7654; classtype:attempted-user; sid:36861; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_server,established; file_data; 
content:"|A1 FC A2 BF 67 5B 5F 28 C1 17 3D 9F 10 72 A0 DE 23 EA 0B BE CB 4C 49 BF 35 01 D1 B6 B2 1D 54 C6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7645; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; classtype:attempted-user; sid:36860; rev:2;)
# sid:36859 -- to_client counterpart of sid:36860 (the SMTP rule ending on the line
# above): the same 32-byte content is the only match and is used as fast_pattern:only.
# Neither rule is gated on the file.swf flowbit.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_client,established; file_data; content:"|A1 FC A2 BF 67 5B 5F 28 C1 17 3D 9F 10 72 A0 DE 23 EA 0B BE CB 4C 49 BF 35 01 D1 B6 B2 1D 54 C6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7645; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; classtype:attempted-user; sid:36859; rev:2;)
# sid:36858 -- string variant for CVE-2015-7645, SMTP direction (to_server, port 25).
# Requires the file.swf flowbit, then three contents with no relative modifiers, so
# they may appear anywhere in the buffer and in any order: "_SafeStr_" (case-sensitive,
# fast pattern), "writeExternal" (nocase) and "ololo" (nocase).
# NOTE(review): "_SafeStr_" and "ololo" look like identifiers taken from one
# particular sample rather than anything the vulnerability itself requires, so this
# rule is presumably sample-specific -- verify coverage against other variants
# before relying on it as the only detection for this CVE.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"_SafeStr_"; fast_pattern:only; content:"writeExternal"; nocase; content:"ololo"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7645; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; classtype:attempted-user; sid:36858; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt"; flow:to_client,established; file_data; content:"|6E 95 2F 3B 41 F2 3A 06 2B B0 64 62 8C 4B ED AB 2C 4E 20 0C DC FD 47 70 79 DA B3 01 EE 10 B4 E0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service 
pop3; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:36883; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt"; flow:to_server,established; file_data; content:"|D6 10 09 00 00 09 D1 2D 01 4F 05 01 C2 02 D2 25 80 10 15 EF FF FF 60 06 66 07 D0 66 08 66 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:36882; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt"; flow:to_server,established; file_data; content:"|6E 95 2F 3B 41 F2 3A 06 2B B0 64 62 8C 4B ED AB 2C 4E 20 0C DC FD 47 70 79 DA B3 01 EE 10 B4 E0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:36881; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt"; flow:to_client,established; file_data; content:"|D6 10 09 00 00 09 D1 2D 01 4F 05 01 C2 02 D2 25 80 10 15 EF FF FF 60 06 66 07 D0 66 08 66 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:36880; rev:1;) alert tcp $EXTERNAL_NET any -> 
$SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SWF buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"nextNameIndex"; fast_pattern; content:"|12 34 00 00 60 05 F0 1E 24 0A AD F0 1E|"; distance:1; content:"|12 07 00 00 F0 2D 24 01 48 F0 2F 24 00 48|"; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0327; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:36879; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SWF buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"nextNameIndex"; fast_pattern; content:"|12 34 00 00 60 05 F0 1E 24 0A AD F0 1E|"; distance:1; content:"|12 07 00 00 F0 2D 24 01 48 F0 2F 24 00 48|"; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0327; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:36878; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"atomicCompareAndSwapLength"; nocase; content:"casi32"; within:40; nocase; content:"|08 61 04 60 05 66 06 D1 61 07 D1 25 80 08 24 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:36876; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; 
flow:to_client,established; flowbits:isset,file.swf; file_data; content:"atomicCompareAndSwapLength"; nocase; content:"casi32"; within:40; nocase; content:"|08 61 04 60 05 66 06 D1 61 07 D1 25 80 08 24 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:36875; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS2 valueOf function assignment with removeTextField use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"toString"; content:"createTextField"; fast_pattern:only; content:"_global"; content:"valueOf"; within:120; content:"removeTextField"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7657; reference:cve,2015-8447; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:36874; rev:5;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS2 valueOf function assignment with removeTextField use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"toString"; content:"createTextField"; fast_pattern:only; content:"_global"; content:"valueOf"; within:120; content:"removeTextField"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7657; reference:cve,2015-8447; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; 
classtype:attempted-user; sid:36873; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt"; flow:to_server,established; file_data; content:"|5D 0D 66 0D 66 0E D0 66 18 46 15 01 29 F0 2E D0 66 18 2D 02 61 19 F0 30 5D 1A D0 66 1B 24 32 46 1A 02 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7663; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36898; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt"; flow:to_client,established; file_data; content:"|5D 0D 66 0D 66 0E D0 66 18 46 15 01 29 F0 2E D0 66 18 2D 02 61 19 F0 30 5D 1A D0 66 1B 24 32 46 1A 02 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7663; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:36897; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DisplacementMapFilter mapBitmap use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"tabStops"; nocase; content:"dmf|00|mapBitmap"; within:20; fast_pattern; content:"display|00|BitmapData"; within:50; nocase; content:"DisplacementMapFilter"; within:100; nocase; content:"TextFormat"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8448; classtype:attempted-user; sid:37116; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DisplacementMapFilter mapBitmap use after free attempt"; 
flow:to_client,established; flowbits:isset,file.swf; file_data; content:"tabStops"; nocase; content:"dmf|00|mapBitmap"; within:20; fast_pattern; content:"display|00|BitmapData"; within:50; nocase; content:"DisplacementMapFilter"; within:100; nocase; content:"TextFormat"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8448; classtype:attempted-user; sid:37115; rev:2;)
# sid:37114 -- byte-signature variant for CVE-2015-8418, SMTP direction.
# Gated on the file.swf flowbit; the single 16-byte content is fast_pattern:only.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PCRE parsing out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|6D AA 6D 3C 8D DE CE F3 A8 46 CC 78 3F 7E 5B 7E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,78710; reference:cve,2015-8418; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37114; rev:2;)
# sid:37113 -- structural variant for CVE-2015-8418, SMTP direction.
# "FWS" at depth:3 anchors on the uncompressed SWF signature at the start of the
# file_data buffer; "RegExp" is the fast pattern; the rule then fires when an
# occurrence of the named-group opener "?P<" is not followed by ">" within the next
# 50 bytes (content:!">"; within:50).
# NOTE(review): because of the "FWS" anchor, a compressed SWF can only match if it
# has been decompressed before file_data is evaluated, and a mail attachment only if
# it has been decoded -- confirm both are enabled in the preprocessor configuration
# for the services this rule and its to_client sibling cover.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PCRE parsing out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"FWS"; depth:3; content:"RegExp"; fast_pattern:only; content:"?P<"; content:!">"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,78710; reference:cve,2015-8418; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37113; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PCRE parsing out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|6D AA 6D 3C 8D DE CE F3 A8 46 CC 78 3F 7E 5B 7E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service 
ftp-data, service http, service imap, service pop3; reference:bugtraq,78710; reference:cve,2015-8418; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37112; rev:2;)
# sid:37111 - PCRE parsing out of bounds read (CVE-2015-8418), client-bound file variant.
# Fires only when the file.swf flowbit is already set (nothing in this part of the file
# sets it) and file_data starts with "FWS". "RegExp" is the fast pattern; "?P<" is searched
# from the start of the buffer (no relative modifier), and the negated ">" must be absent
# from the 50 bytes that follow it.
# NOTE(review): "FWS" is the uncompressed SWF signature; a compressed SWF presumably
# matches only if the sensor decompresses it before file_data is filled - confirm the
# sensor's decompression settings.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PCRE parsing out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FWS"; depth:3; content:"RegExp"; fast_pattern:only; content:"?P<"; content:!">"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,78710; reference:cve,2015-8418; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37111; rev:3;)
# sid:37110 / sid:37109 - selection.setFocus use after free (CVE-2015-8437): the same
# 32-byte content, first for SMTP to_server on port 25, then for client-bound file data.
# Both are gated on file.swf and the single byte run is the whole match (fast_pattern:only).
# NOTE(review): presumably a byte run taken from one sample; a re-encoded file would not
# match - treat as sample-specific coverage rather than a generic check.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|37 85 73 9D 08 B1 A8 55 13 4D 2B 2E 78 6B D3 93 5C CC BA 09 72 43 27 39 64 25 77 AF F8 5C 2E F9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8437; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37110; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|37 85 73 9D 08 B1 A8 55 13 4D 2B 2E 78 6B D3 93 5C CC BA 09 72 43 27 39 64 25 77 AF F8 5C 2E F9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8437; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; 
classtype:attempted-user; sid:37109; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 07 00 07 01 00 00 00 08 14 1C 96 02 00 08 15 52 17|"; fast_pattern:only; content:"|3C 96 05 00 07 00 00 00 00|"; content:"|52 17 99 02 00 C3 FF|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8437; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37108; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 07 00 07 01 00 00 00 08 14 1C 96 02 00 08 15 52 17|"; fast_pattern:only; content:"|3C 96 05 00 07 00 00 00 00|"; content:"|52 17 99 02 00 C3 FF|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8437; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37107; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MovieClip object use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|31 FC 73 F9 C8 C3 0D E4 FB 54 DE 70 E4 D2 AB 6C 3A 2B A7 E4 D3 96 ED 58 F2 86 96 DD 56 6E FA 8E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8449; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37106; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player 
MovieClip object use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|31 FC 73 F9 C8 C3 0D E4 FB 54 DE 70 E4 D2 AB 6C 3A 2B A7 E4 D3 96 ED 58 F2 86 96 DD 56 6E FA 8E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8449; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37105; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MovieClip object use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|07 00 00 01 00 08 0F 07 06 00 00 00 04 01 08 10 4E 96 02 00 08 11 52 17 96 0B 00 06 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8449; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37104; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MovieClip object use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|07 00 00 01 00 08 0F 07 06 00 00 00 04 01 08 10 4E 96 02 00 08 11 52 17 96 0B 00 06 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8449; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37103; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SoundURLStream memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"SoundLoaderContext"; nocase; content:"URLRequest"; within:20; nocase; 
content:"close http://"; within:40; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,78710; reference:cve,2015-8408; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37095; rev:2;)
# sid:37094 - SoundURLStream memory corruption (CVE-2015-8408), SMTP to_server on port 25.
# Single 32-byte content with fast_pattern:only and no file.swf flowbit check, so the rule
# is not restricted to flows already tagged as SWF.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SoundURLStream memory corruption attempt"; flow:to_server,established; file_data; content:"|24 2D C8 B2 43 43 C1 31 7C 7B 81 5A DF 9C 73 33 53 15 06 22 98 1D A1 CB 4E 80 06 FC F5 96 53 3A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,78710; reference:cve,2015-8408; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37094; rev:2;)
# sid:37093 - same CVE, client-bound file variant of the string-based check.
# Requires file.swf, then three case-insensitive strings in sequence: "SoundLoaderContext",
# "URLRequest" inside the 20 bytes after it, and "close http://" inside the 40 bytes after
# that. No fast_pattern is named, so the engine chooses one.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SoundURLStream memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"SoundLoaderContext"; nocase; content:"URLRequest"; within:20; nocase; content:"close http://"; within:40; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,78710; reference:cve,2015-8408; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37093; rev:2;)
# sid:37092 - client-bound counterpart of sid:37094 (same 32-byte content, no flowbit).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SoundURLStream memory corruption attempt"; flow:to_client,established; file_data; content:"|24 2D C8 B2 43 43 C1 31 7C 7B 81 5A DF 9C 73 33 53 15 06 22 98 1D A1 CB 4E 80 06 FC F5 96 53 3A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; 
reference:bugtraq,78710; reference:cve,2015-8408; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37092; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|EE FD 29 15 EB 0A 35 03 C7 D0 F3 7E 31 DC 58 DA B1 86 26 F4 C0 B5 12 EC 94 CC 77 12 E1 BA 76 E0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8436; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37091; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|EE FD 29 15 EB 0A 35 03 C7 D0 F3 7E 31 DC 58 DA B1 86 26 F4 C0 B5 12 EC 94 CC 77 12 E1 BA 76 E0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8436; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37090; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1C 96 02 00 08 0A 52 17 96 02 00 08 06 1C 3E 96 0B 00 08 0B 07 03 00 00 00 04 02 08 0C 52 17 99|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8436; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37089; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any 
(msg:"FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1C 96 02 00 08 0A 52 17 96 02 00 08 06 1C 3E 96 0B 00 08 0B 07 03 00 00 00 04 02 08 0C 52 17 99|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8436; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37088; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player byte array memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|F3 EA AC F1 BA 77 7E FE C3 D9 1B 03 2C 4A 7C CB A9 C7 28 FF 25 9F 80 67 D2 F5 F5 F5 BB BC CC 4B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8060; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37086; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byte array memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|F3 EA AC F1 BA 77 7E FE C3 D9 1B 03 2C 4A 7C CB A9 C7 28 FF 25 9F 80 67 D2 F5 F5 F5 BB BC CC 4B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8060; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37085; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player byte array memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"obj|09|ByteArray"; fast_pattern:only; content:"|4A 
01 00 80 01 D5|"; content:"|D1 46 04 01 29 F0 14|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8060; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37084; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byte array memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"obj|09|ByteArray"; fast_pattern:only; content:"|4A 01 00 80 01 D5|"; content:"|D1 46 04 01 29 F0 14|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8060; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37083; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player String length heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|C7 31 4C 3E B4 78 96 A0 3D 1C 2A D3 5F E4 F3 57 5A 26 05 56 0C 02 F5 5A ED 2B C3 17 8F 12 AF EE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8438; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37082; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player String length heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|C7 31 4C 3E B4 78 96 A0 3D 1C 2A D3 5F E4 F3 57 5A 26 05 56 0C 02 F5 5A ED 2B C3 17 8F 12 AF EE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8438; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37081; rev:2;)
# sid:37080 / sid:37079 - String length heap buffer overflow (CVE-2015-8438), bytecode
# variant: first for SMTP to_server on port 25, then for client-bound file data.
# file_data must start with "FWS". The four byte strings carry no distance/within, so each
# may appear anywhere in the buffer and in any order; the last one is the fast pattern.
# NOTE(review): the |96 05 00 07 ...| runs look like AVM1 push-integer actions carrying
# 0x40000000 and 0x20000000 (little-endian) - confirm against the SWF specification.
# NOTE(review): there is no file.swf flowbit check; the "FWS" depth:3 test stands in for
# it and presumably limits the rule to uncompressed or sensor-decompressed SWF - confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player String length heap buffer overflow attempt"; flow:to_server,established; file_data; content:"FWS"; depth:3; content:"|96 05 00 07 00 00 00 40|"; content:"|96 05 00 07 00 00 00 20|"; content:"|96 04 00 04 04 04 04 47 87 01 00 04|"; content:"|96 04 00 04 05 04 05 47 87 01 00 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8438; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37080; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player String length heap buffer overflow attempt"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"|96 05 00 07 00 00 00 40|"; content:"|96 05 00 07 00 00 00 20|"; content:"|96 04 00 04 04 04 04 47 87 01 00 04|"; content:"|96 04 00 04 05 04 05 47 87 01 00 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8438; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37079; rev:2;)
# sid:37076 - ShaderParameter integer overflow (CVE-2015-8445), SMTP to_server on port 25.
# Gated on file.swf; "MainTimeline_PixelShader" is the fast pattern and the 18-byte run
# may appear anywhere in file_data (no relative modifier).
# NOTE(review): "MainTimeline_PixelShader" looks like a name from one sample - confirm
# how much of the CVE this string-keyed variant is expected to cover.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"MainTimeline_PixelShader"; fast_pattern:only; content:"|66 0B 66 19 66 1A 5D 1B 24 01 2D 01 4A 1B 02 61 1C D0|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8445; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37076; 
rev:3;)
# sid:37075 / sid:37074 - ShaderParameter integer overflow (CVE-2015-8445), SMTP to_server
# on port 25: two different 32-byte contents, each a single fast_pattern:only match with
# no file.swf flowbit check.
# NOTE(review): both list "service ftp-data, service smtp", while the other port-25 rules
# in this part of the file list only "service smtp" - confirm ftp-data is intended here.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt"; flow:to_server,established; file_data; content:"|71 86 B4 6F E2 C6 45 65 03 0C 99 9A D9 F0 88 03 DF 30 2C 40 FC D5 EE 89 57 B6 6D C7 40 1B AB 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2015-8445; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37075; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt"; flow:to_server,established; file_data; content:"|33 CB EC F2 76 7C 3A 4F 89 98 90 99 DA CC 53 D0 25 8A 24 B7 69 62 08 5B 16 84 1F C0 76 31 55 6E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2015-8445; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37074; rev:3;)
# sid:37073 - same CVE, client-bound file variant of the string-keyed check: gated on
# file.swf, "MainTimeline_PixelShader" as fast pattern, plus an 18-byte run anywhere in
# file_data (no relative modifier).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"MainTimeline_PixelShader"; fast_pattern:only; content:"|66 0B 66 19 66 1A 5D 1B 24 01 2D 01 4A 1B 02 61 1C D0|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8445; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37073; rev:3;)
# sid:37072 - client-bound counterpart of sid:37075 (same 32-byte content, no flowbit).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt"; flow:to_client,established; file_data; content:"|71 86 B4 6F E2 C6 45 65 03 0C 99 9A D9 F0 88 03 DF 30 2C 40 FC 
D5 EE 89 57 B6 6D C7 40 1B AB 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8445; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37072; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt"; flow:to_client,established; file_data; content:"|33 CB EC F2 76 7C 3A 4F 89 98 90 99 DA CC 53 D0 25 8A 24 B7 69 62 08 5B 16 84 1F C0 76 31 55 6E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8445; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37071; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt"; flow:to_server,established; file_data; content:"|07 01 00 00 00 08 0A 07 06 00 00 00 08 17 3D 3C 96 02 00 08 02 1C 96 04 00 08 03 08 16 1C 96 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8442; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37070; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt"; flow:to_client,established; file_data; content:"|07 01 00 00 00 08 0A 07 06 00 00 00 08 17 3D 3C 96 02 00 08 02 1C 96 04 00 08 03 08 16 1C 96 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8442; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37069; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SetSlot type confusion attempt"; flow:to_server,established; file_data; content:"|02 D0 B2 7F 7F B6 A0 02 FC 0D D3 0D 50 12 AB 30 BB 94 E4 E1 9E A0 28 4B CA 72 FA ED 34 09 CA CA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37145; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SetSlot type confusion attempt"; flow:to_client,established; file_data; content:"|02 D0 B2 7F 7F B6 A0 02 FC 0D D3 0D 50 12 AB 30 BB 94 E4 E1 9E A0 28 4B CA 72 FA ED 34 09 CA CA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37144; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SetSlot type confusion attempt"; flow:to_server,established; file_data; content:"|3D 17 96 02 00 08 0E 1C 96 09 00 08 0D 07 02 00 00 00 08 07 1C 96 02 00 08 0F 52 17 96 0B 00 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37143; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SetSlot type confusion attempt"; flow:to_client,established; file_data; content:"|3D 17 96 02 00 08 0E 1C 96 09 00 08 0D 07 
02 00 00 00 08 07 1C 96 02 00 08 0F 52 17 96 0B 00 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37142; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS2 setTransform use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|78 F4 69 43 17 41 B7 0D 6D 04 ED 36 20 04 A8 0D 06 70 71 F0 71 30 4D 30 FC 10 44 10 68 C3 E1 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8447; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37129; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS2 setTransform use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|78 F4 69 43 17 41 B7 0D 6D 04 ED 36 20 04 A8 0D 06 70 71 F0 71 30 4D 30 FC 10 44 10 68 C3 E1 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8447; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37128; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt"; flow:to_server,established; file_data; content:"ID3"; depth:3; content:"COMM"; distance:0; content:!"E"; within:1; nocase; byte_test:4,>,50000,0,relative,big; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,78712; 
reference:cve,2015-8446; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37126; rev:3;)
# sid:37125 - MP3 ID3 data parsing heap buffer overflow (CVE-2015-8446), client-bound
# file variant. There is no file.swf check: file_data must start with "ID3" and contain
# "COMM" later, the byte right after "COMM" must not be "E" or "e", and the 4 bytes after
# "COMM", read as a big-endian integer, must exceed 50000.
# NOTE(review): presumably those 4 bytes are the COMM frame size. ID3v2.4 stores frame
# sizes as syncsafe integers, which a raw comparison would over-read - confirm whether
# large but legitimate comment frames cause false positives.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt"; flow:to_client,established; file_data; content:"ID3"; depth:3; content:"COMM"; distance:0; content:!"E"; within:1; nocase; byte_test:4,>,50000,0,relative,big; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,78712; reference:cve,2015-8446; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37125; rev:3;)
# sid:37124 - same CVE, SMTP to_server on port 25, SWF-side check: gated on file.swf,
# needs "addEventListener" and "URLrequest" (both case-insensitive, anywhere in the
# buffer), "Main/onID3" as the fast pattern, and ".mp3" inside the 50 bytes after
# "URLrequest".
# NOTE(review): "Main/onID3" looks tied to one sample's handler naming; a differently
# named handler would not match - confirm coverage expectations.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"addEventListener"; nocase; content:"Main/onID3"; fast_pattern:only; content:"URLrequest"; nocase; content:".mp3"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,78712; reference:cve,2015-8446; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37124; rev:2;)
# sid:37123 - same CVE, SMTP to_server on port 25, single 32-byte content, no flowbit.
# NOTE(review): this rule and its client-bound twin sid:37121 omit fast_pattern:only,
# which the other single-content byte rules in this part of the file carry. With one
# content that is presumably harmless - confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|F7 66 67 57 45 FD 2C 74 F9 DA A5 E6 FE E1 36 D0 26 39 3F 3F 7F 2B 71 10 4A C1 E2 53 BF BC 1D A2|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,78712; reference:cve,2015-8446; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37123; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 
$HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"addEventListener"; nocase; content:"Main/onID3"; fast_pattern:only; content:"URLrequest"; nocase; content:".mp3"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,78712; reference:cve,2015-8446; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37122; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|F7 66 67 57 45 FD 2C 74 F9 DA A5 E6 FE E1 36 D0 26 39 3F 3F 7F 2B 71 10 4A C1 E2 53 BF BC 1D A2|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,78712; reference:cve,2015-8446; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37121; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextField filters use-after-free attempt"; flow:to_server,established; file_data; content:"|D9 DB BC BF 3F 80 F7 4B 58 64 59 70 63 91 E8 8F 51 F2 02 24 E9 01 F6 57 93 5D 90 56 D2 42 5A E0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8450; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37119; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextField filters use-after-free attempt"; flow:to_client,established; file_data; content:"|D9 DB BC BF 3F 80 F7 4B 
58 64 59 70 63 91 E8 8F 51 F2 02 24 E9 01 F6 57 93 5D 90 56 D2 42 5A E0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8450; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37118; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextFormat.tabStops use after free attempt"; flow:to_server,established; file_data; content:"|52 3C 96 02 00 08 31 1C 96 06 00 08 33 08 34 08 35 1C 96 05 00 07 01 00 00 00 43 4F 96 0B 00 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8435; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37194; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextFormat.tabStops use after free attempt"; flow:to_client,established; file_data; content:"|52 3C 96 02 00 08 31 1C 96 06 00 08 33 08 34 08 35 1C 96 05 00 07 01 00 00 00 43 4F 96 0B 00 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8435; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37193; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextFormat.tabStops use after free attempt"; flow:to_server,established; file_data; content:"|96 02 00 08 07 52 17 99 02 00 C8 FF 96 0B 00 06 00 00 00 00 00 00 00 00 08 00 1C 96 02 00 08 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8435; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37192; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextFormat.tabStops use after free attempt"; flow:to_client,established; file_data; content:"|96 02 00 08 07 52 17 99 02 00 C8 FF 96 0B 00 06 00 00 00 00 00 00 00 00 08 00 1C 96 02 00 08 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8435; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37191; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextFormat.tabStops use after free attempt"; flow:to_server,established; file_data; content:"|96 0D 00 06 00 00 00 00 00 00 00 00 04 01 08 01 4E 96 02 00 08 02 52 17 96 09 00 06 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8435; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37190; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextFormat.tabStops use after free attempt"; flow:to_client,established; file_data; content:"|96 0D 00 06 00 00 00 00 00 00 00 00 04 01 08 01 4E 96 02 00 08 02 52 17 96 09 00 06 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8435; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37189; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextFormat.tabStops use after free 
attempt"; flow:to_server,established; file_data; content:"|05 2B A0 D9 3D F2 67 56 3C B5 48 08 6D F0 63 9B E0 AC 78 6A 19 87 D6 E1 04 84 8E B2 F5 59 21 19|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8435; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37188; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextFormat.tabStops use after free attempt"; flow:to_client,established; file_data; content:"|05 2B A0 D9 3D F2 67 56 3C B5 48 08 6D F0 63 9B E0 AC 78 6A 19 87 D6 E1 04 84 8E B2 F5 59 21 19|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8435; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37187; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextFormat.tabStops use after free attempt"; flow:to_server,established; file_data; content:"|B4 C5 76 AF FC B1 94 E5 82 2B BB B5 29 86 ED DE 2B 4A 46 84 AB 6C 3D 3B 37 4A FA 64 4F E0 97 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8435; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37186; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextFormat.tabStops use after free attempt"; flow:to_client,established; file_data; content:"|B4 C5 76 AF FC B1 94 E5 82 2B BB B5 29 86 ED DE 2B 4A 46 84 AB 6C 3D 3B 37 4A FA 64 4F E0 97 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service 
http, service imap, service pop3; reference:cve,2015-8435; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37185; rev:2;)
# CVE-2015-8435 (APSB15-32): TextFormat.tabStops use after free.
# sid:37184 inspects mail sent to $SMTP_SERVERS on port 25 (to_server); sid:37183 inspects files returned to
# $HOME_NET from $FILE_DATA_PORTS (to_client). Both match the same single 32-byte content in file_data.
# NOTE(review): a lone fixed byte string like this presumably comes from one sample. Treat a hit as
# high-confidence, but do not read silence as absence: confirm variant coverage with the other sids for this CVE.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextFormat.tabStops use after free attempt"; flow:to_server,established; file_data; content:"|6C AD 42 DE ED 45 7E 77 52 2F 6E 6E A2 DB 53 55 EA C4 A6 12 E2 68 EC 75 C4 6A 13 4B 99 2A 8F 57|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8435; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37184; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextFormat.tabStops use after free attempt"; flow:to_client,established; file_data; content:"|6C AD 42 DE ED 45 7E 77 52 2F 6E 6E A2 DB 53 55 EA C4 A6 12 E2 68 EC 75 C4 6A 13 4B 99 2A 8F 57|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8435; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37183; rev:2;)
# CVE-2015-8444 (APSB15-32): String null check memory corruption.
# NOTE(review): sid:37182 is written `-> $SMTP_SERVERS any`, while the other to_server rules around it use
# `-> $SMTP_SERVERS 25`. The `service smtp` metadata may make this harmless on sensors that bind rules by
# service; confirm that `any` is intended before relying on the port for tuning or suppression.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"FILE-FLASH Adobe Flash Player String null check memory corruption attempt"; flow:to_server,established; file_data; content:"|D0 30 5E 28 60 4F 68 28 D0 49 00 5E 26 5D 27 D0 4A 27 01 68 26 47 00 00 02 02 01 01 08 25 D0 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8444; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37182; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player String null check memory 
corruption attempt"; flow:to_client,established; file_data; content:"|D0 30 5E 28 60 4F 68 28 D0 49 00 5E 26 5D 27 D0 4A 27 01 68 26 47 00 00 02 02 01 01 08 25 D0 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8444; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37181; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player M3U8 parser logic memory corruption attempt"; flow:to_server,established; file_data; content:"|A1 DA 78 A6 3E 6B 8D 25 71 9E EC E2 B1 EA D2 79 1C 3B 6C 18 5E 10 ED EC 5D 06 22 59 2C B9 E4 25|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8457; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37180; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player M3U8 parser logic memory corruption attempt"; flow:to_server,established; file_data; content:"|2C E9 01 46 BD 01 01 24 00 0F 08 00 00 60 17 66 BE 01 85 63 05 D0 66 16 2C EC 01 D3 A0 2C ED 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8457; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37179; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player M3U8 parser logic memory corruption attempt"; flow:to_client,established; file_data; content:"|A1 DA 78 A6 3E 6B 8D 25 71 9E EC E2 B1 EA D2 79 1C 3B 6C 18 5E 10 ED EC 5D 06 22 59 2C B9 E4 25|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service 
http, service imap, service pop3; reference:cve,2015-8457; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37178; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player M3U8 parser logic memory corruption attempt"; flow:to_client,established; file_data; content:"|2C E9 01 46 BD 01 01 24 00 0F 08 00 00 60 17 66 BE 01 85 63 05 D0 66 16 2C EC 01 D3 A0 2C ED 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8457; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37177; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player heap memory disclosure via custom valueOf handler attempt"; flow:to_server,established; file_data; content:"|1C 96 05 00 07 01 00 00 00 43 3C 96 07 00 07 03 00 00 00 08 32 1C 96 07 00 07 02 00 00 00 08 30 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8414; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-recon; sid:37176; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player heap memory disclosure via custom valueOf handler attempt"; flow:to_client,established; file_data; content:"|1C 96 05 00 07 01 00 00 00 43 3C 96 07 00 07 03 00 00 00 08 32 1C 96 07 00 07 02 00 00 00 08 30 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8414; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-recon; sid:37175; rev:2;) alert tcp $EXTERNAL_NET any 
-> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player heap memory disclosure via custom valueOf handler attempt"; flow:to_server,established; file_data; content:"|8E 08 00 00 00 00 02 29 00 33 00 96 02 00 08 04 1C 96 02 00 08 07 4E 96 07 00 07 01 00 00 00 08 04 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8414; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-recon; sid:37174; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player heap memory disclosure via custom valueOf handler attempt"; flow:to_client,established; file_data; content:"|8E 08 00 00 00 00 02 29 00 33 00 96 02 00 08 04 1C 96 02 00 08 07 4E 96 07 00 07 01 00 00 00 08 04 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8414; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-recon; sid:37173; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player heap memory disclosure via custom valueOf handler attempt"; flow:to_server,established; file_data; content:"|CA 38 A1 04 A4 E8 76 0E BE 1E E6 EB 49 42 CF EF 58 97 02 C3 1C D6 C5 61 D7 09 BD B2 1B AC 17 61|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8414; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-recon; sid:37172; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player heap memory disclosure via custom valueOf handler attempt"; flow:to_client,established; file_data; content:"|CA 38 A1 04 A4 E8 76 0E BE 1E E6 EB 49 42 CF EF 58 97 02 C3 1C D6 C5 
61 D7 09 BD B2 1B AC 17 61|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8414; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-recon; sid:37171; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player heap memory disclosure via custom valueOf handler attempt"; flow:to_server,established; file_data; content:"|B9 50 5B 8D BB CE 82 99 AA 9B 5F E8 C1 46 92 75 56 9C CB 0C D1 65 7E AE 2A E8 55 2E D3 0D 92 AA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8414; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-recon; sid:37170; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player heap memory disclosure via custom valueOf handler attempt"; flow:to_client,established; file_data; content:"|B9 50 5B 8D BB CE 82 99 AA 9B 5F E8 C1 46 92 75 56 9C CB 0C D1 65 7E AE 2A E8 55 2E D3 0D 92 AA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8414; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-recon; sid:37169; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player URLStream use after free attempt"; flow:to_client,established; file_data; content:"|1E 8A 0B F4 6E E9 86 1C 00 6D 52 CD A1 92 94 8A DF EF 57 8F 5E 46 00 F8 91 C7 04 6C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8048; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37168; rev:2;)
# CVE-2015-8048 (APSB15-32): URLStream use after free.
# sid:37167 is the SMTP (to_server) rule for a single fixed byte sequence matched in file_data.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player URLStream use after free attempt"; flow:to_server,established; file_data; content:"|1E 8A 0B F4 6E E9 86 1C 00 6D 52 CD A1 92 94 8A DF EF 57 8F 5E 46 00 F8 91 C7 04 6C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8048; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37167; rev:2;)
# sid:37166 (SMTP, to_server) and sid:37165 (to_client) are the structural rules for the same CVE. They require
# "FWS" within the first 3 bytes of file_data, the length-prefixed strings registerClassAlias, close and
# URLStream, and a 12-byte sequence. The later content matches carry no distance/within, so their order and
# position in the buffer are not constrained.
# NOTE(review): "FWS" is the uncompressed SWF signature, so a compressed file can only match if the sensor
# decompresses it before file_data is filled. Confirm SWF decompression is enabled (e.g. `decompress_swf` in
# http_inspect), otherwise these two rules are presumably blind to compressed delivery.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player URLStream use after free attempt"; flow:to_server,established; file_data; content:"FWS"; depth:3; content:"|12|registerClassAlias"; fast_pattern:only; content:"|05|close"; content:"|09|URLStream"; content:"|64 60 02 41 01 29 60 02 F0 0C 46 03|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8048; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37166; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player URLStream use after free attempt"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"|12|registerClassAlias"; fast_pattern:only; content:"|05|close"; content:"|09|URLStream"; content:"|64 60 02 41 01 29 60 02 F0 0C 46 03|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8048; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37165; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player oversize source bitmap memory corruption attempt"; 
flow:to_server,established; file_data; content:"|24 0A 24 01 26 4A 01 03 80 01 D5 F0 0F 5D 02 24 3C 2F 01 25 80 01 25 80 80 01 4A 02 04 80 02 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8419; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37163; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player oversize source bitmap memory corruption attempt"; flow:to_client,established; file_data; content:"|24 0A 24 01 26 4A 01 03 80 01 D5 F0 0F 5D 02 24 3C 2F 01 25 80 01 25 80 80 01 4A 02 04 80 02 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8419; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37162; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player oversize source bitmap memory corruption attempt"; flow:to_client,established; file_data; content:"|6F FA B7 84 F9 E0 D7 FB 3F 23 00 A4 0D 52 73 0D D4 81 8C 54 80 04 FF 96 0A 97 3B 1F A9 A9 63 BF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8419; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37161; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player oversize source bitmap memory corruption attempt"; flow:to_server,established; file_data; content:"|6F FA B7 84 F9 E0 D7 FB 3F 23 00 A4 0D 52 73 0D D4 81 8C 54 80 04 FF 96 0A 97 3B 1F A9 A9 63 BF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, 
policy security-ips drop, service smtp; reference:cve,2015-8419; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37160; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SharedObject send stack buffer overflow attempt"; flow:to_server,established; file_data; content:"|34 14 E2 10 97 78 2C E4 F6 AA B1 BD A6 A1 59 3E 75 31 6B E3 20 70 6C 03 47 82 CA B4 1A 8E 7C E3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8407; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37159; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SharedObject send stack buffer overflow attempt"; flow:to_server,established; file_data; content:"|2D 01 61 09 D0 66 03 66 0A 20 D0 66 05 4F 0B 02 47 00 00 02 03 01 0A 0B 10 D0 30 D0 49 00 5D 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8407; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37158; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SharedObject send stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|34 14 E2 10 97 78 2C E4 F6 AA B1 BD A6 A1 59 3E 75 31 6B E3 20 70 6C 03 47 82 CA B4 1A 8E 7C E3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8407; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37157; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player 
SharedObject send stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|2D 01 61 09 D0 66 03 66 0A 20 D0 66 05 4F 0B 02 47 00 00 02 03 01 0A 0B 10 D0 30 D0 49 00 5D 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8407; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37156; rev:2;)
# CVE-2015-8446 (APSB15-32, bugtraq 78712): MP3 ID3 data parsing heap buffer overflow.
# Both rules below are to_client only, and each is gated on a flowbit (file.cws / file.swf) that must have been
# set earlier on the same flow by another rule, presumably a file-identification rule outside this section.
# If that setter rule is disabled, these rules can never fire.
# NOTE(review): no SMTP (to_server) counterpart for this CVE is visible in this part of the file; confirm
# whether mail-borne delivery is covered elsewhere.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|1C E0 C6 B8 D8 2A FC 4A C0 7D 50 37 31 CF 2D 65 D9 11 A5 AD 2D C1 AB 0E 88 75 4E EA 37 D6 EF 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,78712; reference:cve,2015-8446; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37150; rev:2;)
# NOTE(review): sid:37149 relies on two short ASCII strings, the 4-byte fast pattern "rthe" and "gerher8x",
# with no positional constraint between them. A 4-byte fast pattern is a weak prefilter, so watch this sid for
# false positives and evaluation cost on file.swf flows, given that the listed policies set it to drop.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"rthe"; fast_pattern:only; content:"gerher8x"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,78712; reference:cve,2015-8446; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:37149; rev:2;)
# CVE-2015-8651 (APSB16-01): AVM domain memory range integer overflow.
# Two fixed byte signatures, each with an SMTP (to_server) and a to_client rule: sids 37198/37196 share one
# content, sids 37197/37195 share the other.
# These four rules also list `policy connectivity-ips drop` in their metadata, which the neighbouring rules do
# not, so they are set to drop under the connectivity-ips policy as well.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AVM domain memory range integer overflow attempt"; flow:to_server,established; file_data; content:"|7E 1E DF 73 6B 95 FE 92 76 E1 D7 E2 17 94 F1 1A FC 72 F5 5B 14 71 62 D9 BE 04 3A E4 5E 23 A5 FC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8651; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37198; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AVM domain memory range integer overflow attempt"; flow:to_server,established; file_data; content:"|2D 01 A0 37 2A 74 D7 24 72 AB 96 2A 11 0C 00 00 29 D1 2D 02 A0 37 2D 03 AB 76 F0 19 12 00 00 00 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8651; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37197; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AVM domain memory range integer overflow attempt"; flow:to_client,established; file_data; content:"|7E 1E DF 73 6B 95 FE 92 76 E1 D7 E2 17 94 F1 1A FC 72 F5 5B 14 71 62 D9 BE 04 3A E4 5E 23 A5 FC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8651; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37196; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AVM domain memory range integer overflow attempt"; flow:to_client,established; file_data; content:"|2D 01 A0 37 2A 74 D7 24 72 AB 96 2A 11 0C 00 00 29 D1 2D 02 A0 37 2D 03 AB 76 F0 19 12 00 00 00 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, 
service ftp-data, service http, service imap, service pop3; reference:cve,2015-8651; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37195; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player canvas out of bounds read attempt"; flow:to_server,established; file_data; content:"|4C 02 5D 4C 60 04 66 4E D0 66 22 4F 4C 02 60 47 D0 66 1D 4F 4F 01 D0 66 1F 4F 50 00 D0 20 68 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8636; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37241; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player canvas out of bounds read attempt"; flow:to_client,established; file_data; content:"|4C 02 5D 4C 60 04 66 4E D0 66 22 4F 4C 02 60 47 D0 66 1D 4F 4F 01 D0 66 1F 4F 50 00 D0 20 68 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8636; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37240; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player object hasOwnProperty use after free attempt"; flow:to_server,established; file_data; content:"|C7 F6 E6 E6 47 86 F7 4C 83 DA B6 71 5D 72 AD 1E DB 25 F3 8E 84 EB 16 36 6C 70 D6 21 50 F3 4A 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8649; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37239; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player object hasOwnProperty use 
after free attempt"; flow:to_server,established; file_data; content:"|96 02 00 08 18 3E 4F 96 0B 00 04 05 07 01 00 00 00 04 04 08 19 52 17 4F 96 0F 00 07 01 00 00 00 02 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8649; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37238; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player object hasOwnProperty use after free attempt"; flow:to_client,established; file_data; content:"|C7 F6 E6 E6 47 86 F7 4C 83 DA B6 71 5D 72 AD 1E DB 25 F3 8E 84 EB 16 36 6C 70 D6 21 50 F3 4A 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8649; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37237; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player object hasOwnProperty use after free attempt"; flow:to_client,established; file_data; content:"|96 02 00 08 18 3E 4F 96 0B 00 04 05 07 01 00 00 00 04 04 08 19 52 17 4F 96 0F 00 07 01 00 00 00 02 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8649; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37236; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player getBounds method use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 10 1C 3E 96 0B 00 08 12 07 03 00 00 00 04 04 08 13 52 17 96 0B 00 08 12 07 01 00|"; fast_pattern:only; metadata:policy 
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8638; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37232; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player getBounds method use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 10 1C 3E 96 0B 00 08 12 07 03 00 00 00 04 04 08 13 52 17 96 0B 00 08 12 07 01 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8638; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37231; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MovieClip method use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 04 1C 96 0B 00 04 03 07 00 00 00 00 04 02 08 07 52 96 04 00 08 08 04 03 47 96 09 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8639; reference:cve,2016-7862; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-user; sid:37230; rev:5;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MovieClip method use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08 04 1C 96 0B 00 04 03 07 00 00 00 00 04 02 08 07 52 96 04 00 08 08 04 03 47 96 09 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service 
pop3; reference:cve,2015-8639; reference:cve,2016-7862; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-user; sid:37229; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player overly large bitmap integer overflow attempt"; flow:to_server,established; file_data; content:"|D0 66 0A 82 D6 10 0E 00 00 D0 30 5A 00 2A D7 2A 30 2B 6D 01 1D 08 03 D0 D2 2C 22 46 18 01 61 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8460; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37224; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player overly large bitmap integer overflow attempt"; flow:to_client,established; file_data; content:"|D0 66 0A 82 D6 10 0E 00 00 D0 30 5A 00 2A D7 2A 30 2B 6D 01 1D 08 03 D0 D2 2C 22 46 18 01 61 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8460; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37223; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Date with invalid parameter toTimeString attempt"; flow:to_server,established; file_data; content:"|A0 1F 5D 03 24 00 2A 60 04 66 05 24 00 2A 2A 24 00 4A 03 07 80 03 63 A1 1F 62 A1 1F 4F 06 00 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8645; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37221; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS 
-> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Date with invalid parameter toTimeString attempt"; flow:to_client,established; file_data; content:"|A0 1F 5D 03 24 00 2A 60 04 66 05 24 00 2A 2A 24 00 4A 03 07 80 03 63 A1 1F 62 A1 1F 4F 06 00 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8645; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37220; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MovieClip setMask use after free attempt"; flow:to_server,established; file_data; content:"|96 0B 00 08 11 07 01 00 00 00 04 04 08 13 52 17 96 09 00 08 14 07 01 00 00 00 08 15 1C 96 02 00 08 16|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8648; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37219; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MovieClip setMask use after free attempt"; flow:to_server,established; file_data; content:"|1F 81 E0 85 9C 50 D7 BB A5 72 30 A1 FF 30 1C 08 0C C2 38 46 B3 D7 13 4A A7 3F 8F C3 28 47 C1 C0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8648; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37218; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MovieClip setMask use after free attempt"; flow:to_client,established; file_data; content:"|96 0B 00 08 11 07 01 00 00 00 04 04 08 13 52 17 96 09 00 08 14 07 01 00 00 00 08 15 1C 96 02 00 08 16|"; fast_pattern:only; metadata:policy balanced-ips 
drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8648; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37217; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MovieClip setMask use after free attempt"; flow:to_client,established; file_data; content:"|1F 81 E0 85 9C 50 D7 BB A5 72 30 A1 FF 30 1C 08 0C C2 38 46 B3 D7 13 4A A7 3F 8F C3 28 47 C1 C0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8648; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37216; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player LoadVars decode use after free attempt"; flow:to_server,established; file_data; content:"|96 0D 00 04 05 04 04 07 02 00 00 00 04 06 08 1A 4E 96 02 00 08 17 52 17 4F 96 0F 00 07 01 00 00 00 02 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8650; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37211; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player LoadVars decode use after free attempt"; flow:to_server,established; file_data; content:"|2E 0F 87 7E C0 53 F9 9C 27 68 8B 3C F0 04 67 92 EF 47 89 1C CF 90 10 F1 08 52 80 9E 14 C3 91 0F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8650; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37210; rev:2;) alert tcp $EXTERNAL_NET 
$FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player LoadVars decode use after free attempt"; flow:to_client,established; file_data; content:"|96 0D 00 04 05 04 04 07 02 00 00 00 04 06 08 1A 4E 96 02 00 08 17 52 17 4F 96 0F 00 07 01 00 00 00 02 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8650; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37209; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player LoadVars decode use after free attempt"; flow:to_client,established; file_data; content:"|2E 0F 87 7E C0 53 F9 9C 27 68 8B 3C F0 04 67 92 EF 47 89 1C CF 90 10 F1 08 52 80 9E 14 C3 91 0F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8650; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37208; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player object.addProperty method use after free attempt"; flow:to_server,established; file_data; content:"|53 26 E7 B6 75 94 2F C2 61 85 73 D1 6F 53 BD 2F 33 DD 74 C9 21 E0 B5 A6 94 ED F2 E5 3D 5D CA 2D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8640; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37206; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player object.addProperty method use after free attempt"; flow:to_client,established; file_data; content:"|53 26 E7 B6 75 94 2F C2 61 85 73 D1 6F 53 BD 2F 33 DD 74 C9 21 E0 B5 A6 
94 ED F2 E5 3D 5D CA 2D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8640; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37205; rev:2;)
# object.addProperty use after free (CVE-2015-8640): sid 37204 (SMTP, to_server) and sid 37203 (file download, to_client).
# Both require the file.swf flowbit and three byte patterns in file_data: the first is the fast pattern,
# the second may match anywhere in the buffer, the third anywhere after the second (distance:0).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player object.addProperty method use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 0B 00 04 05 07 03 00 00 00 04 04 08 19|"; fast_pattern:only; content:"|96 04 00 04 05 08 11|"; content:"|96 02 00 08 12|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8640; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37204; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player object.addProperty method use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 0B 00 04 05 07 03 00 00 00 04 04 08 19|"; fast_pattern:only; content:"|96 04 00 04 05 08 11|"; content:"|96 02 00 08 12|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8640; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37203; rev:2;)
# NOTE(review): sid 37202 and sid 37201 (ASSetPropFlags, CVE-2015-8646) are the only rules in this group with no
# file_data; option and no flowbits:isset,file.swf check, so the single content is not tied to the decoded file
# buffer. A base64-encoded mail attachment or a compressed HTTP body would presumably not expose these raw bytes
# to the match. Confirm whether the omission is intentional before counting on these two rules for coverage.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Standalone Player ASSetPropFlags use after free attempt"; flow:to_server,established; content:"|08 15 52 17 96 07 00 07 01 00 00 00 08 0D 1C 96 03 00 02 08 05 1C 96 07 00 07 04 00 00 00 08 16|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8646; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37202; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Standalone Player ASSetPropFlags use after free attempt"; flow:to_client,established; content:"|08 15 52 17 96 07 00 07 01 00 00 00 08 0D 1C 96 03 00 02 08 05 1C 96 07 00 07 04 00 00 00 08 16|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8646; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37201; rev:3;)
# Multiple script render display use after free (CVE-2015-8635), sid 37200 / sid 37199: one fast_pattern:only byte
# pattern searched in file_data. There is no file.swf flowbit check, so the file type is not verified first.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player multiple script render display use after free attempt"; flow:to_server,established; file_data; content:"|96 09 00 07 02 00 00 00 04 03 08 06 52 1D 96 02 00 08 01 1C 96 07 00 08 07 07 68 01 00 00 30 4F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8635; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37200; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player multiple script render display use after free attempt"; flow:to_client,established; file_data; content:"|96 09 00 07 02 00 00 00 04 03 08 06 52 1D 96 02 00 08 01 1C 96 07 00 08 07 07 68 01 00 00 30 4F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8635; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37199; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player 
improper display list handling memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|60 01 24 01 A0 5E 01 2B 61 01 10 12 00 00 D0 30 5A 00 2A D7 2A 30 2B 6D 01 1D 08 03 10 84 01 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8459; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37256; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|60 01 24 01 A0 5E 01 2B 61 01 10 12 00 00 D0 30 5A 00 2A D7 2A 30 2B 6D 01 1D 08 03 10 84 01 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8459; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37254; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt"; flow:to_server,established; file_data; content:"|92 CC AE 19 37 BF FF D4 C3 9E F5 9C D4 E9 16 ED 62 FB 55 B3 DF 1A B4 9B C7 1D A8 70 9C 97 0F D8 3C 57 B3 CC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8643; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37252; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt"; flow:to_server,established; file_data; content:"|58 2F C1 C4 AE 39 FA 7D D2 FB 4F 3C 1C 5A CF D4 72 B6 A3 6E 5D FB 65 B3 DF 1A B4 9B 67 1D C8 30 CA CB 97 6B|"; fast_pattern:only; 
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8641; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37251; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt"; flow:to_server,established; file_data; content:"|0F 9F 7B D8 B3 5E D2 72 BA 45 B7 AE FD A6 D9 6F 0D DA CD E3 0E 54 38 CE CB C7 6A 9E A6 B9 B6 FA AE 7A D5 35|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8642; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37250; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt"; flow:to_client,established; file_data; content:"|92 CC AE 19 37 BF FF D4 C3 9E F5 9C D4 E9 16 ED 62 FB 55 B3 DF 1A B4 9B C7 1D A8 70 9C 97 0F D8 3C 57 B3 CC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8643; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37249; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt"; flow:to_client,established; file_data; content:"|58 2F C1 C4 AE 39 FA 7D D2 FB 4F 3C 1C 5A CF D4 72 B6 A3 6E 5D FB 65 B3 DF 1A B4 9B 67 1D C8 30 CA CB 97 6B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8641; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; 
classtype:attempted-user; sid:37248; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt"; flow:to_client,established; file_data; content:"|0F 9F 7B D8 B3 5E D2 72 BA 45 B7 AE FD A6 D9 6F 0D DA CD E3 0E 54 38 CE CB C7 6A 9E A6 B9 B6 FA AE 7A D5 35|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8642; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37247; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SimpleButton constructor type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"addFrameScript"; fast_pattern:only; content:"Font"; nocase; content:"SimpleButton"; within:200; nocase; content:"trace"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8644; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37353; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SimpleButton constructor type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"addFrameScript"; fast_pattern:only; content:"Font"; nocase; content:"SimpleButton"; within:200; nocase; content:"trace"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8644; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37352; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player invalid 
parent pointer use after free attempt"; flow:to_server,established; file_data; content:"|5E D3 01 D0 68 D3 01 5E B4 01 60 D3 01 66 F3 03 68 B4 01 D0 66 F4 03 60 0D 66 F5 03 60 AE 01 4F C1 03 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8634; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37351; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid parent pointer use after free attempt"; flow:to_client,established; file_data; content:"|5E D3 01 D0 68 D3 01 5E B4 01 60 D3 01 66 F3 03 68 B4 01 D0 66 F4 03 60 0D 66 F5 03 60 AE 01 4F C1 03 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8634; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37350; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|35 24 8A ED 34 19 DC 68 C0 31 DB 2B 09 0C 71 2E DD C4 DF 09 BE EF 1A 50 C6 EE 68 FA 22 63 80 CE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8459; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37347; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|01 24 01 A0 5E 01 2B 61 01 10 12 00 00 D0 30 5A 00 2A D7 2A 30 2B 6D 01 1D 08 03 10 84 01 00 10|"; fast_pattern:only; 
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8459; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37346; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|35 24 8A ED 34 19 DC 68 C0 31 DB 2B 09 0C 71 2E DD C4 DF 09 BE EF 1A 50 C6 EE 68 FA 22 63 80 CE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8459; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37345; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|01 24 01 A0 5E 01 2B 61 01 10 12 00 00 D0 30 5A 00 2A D7 2A 30 2B 6D 01 1D 08 03 10 84 01 00 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8459; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-01.html; classtype:attempted-user; sid:37344; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt"; flow:to_server,established; file_data; content:"|24 00 61|"; content:"|24 64 2C|"; within:15; content:"|27 24 02 46|"; within:4; distance:1; byte_extract:2,0,loadPCM,relative; content:"|27 24 02 46|"; within:100; byte_test:2,=,loadPCM,0,relative; content:"|30 5A 00 2A|"; within:30; content:"|2A 30 2B 6D 01|"; within:10; 
fast_pattern; content:"|24 01 24 00 46|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0984; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37653; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt"; flow:to_client,established; file_data; content:"|24 00 61|"; content:"|24 64 2C|"; within:15; content:"|27 24 02 46|"; within:4; distance:1; byte_extract:2,0,loadPCM,relative; content:"|27 24 02 46|"; within:100; byte_test:2,=,loadPCM,0,relative; content:"|30 5A 00 2A|"; within:30; content:"|2A 30 2B 6D 01|"; within:10; fast_pattern; content:"|24 01 24 00 46|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0984; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37652; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_server,established; file_data; content:"|47 00 00 01 06 08 09 0A CB 0D D0 30 20 85 D5 21 82 D6 24 00 74 D7 24 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:37645; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_client,established; file_data; content:"|47 00 00 01 06 08 09 0A CB 0D D0 30 20 85 D5 21 82 D6 24 00 74 D7 24 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy 
connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:37644; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"TextElement|04|bps2"; fast_pattern:only; content:"|24 00 D5 D0 49 00|"; content:"|66 20 24 62 61 23|"; content:"|66 15 2D 05 4F 18 01|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:37641; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; file_data; content:"|6F 5B 02 12 14 91 8F 89 28 29 12 8F 1F 08 06 24 23 EE 24 C8 82 18 03 51 16 45 05 A4 38 8C 01 4E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:37640; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"TextElement|04|bps2"; fast_pattern:only; content:"|24 00 D5 D0 49 00|"; content:"|66 20 24 62 61 23|"; content:"|66 15 2D 05 4F 18 01|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:37639; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 
$HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; file_data; content:"|6F 5B 02 12 14 91 8F 89 28 29 12 8F 1F 08 06 24 23 EE 24 C8 82 18 03 51 16 45 05 A4 38 8C 01 4E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:37638; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_server,established; file_data; content:"A5@-@01000000A4@-@0B00437@-@2797"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8439; classtype:attempted-user; sid:37632; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_client,established; file_data; content:"A5@-@01000000A4@-@0B00437@-@2797"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8439; classtype:attempted-user; sid:37631; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_server,established; file_data; content:"|B7 5F|A501@-@0000@-@00AxXx40B@-@0043@"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8439; classtype:attempted-user; sid:37630; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_client,established; file_data; 
content:"|B7 5F|A501@-@0000@-@00AxXx40B@-@0043@"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8439; classtype:attempted-user; sid:37629; rev:2;)
# NOTE(review): sid 37628 and sid 37627 (ByteArray domainMemory, CVE-2015-0311) are shipped commented out and carry
# only the max-detect-ips policy. In both, file_data; follows the content option instead of preceding it, so as
# written the pattern is not evaluated against the decoded file buffer. If these are enabled locally, confirm
# the intended option order and test against known-good traffic first.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt"; flow:to_server,established; content:"|F5 75 6F D0 7E 61 35 1B 1A 8B 16 4D DF 05 32 FE A4 4C 46 49 B7 7B 6B 75 F9 2B 5C 37 29 0B 91 37|"; fast_pattern:only; file_data; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:37628; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt"; flow:to_client,established; content:"|F5 75 6F D0 7E 61 35 1B 1A 8B 16 4D DF 05 32 FE A4 4C 46 49 B7 7B 6B 75 F9 2B 5C 37 29 0B 91 37|"; fast_pattern:only; file_data; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:37627; rev:2;)
# Disabled technique rule (sid 37673 here; a to_client rule starts on the line after it). After the anchor
# |24 03 A0 46| it needs |25 80 20 AD| three times, each within 40 bytes of the previous match. The msg names a
# technique rather than one flaw, although the reference is CVE-2015-3113; measure false positives before enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player heap object address enumeration technique"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|24 03 A0 46|"; content:"|25 80 20 AD|"; within:40; fast_pattern; content:"|25 80 20 AD|"; within:40; content:"|25 80 20 AD|"; within:40; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-3113; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:attempted-user; sid:37673; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any 
(msg:"FILE-FLASH Adobe Flash Player heap object address enumeration technique"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|24 03 A0 46|"; content:"|25 80 20 AD|"; within:40; fast_pattern; content:"|25 80 20 AD|"; within:40; content:"|25 80 20 AD|"; within:40; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3113; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:attempted-user; sid:37672; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|4F FA BA A5 F2 55 2A 7A 29 1D D4 5A 1D D2 5F CC CB CE E9 92 D5 F1 99 F8 1B 63 39 DF AB 53 F5 D8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0349; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:37671; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|4F FA BA A5 F2 55 2A 7A 29 1D D4 5A 1D D2 5F CC CB CE E9 92 D5 F1 99 F8 1B 63 39 DF AB 53 F5 D8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0349; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:37670; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|4A 03 01 80 03 63 08 62 08 24 00 D0 42 00 61 F6 0A 62 08 24 01 62 
08 24 00 66 F6 0A 61 F6 0A 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0349; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:37669; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|4A 03 01 80 03 63 08 62 08 24 00 D0 42 00 61 F6 0A 62 08 24 01 62 08 24 00 66 F6 0A 61 F6 0A 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0349; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:37668; rev:1;)
# Worker shared object rules (CVE-2014-0502): sid 37685 (SMTP, to_server) and sid 37684 (file download, to_client).
# NOTE(review): the msg says "user-after-free"; this looks like a typo for "use-after-free". It is left as is
# here because alert text is what downstream filters and suppressions match on - fix it together with a rev bump.
# Logic: string anchors (URLLoader, createWorker, terminate within 500 bytes), then byte_extract stores a 2-byte
# value as "version" and a 4-byte value as "WrkrCurr", and the byte_test options require those stored values to
# equal the bytes read at later relative offsets (0, 7 and -10).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|09|URLLoader"; fast_pattern:only; content:"|0C|createWorker"; content:"|09|terminate"; within:500; content:"|66|"; distance:0; content:"|46|"; within:1; distance:1; content:"|01 68|"; within:2; distance:1; content:"|D0 66|"; within:2; distance:1; byte_extract:2,1,version,relative; content:"|D0 66|"; within:2; content:"|10|"; within:80; content:"|00 D0|"; within:2; distance:2; byte_extract:4,0,WrkrCurr,relative; byte_test:2,=,version,0,relative; byte_test:4,=,WrkrCurr,7,relative; content:"|00 47 00 00|"; distance:0; byte_test:4,=,WrkrCurr,-10,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0502; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; classtype:attempted-user; sid:37685; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|09|URLLoader"; fast_pattern:only; content:"|0C|createWorker"; content:"|09|terminate"; within:500; content:"|66|"; distance:0; content:"|46|"; within:1; distance:1; content:"|01 68|"; within:2; distance:1; content:"|D0 66|"; within:2; distance:1; byte_extract:2,1,version,relative; content:"|D0 66|"; within:2; content:"|10|"; within:80; content:"|00 D0|"; within:2; distance:2; byte_extract:4,0,WrkrCurr,relative; byte_test:2,=,version,0,relative; byte_test:4,=,WrkrCurr,7,relative; content:"|00 47 00 00|"; distance:0; byte_test:4,=,WrkrCurr,-10,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0502; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; classtype:attempted-user; sid:37684; rev:2;)
# ASNative textField use after free (CVE-2016-0982), sid 37680 (SMTP); a to_client rule with the same msg starts
# on the line after it. Five plain strings with no ordering constraint, then byte_extract stores the 2 bytes after
# |1C 96 04 00| as "textField" and byte_test requires the same 2 bytes after a later |1C 96 04 00| and after
# |1C 96 07 00|.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash player ASNative textField use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"swfRoot"; content:"createTextField"; content:"removeTextField"; content:"addProperty"; content:"ASnative"; fast_pattern:only; content:"|1C 96 04 00|"; byte_extract:2,0,textField,relative; content:"|1C 96 04 00|"; distance:0; byte_test:2,=,textField,0,relative; content:"|47|"; within:1; distance:4; content:"|1C 96 07 00|"; distance:0; byte_test:2,=,textField,0,relative; content:"|00 00 00 00 47|"; within:5; distance:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0982; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37680; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash player ASNative textField 
use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"swfRoot"; content:"createTextField"; content:"removeTextField"; content:"addProperty"; content:"ASnative"; fast_pattern:only; content:"|1C 96 04 00|"; byte_extract:2,0,textField,relative; content:"|1C 96 04 00|"; distance:0; byte_test:2,=,textField,0,relative; content:"|47|"; within:1; distance:4; content:"|1C 96 07 00|"; distance:0; byte_test:2,=,textField,0,relative; content:"|00 00 00 00 47|"; within:5; distance:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0982; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37679; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ExploitByteArray"; fast_pattern:only; content:"casi32"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:37723; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ExploitByteArray"; fast_pattern:only; content:"casi32"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:37722; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player 
atomicCompareAndSwapLength integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"atomicCompareAndSwapLength"; content:"casi32"; content:"|60 49 64 25 80 20 25 FE 07 2D 06|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:37721; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"atomicCompareAndSwapLength"; content:"casi32"; content:"|60 49 64 25 80 20 25 FE 07 2D 06|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:37720; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_server,established; file_data; content:"|89 0A A5 4A 4E ED 93 F8 AC 8E 6D F9 9C 34 C9 15 F9 1B FC 01 C4 BF E0 82 3F 50 98 80 DB 89 0B C4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:37711; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_server,established; file_data; content:"|30 F1 01 EF 01 02 00 00 EF 01 03 01 00 EF 01 04 02 00 D0 49 00 5D 01 F0 0A 4A 01 00 80 01 D7 D3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy 
max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:37710; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_client,established; file_data; content:"|89 0A A5 4A 4E ED 93 F8 AC 8E 6D F9 9C 34 C9 15 F9 1B FC 01 C4 BF E0 82 3F 50 98 80 DB 89 0B C4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:37709; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt"; flow:to_client,established; file_data; content:"|30 F1 01 EF 01 02 00 00 EF 01 03 01 00 EF 01 04 02 00 D0 49 00 5D 01 F0 0A 4A 01 00 80 01 D7 D3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0556; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-21.html; classtype:attempted-user; sid:37708; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player invalid object reference code execution attempt"; flow:to_server,established; file_data; content:"|43 57 53 06 40 F3 14 00 78 DA 44 7C 05 58 54 DB F7 F6 1A 66 80 A1 87 54 86 EE EE A1 86 9A A1 41 10 10 A4 2C 44 3A 2C 10 0B 61 08 15 41 10 15 95 52 4A 01 11 15 05 F4 9A A0 A2 5E 95 10 30 08 03|"; depth:64; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33880; reference:cve,2009-0520; 
reference:url,adobe.com/support/security/bulletins/apsb09-01.html; classtype:attempted-user; sid:37690; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|2F A9 9F AB 0A 19 B2 1C AB CF F4 4E D7 DE B0 1C 07 1A B3 AE 16 59 1E EF 61 0B 6F 53 E5 80 0C 25|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:37689; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|2F A9 9F AB 0A 19 B2 1C AB CF F4 4E D7 DE B0 1C 07 1A B3 AE 16 59 1E EF 61 0B 6F 53 E5 80 0C 25|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5119; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-03.html; reference:url,www.virustotal.com/en/file/a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8/analysis/; classtype:attempted-admin; sid:37688; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BlurFilter memory corruption attempt"; flow:to_server,established; file_data; content:"|E3 BF 17 6E 51 F1 69 2A 9C FD E2 AC C5 97 BF 8C C5 FD 2F 39 D7 F5 46 52 9D 57 1C 49 DF 90 2B 35|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0964; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; 
sid:37741; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BlurFilter memory corruption attempt"; flow:to_client,established; file_data; content:"|E3 BF 17 6E 51 F1 69 2A 9C FD E2 AC C5 97 BF 8C C5 FD 2F 39 D7 F5 46 52 9D 57 1C 49 DF 90 2B 35|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0964; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37740; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BlurFilter memory corruption attempt"; flow:to_server,established; file_data; content:"|D0 30 5D 0C D0 66 CB 01 D0 66 A2 03 D0 66 A1 03 D0 66 A0 03 D0 66 9F 03 D0 66 99 03 4A 0C 06 48|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0964; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37739; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BlurFilter memory corruption attempt"; flow:to_client,established; file_data; content:"|D0 30 5D 0C D0 66 CB 01 D0 66 A2 03 D0 66 A1 03 D0 66 A0 03 D0 66 9F 03 D0 66 99 03 4A 0C 06 48|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0964; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37738; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Point object integer overflow attempt"; flow:to_server,established; file_data; content:"|4A 07 00 82 63 04 D2 2F 01 61 08 D3 D1 61 09 62 04 2D 01 61 0A|"; 
fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0976; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37737; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Point object integer overflow attempt"; flow:to_client,established; file_data; content:"|4D 2A 75 F5 DF D6 86 11 83 3A 56 95 87 BA A6 33 D7 82 8C D2 A3 C6 2D 7E 4E BA 46 60 3A 5C 75 99|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0976; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37736; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Point object integer overflow attempt"; flow:to_client,established; file_data; content:"|4A 07 00 82 63 04 D2 2F 01 61 08 D3 D1 61 09 62 04 2D 01 61 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0976; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37735; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Point object integer overflow attempt"; flow:to_server,established; file_data; content:"|4D 2A 75 F5 DF D6 86 11 83 3A 56 95 87 BA A6 33 D7 82 8C D2 A3 C6 2D 7E 4E BA 46 60 3A 5C 75 99|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0976; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37734; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH 
Adobe Flash file with embedded PE detected"; flow:to_server,established; file_data; content:"FWS"; depth:3; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:37850; rev:1;)

# sid:37849 (commented out in this file) - SWF carrying an embedded PE image,
# client-bound file transfers. A generic file-structure check with no CVE
# reference and classtype misc-activity:
#   content:"FWS"; depth:3    file_data begins with the uncompressed SWF magic
#   content:"MZ"              a DOS header magic somewhere in the data
#   byte_jump:4,58,relative,little
#                             reads the 4-byte little-endian field that starts
#                             58 bytes after "MZ" (offset 0x3C from the "M")
#                             and moves the cursor forward by its value
#   content:"PE|00 00|"; within:4; distance:-64
#                             backs up 64 bytes (2 + 58 + 4 consumed since the
#                             "M") so the PE signature must sit exactly where
#                             that header field points
# NOTE(review): only "FWS" is tested. Whether compressed SWF (CWS/ZWS) reaches
# this check depends on SWF decompression in the preprocessor - confirm for
# the deployment before relying on it.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash file with embedded PE detected"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:37849; rev:1;)

# sid:37840 / sid:37839 (both commented out in this file) - AAC audio memory
# corruption (CVE-2016-0970), SMTP and client-bound variants. Each is a single
# fixed 29-byte content match in file_data with no file.swf flowbit gate; the
# metadata lists only the max-detect-ips and security-ips policies.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AAC audio memory corruption attempt"; flow:to_server,established; file_data; content:"|00 00 00 AF 00 15 08 56 E5 BD 48 00 00 00 00 14 08 00 01 75 00 00 00 00 00 00 00 AF 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0970; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37840; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AAC audio memory corruption attempt"; flow:to_client,established; file_data; content:"|00 00 00 AF 00 15 08 56 E5 BD 48 00 00 00 00 14 08 00 01 75 00 00 00 00 00 00 00 AF 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0970; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37839; rev:2;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player integer underflow attempt"; flow:to_server,established; file_data; content:"|9B 89 31 7C 10 9E 9D D4 1B 8D 94 88 82 38 64 89 47 7B 29 0E 
C2 37 74 BC EE 13 63 F4 61 30 3D 9A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0497; classtype:attempted-user; sid:37809; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player integer underflow attempt"; flow:to_client,established; file_data; content:"|9B 89 31 7C 10 9E 9D D4 1B 8D 94 88 82 38 64 89 47 7B 29 0E C2 37 74 BC EE 13 63 F4 61 30 3D 9A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0497; classtype:attempted-user; sid:37808; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player integer underflow attempt"; flow:to_server,established; file_data; content:"|0C 00 61 15 D1 62 08 66 15 60 16 66 17 61 18 62 08 74 63 10 24 00 63 08 10 09 00 00 09 D1 62 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0497; classtype:attempted-user; sid:37807; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player integer underflow attempt"; flow:to_client,established; file_data; content:"|0C 00 61 15 D1 62 08 66 15 60 16 66 17 61 18 62 08 74 63 10 24 00 63 08 10 09 00 00 09 D1 62 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0497; classtype:attempted-user; sid:37806; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player rectangle memory access violation attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B4 47 7D C2 5C 9F 1B F7 5C 3E 20 41 9B 70 82 C6 6A E8 F6 FA 1C 1D C9 9C 05 85 89 63 B3 4F 7C 9F|"; 
fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0978; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37798; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player rectangle memory access violation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B4 47 7D C2 5C 9F 1B F7 5C 3E 20 41 9B 70 82 C6 6A E8 F6 FA 1C 1D C9 9C 05 85 89 63 B3 4F 7C 9F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0978; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37797; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player rectangle memory access violation attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|25 90 4E 4A 05 02 82 D7 D2 24 0A 61 06 D1 24 03 61 07 D2 24 7F 61 08 D1 2D 01 61 09 5D 05 25 90|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0978; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37796; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player rectangle memory access violation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|25 90 4E 4A 05 02 82 D7 D2 24 0A 61 06 D1 24 03 61 07 D2 24 7F 61 08 D1 2D 01 61 09 5D 05 25 90|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0978; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37795; rev:2;)

# sid:37794 - ActionScript 3 URLRequest use-after-free (CVE-2016-0973), SMTP.
# The hex contents are ASCII: "URLLoader" 0x07 "request", then "URLRequest"
# 0x11 "loader_ioComplete", then "stop". Only the second is the fast pattern;
# none has a distance/within constraint, and there is no file.swf flowbit gate.
# NOTE(review): the header is $HOME_NET any -> $EXTERNAL_NET 25, i.e.
# connections from the protected network to external port 25, whereas the
# other SMTP rules in this section use $EXTERNAL_NET any -> $SMTP_SERVERS 25.
# As written, mail arriving at $SMTP_SERVERS is not inspected by this
# signature; confirm whether that is intended. classtype is misc-attack where
# the neighbouring rules use attempted-user, which may change the alert's
# default priority.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript 3 URLRequest class use after free attempt"; flow:to_server,established; file_data; content:"|55 52 4C 4C 6F 61 64 65 72 07 72 65 71 75 65 73 74|"; content:"|55 52 4C 52 65 71 75 65 73 74 11 6C 6F 61 64 65 72 5F 69 6F 43 6F 6D 70 6C 65 74 65|"; fast_pattern:only; content:"|73 74 6F 70|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0973; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:misc-attack; sid:37794; rev:2;)

# sid:37793 - same three contents as sid:37794 for server-to-client traffic.
# NOTE(review): limited to $HTTP_PORTS and service http, while the other
# client-bound rules in this section use $FILE_DATA_PORTS with ftp-data, http,
# imap and pop3; a transfer over those other services is outside this rule's
# scope.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript 3 URLRequest class use after free attempt"; flow:to_client,established; file_data; content:"|55 52 4C 4C 6F 61 64 65 72 07 72 65 71 75 65 73 74|"; content:"|55 52 4C 52 65 71 75 65 73 74 11 6C 6F 61 64 65 72 5F 69 6F 43 6F 6D 70 6C 65 74 65|"; fast_pattern:only; content:"|73 74 6F 70|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0973; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:misc-attack; sid:37793; rev:2;)

# sid:37792 - ASnative use-after-free (CVE-2016-0959), inbound SMTP. One fixed
# 32-byte content match in file_data, no file.swf flowbit gate. Only the CVE is
# referenced; no bulletin URL is given.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative use after free attempt"; flow:to_server,established; file_data; content:"|A5 C2 13 E0 35 67 B2 65 D2 B2 5B 79 1D AE 32 51 44 EF F6 0F 4D 44 8F 82 7F 2C 98 6E 99 3E BC EA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0959; classtype:attempted-user; sid:37792; rev:2;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative use after free attempt"; flow:to_server,established; 
file_data; content:"|07 01 00 00 00 07 02 00 00 00 08 01 1C 96 02 00 08 0E 52 96 02 00 08 0F 52 17 87 01 00 00 4F 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0959; classtype:attempted-user; sid:37791; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative use after free attempt"; flow:to_client,established; file_data; content:"|A5 C2 13 E0 35 67 B2 65 D2 B2 5B 79 1D AE 32 51 44 EF F6 0F 4D 44 8F 82 7F 2C 98 6E 99 3E BC EA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0959; classtype:attempted-user; sid:37790; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative use after free attempt"; flow:to_client,established; file_data; content:"|07 01 00 00 00 07 02 00 00 00 08 01 1C 96 02 00 08 0E 52 96 02 00 08 0F 52 17 87 01 00 00 4F 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0959; classtype:attempted-user; sid:37789; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed Adobe Texture Format heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|81 00 00 06 01 F3 A0 81 A8 C3 8A BC 87 E2 81 A8 C3 8A BD 88 8A BD 88 E1 82 A6 89 E5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0971; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37783; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash 
Player malformed Adobe Texture Format heap overflow attempt"; flow:to_client,established; file_data; content:"|81 00 00 06 01 F3 A0 81 A8 C3 8A BC 87 E2 81 A8 C3 8A BD 88 8A BD 88 E1 82 A6 89 E5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0971; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37782; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 18 00 04 03 07 01 00 00 00 07 0A 00 00 00 07 65 00 00 00 07 02 00 00 00 08 01 1C 96 02 00 08 07 52 96 02 00 08 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0981; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37781; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 18 00 04 03 07 01 00 00 00 07 0A 00 00 00 07 65 00 00 00 07 02 00 00 00 08 01 1C 96 02 00 08 07 52 96 02 00 08 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0981; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37780; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player LoadVars use-after-free attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|92 94 C8 37 3B 75 F1 E1 53 70 C6 96 B4 7D 21 AA 67 7B E3 4D 5E 25 9E 
E9 EC CF F9 EC 5C F1 42 94|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0974; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37777; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player LoadVars use-after-free attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|92 94 C8 37 3B 75 F1 E1 53 70 C6 96 B4 7D 21 AA 67 7B E3 4D 5E 25 9E E9 EC CF F9 EC 5C F1 42 94|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0974; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37776; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript constructor use after free attempt"; flow:to_server,established; file_data; content:"|5C 77 2D 2C 03 1C 16 1F F0 72 7C 31 51 6D DC 55 AC 74 15 0C 86 93 4A 14 43 63 01 6A 2F 2D 10 9C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0975; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37775; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript constructor use after free attempt"; flow:to_client,established; file_data; content:"|5C 77 2D 2C 03 1C 16 1F F0 72 7C 31 51 6D DC 55 AC 74 15 0C 86 93 4A 14 43 63 01 6A 2F 2D 10 9C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0975; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37774; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript constructor use after free attempt"; flow:to_server,established; file_data; content:"|06 18 04 F0 3F 6A BC 74 93 87 01 00 05 17 96 0E 00 07 01 00 00 00 08 11 07 02 00 00 00 08 12 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0975; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37773; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript constructor use after free attempt"; flow:to_client,established; file_data; content:"|06 18 04 F0 3F 6A BC 74 93 87 01 00 05 17 96 0E 00 07 01 00 00 00 08 11 07 02 00 00 00 08 12 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0975; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37772; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative custom getter use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|C6 A9 F4 94 7C 15 25 6A B6 46 40 24 23 64 C0 50 A5 C1 D4 C7 65 1A 47 ED 89 97 B6 E3 0B 89 EC C3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0983; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37771; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player 
ASnative custom getter use after free attempt"; flow:to_server,established; file_data; content:"|C6 A9 F4 94 7C 15 25 6A B6 46 40 24 23 64 C0 50 A5 C1 D4 C7 65 1A 47 ED 89 97 B6 E3 0B 89 EC C3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0983; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37770; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative custom getter use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|07 84 03 00 00|"; content:"|96 05 00 07|"; content:"|96 02|"; content:"|1C 96 02|"; within:10; content:"ASnative|00|"; fast_pattern; content:"removeMovieClip|00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0983; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37769; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative custom getter use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|07 84 03 00 00|"; content:"|96 05 00 07|"; content:"|96 02|"; content:"|1C 96 02|"; within:10; content:"ASnative|00|"; fast_pattern; content:"removeMovieClip|00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0983; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37768; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData method memory corruption attempt"; flow:to_server,established; file_data; content:"|D0 30 21 82 63 04 D0 49 00 5D 03 25 C8 01 25 C8 01 4A 03 02 
82 D5 5D 04 4A 04 00 82 D6 5D 05 4A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0969; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37767; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData method memory corruption attempt"; flow:to_server,established; file_data; content:"|59 B7 7D 74 3D A7 EC A3 3B FB 5F 83 01 58 1C AD D7 66 16 85 DE 92 D5 5B B6 7A 79 AB 57 B0 7A 45|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0969; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37766; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData method memory corruption attempt"; flow:to_client,established; file_data; content:"|D0 30 21 82 63 04 D0 49 00 5D 03 25 C8 01 25 C8 01 4A 03 02 82 D5 5D 04 4A 04 00 82 D6 5D 05 4A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0969; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37765; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData method memory corruption attempt"; flow:to_client,established; file_data; content:"|59 B7 7D 74 3D A7 EC A3 3B FB 5F 83 01 58 1C AD D7 66 16 85 DE 92 D5 5B B6 7A 79 AB 57 B0 7A 45|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0969; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37764; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player rectangle auxiliary method integer overflow attempt"; flow:to_server,established; file_data; content:"|C2 DA 99 CB 1F 31 7C 1B 19 40 CA B4 CC 16 BA 4A 57 39 F8 34 6D 65 65 70 43 12 02 79 53 17 F7 4D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0977; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37763; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player rectangle auxiliary method integer overflow attempt"; flow:to_server,established; file_data; content:"|82 D5 5D 04 4A 04 00 82 D6 D2 2D 01 61 05 5D 06 4A 06 00 82 D7 D1 25 FF 01 61 07 D1 26 61 08 D1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0977; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37762; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player rectangle auxiliary method integer overflow attempt"; flow:to_client,established; file_data; content:"|C2 DA 99 CB 1F 31 7C 1B 19 40 CA B4 CC 16 BA 4A 57 39 F8 34 6D 65 65 70 43 12 02 79 53 17 F7 4D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0977; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37761; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player rectangle auxiliary method integer overflow attempt"; 
flow:to_client,established; file_data; content:"|82 D5 5D 04 4A 04 00 82 D6 D2 2D 01 61 05 5D 06 4A 06 00 82 D7 D1 25 FF 01 61 07 D1 26 61 08 D1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0977; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37760; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-FLASH Adobe Flash Player invalid sourceRect copyPixels heap corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|09|Rectangle"; content:"|0A|copyPixels"; content:"|FF FF FF 07 00|"; content:"|24 80 61|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0968; reference:cve,2018-16030; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37759; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid sourceRect copyPixels heap corruption attempt"; flow:to_client,established; file_data; content:"|E1 6C 91 F1 2F 96 E4 3D 12 8C 26 64 44 BB F7 1F A7 B9 F3 38 F5 48 38 ED B6 AC E6 8F F5 A6 55 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0968; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37758; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-FLASH Adobe Flash Player invalid sourceRect copyPixels heap corruption attempt"; flow:to_server,established; file_data; content:"|E1 6C 91 F1 2F 96 E4 3D 12 8C 26 64 44 BB F7 1F A7 B9 F3 38 F5 48 38 ED B6 AC E6 8F F5 A6 
55 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0968; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37757; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid sourceRect copyPixels heap corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|09|Rectangle"; content:"|0A|copyPixels"; content:"|FF FF FF 07 00|"; content:"|24 80 61|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0968; reference:cve,2018-16030; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37756; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Point object integer overflow attempt"; flow:to_server,established; file_data; content:"|64 41 29 A4 0A 23 F9 31 21 23 4A 28 81 65 21 A9 A4 46 D2 19 29 32 B2 32 C2 32 16 15 09 29 69 A4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0979; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37755; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Point object integer overflow attempt"; flow:to_client,established; file_data; content:"|64 41 29 A4 0A 23 F9 31 21 23 4A 28 81 65 21 A9 A4 46 D2 19 29 32 B2 32 C2 32 16 15 09 29 69 A4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; 
reference:cve,2016-0979; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37754; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Point object integer overflow attempt"; flow:to_server,established; file_data; content:"|4A 04 00 82 D6 5D 05 4A 05 00 82 D7 D3 24 64 25 80 80 FE FF 0F 2D 01 24 02 4F 06 04 D2 24 03 2D 02 4F 06 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0979; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37753; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Point object integer overflow attempt"; flow:to_client,established; file_data; content:"|4A 04 00 82 D6 5D 05 4A 05 00 82 D7 D3 24 64 25 80 80 FE FF 0F 2D 01 24 02 4F 06 04 D2 24 03 2D 02 4F 06 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0979; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37752; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player FLV invalid reference frame count memory corruption attempt"; flow:to_server,established; file_data; content:"|57 0F 0C F3 E1 EF EC C3 B9 69 4E F2 7E C8 F4 DA 73 9D BF ED F6 85 AB EC 3B 72 0D FB 7B 6C 89 25|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0972; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37751; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player FLV invalid reference frame count 
memory corruption attempt"; flow:to_client,established; file_data; content:"|57 0F 0C F3 E1 EF EC C3 B9 69 4E F2 7E C8 F4 DA 73 9D BF ED F6 85 AB EC 3B 72 0D FB 7B 6C 89 25|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0972; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37750; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextField object Type Confusion Attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D0 30 57 2A D5 30 D0 5D 06 4A 06 00 68 03 10 34 00 00 D0 30 D1 30 5A 00 2A D6 2A 30 2B 6D 01 5D 07 65|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0985; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37749; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextField object Type Confusion Attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D0 30 57 2A D5 30 D0 5D 06 4A 06 00 68 03 10 34 00 00 D0 30 D1 30 5A 00 2A D6 2A 30 2B 6D 01 5D 07 65|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0985; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37748; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player list filter memory corruption attempt"; flow:to_client,established; file_data; content:"|D0 D1 68 14 D0 66 14 27 61 3A D0 66 22 D0 66 14 D0 66 14 66 3B 66 3C 20 60 3D 66 3E D0 66 1C 26|"; fast_pattern:only; 
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0965; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37747; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player list filter memory corruption attempt"; flow:to_server,established; file_data; content:"|D0 D1 68 14 D0 66 14 27 61 3A D0 66 22 D0 66 14 D0 66 14 66 3B 66 3C 20 60 3D 66 3E D0 66 1C 26|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0965; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37746; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextLine memory corruption attempt"; flow:to_server,established; file_data; content:"|54 22 CB BF B4 F3 FB 45 98 88 B2 54 94 90 D9 17 18 7D C6 C7 4B 44 C3 A5 BB A4 4D 6B 68 41 CB 2E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0966; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37745; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextLine memory corruption attempt"; flow:to_client,established; file_data; content:"|54 22 CB BF B4 F3 FB 45 98 88 B2 54 94 90 D9 17 18 7D C6 C7 4B 44 C3 A5 BB A4 4D 6B 68 41 CB 2E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0966; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37744; rev:2;) alert tcp $EXTERNAL_NET any -> 
$SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextLine memory corruption attempt"; flow:to_server,established; file_data; content:"|66 20 D0 66 22 4F 2B 01 24 40 82 D6 10 10 00 00 09 D0 66 06 D2 66 29 D0 66 08 61 2A D2 91 82 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0966; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37743; rev:2;)
# CVE-2016-0966 (TextLine, APSB16-04): to_client twin of sid:37743. Both rules carry the
# same 32-byte content as their only pattern (fast_pattern:only, no flowbits file-type gate).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextLine memory corruption attempt"; flow:to_client,established; file_data; content:"|66 20 D0 66 22 4F 2B 01 24 40 82 D6 10 10 00 00 09 D0 66 06 D2 66 29 D0 66 08 61 2A D2 91 82 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0966; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:37742; rev:2;)
#
# --- Generic SWF heuristics, sid:38020-38026: shipped disabled ---
# Every rule in this group is commented out and, per its metadata, belongs only to the
# max-detect-ips policy. They describe general traits of a SWF file rather than one long
# byte sequence, so they are likely to be noisier than the rules around them: if enabled,
# run them alert-only and tune before letting them drop traffic.
# All of them except the RC4 pair (sid:38026, sid:38022) reference CVE-2015-3113 / APSB15-14.
#
# RC4 heuristic: |25 FF 01 A8| decodes as the AVM2 sequence "pushshort 255; bitand"
# (x & 0xFF). The rule wants three occurrences, each within 2000 bytes of the previous one.
# Masking to a byte is not specific to RC4, which fits the policy-violation classtype.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash file with RC4 decryption routine detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|25 FF 01 A8|"; content:"|25 FF 01 A8|"; within:2000; content:"|25 FF 01 A8|"; within:2000; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38026; rev:2;)
# DefineBinaryData heuristic: |FF 15| is the little-endian long-form record header of SWF
# tag 87 (the tag the msg names); byte_test then reads the 4 bytes that follow as a
# little-endian length and requires it to exceed 1024. The string content is the fast
# pattern and carries no position constraint.
# NOTE(review): no to_client twin of sid:38025 is visible in this part of the file.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash file with large DefineBinaryData tag"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"allowLoadBytesCodeExecution"; fast_pattern:only; content:"|FF 15|"; byte_test:4,>,1024,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-3113; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:policy-violation; sid:38025; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash file with large DefineBinaryData tag"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"virtualprotect"; fast_pattern:only; content:"|FF 15|"; byte_test:4,>,1024,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-3113; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:policy-violation; sid:38024; rev:3;)
# CreateFileA heuristic: the content "43726561746546696c654100" is the ASCII-hex spelling
# of "CreateFileA" plus a terminating NUL, so the rule looks for the API name hex-encoded as
# text inside the SWF, not for the raw bytes.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash file CreateFileA shellcode found"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"43726561746546696c654100"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-3113; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:attempted-user; sid:38023; rev:3;)
# to_client twins of the three heuristics above (sid:38022, sid:38021, sid:38020).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash file with RC4 decryption routine detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|25 FF 01 A8|"; content:"|25 FF 01 A8|"; within:2000; content:"|25 FF 01 A8|"; within:2000; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38022; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash file with large DefineBinaryData tag"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"virtualprotect"; fast_pattern:only; content:"|FF 15|"; byte_test:4,>,1024,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3113; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:policy-violation; sid:38021; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash file with CreateFileA shellcode"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"43726561746546696c654100"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3113; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:attempted-user; sid:38020; rev:3;)
#
# --- CVE-2014-0569 (APSB14-22), SMTP direction: sid:37930-37933 ---
# All four are gated on flowbits file.swf and match plain strings inside the file
# ("casi32", "shell_rc4", "ropgadgets", "hexdump", "0x9tr4we...").
# NOTE(review): these strings look like identifiers from one specific sample - confirm.
# If so, coverage depends on those names being present: a hit is strong evidence, but no
# hit says little about whether the file exercises the vulnerability.
# sid:37931 and sid:37930 declare no fast_pattern, unlike sid:37933 and sid:37932.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"casi32"; content:"0x9tr4we9tr4we9tr4we9tr4we"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:37933; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"atomicCompareAndSwapLength"; content:"casi32"; content:"shell_rc4"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:37932; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ByteArray"; content:"ropgadgets"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:37931; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ByteArray"; content:"hexdump"; content:"casi32"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:37930; rev:1;)
# Same CVE, to_client direction: sid:37927, sid:37926 and sid:37925 repeat the patterns of
# sid:37933, sid:37932 and sid:37931 respectively.
# NOTE(review): a to_client twin of the "hexdump" rule (sid:37930) is not visible in this
# part of the file.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"casi32"; content:"0x9tr4we9tr4we9tr4we9tr4we"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:37927; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"atomicCompareAndSwapLength"; content:"casi32"; content:"shell_rc4"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:37926; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ByteArray"; content:"ropgadgets"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:37925; rev:1;)
#
# CVE-2016-1005, shipped disabled: this rule inspects HTTP response metadata only (status
# code 200, "Content-Length: 0" in the headers, and the raw string "Content-Type: video/mp4").
# It has no file_data option, so no media bytes are examined.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt"; flow:to_client,established; content:"Content-Type: video/mp4"; content:"200"; http_stat_code; content:"|0D 0A|Content-Length: 0|0D 0A|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-1001; reference:cve,2017-2935; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:38226; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid FLV header out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.flv; file_data; content:"FLV|01|"; depth:4; content:"|00 00 00 09|"; within:4; distance:1; byte_test:4,>,9,0,relative; isdataat:15,relative; content:!"|00 00 00|"; within:3; distance:12; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1001; reference:cve,2017-2935; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html;
reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:38225; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|4F 96 09 00 04 01 08 1A 07 0F 27 00 00 4F 96 09 00 04 01 08 0E 07 0F 27 00 00 4F 96 09 00 04 01|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0987; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-09.html; classtype:attempted-user; sid:38222; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"removeMovieClip|00|"; content:"createEmptyMovieClip|00|"; content:"Sound|00|"; content:"|96 09 00 04|"; content:"|0F 27 00 00|"; within:4; distance:4; content:"|96 09 00 04|"; distance:0; content:"|0F 27 00 00|"; within:4; distance:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0987; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-09.html; classtype:attempted-user; sid:38221; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player use after free"; flow:to_server,established; file_data; content:"|B7 07 C2 8A A7 70 21 25 C5 E5 B6 17 99 AE D8 8F 03 F9 77 C1 43 F8 25 F7 FB 3D 04 72 0D 79 1A EF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0987; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-09.html; classtype:attempted-user; sid:38220; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player use after 
free attempt"; flow:to_client,established; file_data; content:"|B7 07 C2 8A A7 70 21 25 C5 E5 B6 17 99 AE D8 8F 03 F9 77 C1 43 F8 25 F7 FB 3D 04 72 0D 79 1A EF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0987; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-09.html; classtype:attempted-user; sid:38219; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData.paletteMap size mismatch integer overflow attempt"; flow:to_server,established; file_data; content:"|08 B8 81 E2 8A 30 D4 1E 73 97 28 29 C9 CD A1 36 5C 87 1D E1 E6 AF 97 FC DB 10 F0 FE E7 1D 71 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0962; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38216; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData.paletteMap size mismatch integer overflow attempt"; flow:to_client,established; file_data; content:"|08 B8 81 E2 8A 30 D4 1E 73 97 28 29 C9 CD A1 36 5C 87 1D E1 E6 AF 97 FC DB 10 F0 FE E7 1D 71 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0962; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38215; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData.paletteMap size mismatch integer overflow attempt"; flow:to_server,established; file_data; content:"|4A 04 00 82 D6 5D 05 4A 05 00 82 D7 D2 2D 01 61 06 D2 24 04 61 07 D3 24 64 24 32 4F 08 02 D1 D1|"; fast_pattern:only; metadata:policy 
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0962; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38214; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData.paletteMap size mismatch integer overflow attempt"; flow:to_client,established; file_data; content:"|4A 04 00 82 D6 5D 05 4A 05 00 82 D7 D2 2D 01 61 06 D2 24 04 61 07 D3 24 64 24 32 4F 08 02 D1 D1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0962; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38213; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MPD use-after-free attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|06 C6 9D CB 89 11 4C E0 FF FE 95 A9 32 8E FE C5 87 E1 C7 40 D0 11 69 45 86 9A 91 74 EA 09 8A 40|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1006; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38208; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MPD use-after-free attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|06 C6 9D CB 89 11 4C E0 FF FE 95 A9 32 8E FE C5 87 E1 C7 40 D0 11 69 45 86 9A 91 74 EA 09 8A 40|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1006; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; 
classtype:attempted-user; sid:38207; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MPD use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|68 16 D0 66 14 2C C0 01 4F 94 01 01 D0 5D 19 D0 66 16 4A 19 01 68 18 D0 66 14 2C C1 01 4F 94 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1006; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38206; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MPD use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|68 16 D0 66 14 2C C0 01 4F 94 01 01 D0 5D 19 D0 66 16 4A 19 01 68 18 D0 66 14 2C C1 01 4F 94 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1006; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38205; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData.applyFilter access violation attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"flash.filters"; content:"|62 04 D2 D3 D1 4F 0B 04 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0961; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38204; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData.applyFilter access violation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"flash.filters"; content:"|62 04 D2 D3 
D1 4F 0B 04 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0961; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38203; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData.copyChannel access violation attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"copyChannel"; content:"|24 7F 2D 01 26 4A 01 03 80 01 D5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0960; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38200; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData.copyChannel access violation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"copyChannel"; content:"|24 7F 2D 01 26 4A 01 03 80 01 D5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0960; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38199; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player recursion calls stack overflow attempt"; flow:to_server,established; file_data; content:"|DE 22 72 37 C4 C8 30 78 7F F5 87 C1 16 E0 98 1A EC 0A E3 D8 34 9B 5D CB 36 E5 45 A3 D2 10 DB 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0986; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-09.html; classtype:attempted-user; sid:38198; 
rev:2;)
# CVE-2016-0986 (APSB16-09), to_client direction; the SMTP twin is sid:38198 and uses the
# same 32-byte content.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player recursion calls stack overflow attempt"; flow:to_client,established; file_data; content:"|DE 22 72 37 C4 C8 30 78 7F F5 87 C1 16 E0 98 1A EC 0A E3 D8 34 9B 5D CB 36 E5 45 A3 D2 10 DB 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0986; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-09.html; classtype:attempted-user; sid:38197; rev:2;)
# NOTE(review): the next line is three rules fused together by text loss on this page and
# will not parse as written.
#  - In both htmlText rules (SMTP and to_client) everything after the second `content:"` is
#    missing: the rest of the pattern, the remaining options including the sid, and the next
#    rule's header up to and including its `->`. Presumably the lost pattern began with "<"
#    and was dropped as markup - confirm against the upstream file.
#  - The tail is the SMTP setInterval rule (CVE-2016-0996, sid:38194) without its
#    `alert tcp ... ->` header.
# Restore all three from the upstream rule file; the missing pattern and sids cannot be
# recovered from this text, so do not hand-repair them.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player htmlText method use-after-free memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|5D 1C 4A 1C 00|"; nocase; content:" $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player htmlText method use-after-free memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|5D 1C 4A 1C 00|"; content:" $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player setInterval use-after-free memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 09 00 07 02 00 00 00 04 02 08 0A|"; content:"|96 04 00 04 05 08 12 8E 08 00 00 00 00 04 29 00 DC 00|"; content:"|96 02 00 08 18|"; content:"|96 10 00 07 6F 00 00 00 04 05 04 04 07 03 00 00 00 08 01 1C 96 02 00 08 19|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0996; classtype:attempted-user; sid:38194; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player setInterval use-after-free memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 09 00 07 02 00 00 00 04 02 08 0A|"; content:"|96 04 00 04 05 08 12 8E 08 00 00 00 00 04 29 00 DC 00|";
content:"|96 02 00 08 18|"; content:"|96 10 00 07 6F 00 00 00 04 05 04 04 07 03 00 00 00 08 01 1C 96 02 00 08 19|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0996; classtype:attempted-user; sid:38193; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player si32 integer overflow attempt"; flow:to_server,established; file_data; content:"|3D 11 70 7B 2B A9 D1 6A FA BA D2 51 C0 55 12 75 C6 63 EB E2 58 FF 0D 53 A6 2F 69 48 79 AD 8A 3F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2016-0993; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-08.html; classtype:attempted-user; sid:38192; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player si32 integer overflow attempt"; flow:to_client,established; file_data; content:"|3D 11 70 7B 2B A9 D1 6A FA BA D2 51 C0 55 12 75 C6 63 EB E2 58 FF 0D 53 A6 2F 69 48 79 AD 8A 3F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2016-0993; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-08.html; classtype:attempted-user; sid:38191; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player si32 integer overflow attempt"; flow:to_server,established; file_data; content:"avm2.intrinsics.memory"; fast_pattern:only; content:"|2D 02 D3 2D 03 A1 3C 47|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0993; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-08.html; classtype:attempted-user; sid:38190; rev:2;) # 
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player si32 integer overflow attempt"; flow:to_client,established; file_data; content:"avm2.intrinsics.memory"; fast_pattern:only; content:"|2D 02 D3 2D 03 A1 3C 47|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2016-0993; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-08.html; classtype:attempted-user; sid:38189; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS2 setInterval use after free attempt"; flow:to_server,established; file_data; content:"|96 02 00 08 05 52 17 96 02 00 08 06 26 96 24 00 07 90 01 00 00 07 2C 01 00 00 07 02 00 00 00 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0988; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38188; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS2 setInterval use after free attempt"; flow:to_server,established; file_data; content:"|54 0D 7D 6C 1C 39 4D CB 31 9B AA 6E 3B BA 7E 83 BB 42 AE A8 43 CC 50 80 18 BA 4D B6 C7 46 D3 D1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0988; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38187; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS2 setInterval use after free attempt"; flow:to_client,established; file_data; content:"|96 02 00 08 05 52 17 96 02 00 08 06 26 96 24 00 07 90 01 00 00 07 2C 01 00 00 07 02 00 00 00 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, 
policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0988; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38186; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS2 setInterval use after free attempt"; flow:to_client,established; file_data; content:"|54 0D 7D 6C 1C 39 4D CB 31 9B AA 6E 3B BA 7E 83 BB 42 AE A8 43 CC 50 80 18 BA 4D B6 C7 46 D3 D1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0988; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38185; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 multiple axis attributes integer overflow attempt"; flow:to_server,established; file_data; content:"|EF 99 6E 8F 16 8F 6D 3A 2D BE 5D BC B7 AC 8F D8 31 25 24 9B 4B A3 CD 95 63 92 B0 BA 62 B8 23 CD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0989; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38184; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 multiple axis attributes integer overflow attempt"; flow:to_server,established; file_data; content:"|2D 01 61 09 5D 0A 4A 0A 00 2C 17 4F 0B 01 5D 0A 4A 0A 00 2C 17 4F 0B 01 10 0F 00 00 D0 30 5A 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0989; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38183; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET 
any (msg:"FILE-FLASH Adobe Flash Player AS3 multiple axis attributes integer overflow attempt"; flow:to_client,established; file_data; content:"|EF 99 6E 8F 16 8F 6D 3A 2D BE 5D BC B7 AC 8F D8 31 25 24 9B 4B A3 CD 95 63 92 B0 BA 62 B8 23 CD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0989; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38182; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS3 multiple axis attributes integer overflow attempt"; flow:to_client,established; file_data; content:"|2D 01 61 09 5D 0A 4A 0A 00 2C 17 4F 0B 01 5D 0A 4A 0A 00 2C 17 4F 0B 01 10 0F 00 00 D0 30 5A 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0989; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38181; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Microsoft Standalone Flash Player asNative object use after free attempt"; flow:to_server,established; file_data; content:"|77 0F 23 30 D2 68 08 83 AC DB BF B9 62 4C 7C 13 A8 B3 92 14 91 35 E5 D3 D4 C7 63 E0 0D EF 67 D7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0991; classtype:attempted-user; sid:38180; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Standalone Flash Player ASnative object use after free attempt"; flow:to_client,established; file_data; content:"|77 0F 23 30 D2 68 08 83 AC DB BF B9 62 4C 7C 13 A8 B3 92 14 91 35 E5 D3 D4 C7 63 E0 0D EF 67 D7|"; fast_pattern:only; metadata:policy balanced-ips drop, 
policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0991; classtype:attempted-user; sid:38179; rev:2;)
# sid 38178 / 38177 -- structural signature for the ASnative use-after-free (CVE-2016-0991), one rule per direction:
# 38178 inspects files sent to $SMTP_SERVERS on port 25, 38177 inspects files delivered to $HOME_NET from $FILE_DATA_PORTS.
# Match logic, all inside the file_data buffer:
#   - three strings with no positional modifiers: "removeTextField", "toString", "ASnative";
#   - byte_extract:1,0,objReg,relative stores the single byte that follows |96 05 00 07 00 00 00 00 43 87 01 00| in objReg;
#   - byte_test:1,=,objReg,-12,relative re-reads the byte 12 positions before the end of |8E 08 00 00 00 00 02 29 00|,
#     i.e. the byte right after |40 3C 96 04 00 04| (9 matched bytes + distance:3), and requires it to equal objReg;
#   - byte_test:1,=,objReg,0,relative requires the byte right after |52 17 ... 96 04 00 04| to equal objReg as well.
#   So the same one-byte value must appear three times. Presumably this is an AVM1 register number (0x87 = StoreRegister,
#   0x96 .. 0x04 = push of a register) -- confirm against the SWF file format specification.
# No fast_pattern option is given, so the choice of prefilter pattern is left to the engine.
# NOTE(review): the msg of 38178 reads "Microsoft ... asNative" while its twin 38177 reads "Adobe ... ASnative"; both cite
# CVE-2016-0991. Dashboards that group on the msg text will split this pair -- correlate on sid or CVE instead.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Microsoft Standalone Flash Player asNative object use after free attempt"; flow:to_server,established; file_data; content:"removeTextField"; content:"toString"; content:"ASnative"; content:"|96 05 00 07 00 00 00 00 43 87 01 00|"; byte_extract:1,0,objReg,relative; content:"|40 3C 96 04 00 04|"; within:100; content:"|8E 08 00 00 00 00 02 29 00|"; within:9; distance:3; byte_test:1,=,objReg,-12,relative; content:"|52 17 96 05 00 07 0A 00 00 00 3E 4F 96 04 00 04|"; within:500; byte_test:1,=,objReg,0,relative; content:"|8E 08 00 00 00 00 03 29 00|"; within:9; distance:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0991; classtype:attempted-user; sid:38178; rev:2;)
# sid 38177 -- to_client twin of 38178: identical option chain, different header, msg and service list.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Standalone Flash Player ASnative object use after free attempt"; flow:to_client,established; file_data; content:"removeTextField"; content:"toString"; content:"ASnative"; content:"|96 05 00 07 00 00 00 00 43 87 01 00|"; byte_extract:1,0,objReg,relative; content:"|40 3C 96 04 00 04|"; within:100; content:"|8E 08 00 00 00 00 02 29 00|"; within:9; distance:3; byte_test:1,=,objReg,-12,relative; content:"|52 17 96 05 00 07 0A 00 00 00 3E 4F 96 04 00 04|"; within:500; byte_test:1,=,objReg,0,relative; content:"|8E 08 00 00 00 00 03 29 00|"; within:9; distance:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0991; classtype:attempted-user; sid:38177; rev:2;)
# The next rule (SMTP direction, CVE-2016-0990) starts here; its options continue on the following line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Standalone Flash Player texfield getter use after free attempt"; 
flow:to_server,established; file_data; content:"|3B EF 58 56 83 70 39 36 01 6E 58 14 2B 07 7B D9 0A 38 F2 38 CC BA 32 E1 DA 24 E5 EE 91 C9 FB DE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0990; classtype:attempted-user; sid:38176; rev:2;)
# sid 38175 -- to_client twin of 38176: the same single 32-byte content, marked fast_pattern:only, so it is matched by
# the pattern matcher alone with no offset/depth/distance constraint inside file_data.
# NOTE(review): the msg of sids 38176, 38175, 38174 and 38173 spells "texfield"; a search for "textfield" in alert
# text will miss them -- query by sid or by CVE-2016-0990.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Standalone Flash Player texfield getter use after free attempt"; flow:to_client,established; file_data; content:"|3B EF 58 56 83 70 39 36 01 6E 58 14 2B 07 7B D9 0A 38 F2 38 CC BA 32 E1 DA 24 E5 EE 91 C9 FB DE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0990; classtype:attempted-user; sid:38175; rev:2;)
# sid 38174 -- structural variant for the same CVE (SMTP direction):
#   - "createTextField" and "removeTextField" anywhere in file_data;
#   - the 20-byte |8E 08 ... 04 29 00| content carries plain `fast_pattern;` (not `only`), so it is the prefilter AND is
#     still evaluated in order; the `within:11; distance:2` on the next content is measured from it;
#   - byte_extract:1,-6,swfRoot,relative reads the byte 6 positions before the end of the |1C 96 04 00 08| match, i.e.
#     the one byte skipped by `distance:1` between |96 07 00 07 00 00 00 00 08| and |1C 96 04 00 08|;
#   - byte_test:1,=,swfRoot,0,relative requires the byte right after |07 03 00 00 00 08| to equal that value.
#   Presumably swfRoot is a constant-pool index referenced twice (0x08 as the Constant8 push type) -- confirm against
#   the SWF file format specification.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Standalone Flash Player texfield getter use after free attempt"; flow:to_server,established; file_data; content:"createTextField"; content:"removeTextField"; content:"|8E 08 00 00 00 00 02 29 00 00 00 8E 08 00 00 00 00 04 29 00|"; fast_pattern; content:"|96 05 00 07 20 00 00 00 87 01 00|"; within:11; distance:2; content:"|96 07 00 07 00 00 00 00 08|"; within:100; content:"|1C 96 04 00 08|"; within:5; distance:1; byte_extract:1,-6,swfRoot,relative; content:"|47 4E 96 02 00 08|"; within:6; distance:8; content:"|07 00 00 00 00 47 4E 3E 96 09 00 08|"; within:500; content:"|07 03 00 00 00 08|"; within:6; distance:1; byte_test:1,=,swfRoot,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0990; classtype:attempted-user; sid:38174; rev:2;)
# The to_client twin of 38174 starts here; its options continue on the following line.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Standalone Flash Player texfield getter use after free attempt"; flow:to_client,established; file_data; content:"createTextField"; 
content:"removeTextField"; content:"|8E 08 00 00 00 00 02 29 00 00 00 8E 08 00 00 00 00 04 29 00|"; fast_pattern; content:"|96 05 00 07 20 00 00 00 87 01 00|"; within:11; distance:2; content:"|96 07 00 07 00 00 00 00 08|"; within:100; content:"|1C 96 04 00 08|"; within:5; distance:1; byte_extract:1,-6,swfRoot,relative; content:"|47 4E 96 02 00 08|"; within:6; distance:8; content:"|07 00 00 00 00 47 4E 3E 96 09 00 08|"; within:500; content:"|07 03 00 00 00 08|"; within:6; distance:1; byte_test:1,=,swfRoot,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0990; classtype:attempted-user; sid:38173; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player hitTest BitmapData object integer overflow attempt"; flow:to_server,established; file_data; content:"|31 2D CD F1 0F 18 91 87 E0 33 DE 83 D8 A9 B6 A0 A2 70 FD 44 94 DC CE 3F C3 36 A9 46 E5 52 BC 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0963; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38170; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player hitTest BitmapData object integer overflow attempt"; flow:to_client,established; file_data; content:"|31 2D CD F1 0F 18 91 87 E0 33 DE 83 D8 A9 B6 A0 A2 70 FD 44 94 DC CE 3F C3 36 A9 46 E5 52 BC 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0963; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38169; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player hitTest 
BitmapData object integer overflow attempt"; flow:to_server,established; file_data; content:"|03 F0 15 D2 2D 01 61 04 F0 17 5D 02 24 00 24 00 4A 02 02 80 02 D7 F0 19 D3 2F 01 61 04 F0 1B D3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0963; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38168; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player hitTest BitmapData object integer overflow attempt"; flow:to_server,established; file_data; content:"|E4 1B AD B5 F1 8F B6 07 9E A1 C5 62 F1 2A A3 C9 54 52 76 3D F9 D3 AB 25 EA AF 41 ED B7 63 79 25|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0963; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38167; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player hitTest BitmapData object integer overflow attempt"; flow:to_client,established; file_data; content:"|03 F0 15 D2 2D 01 61 04 F0 17 5D 02 24 00 24 00 4A 02 02 80 02 D7 F0 19 D3 2F 01 61 04 F0 1B D3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0963; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38166; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player hitTest BitmapData object integer overflow attempt"; flow:to_client,established; file_data; content:"|E4 1B AD B5 F1 8F B6 07 9E A1 C5 62 F1 2A A3 C9 54 52 76 3D F9 D3 AB 25 EA AF 41 ED B7 63 79 25|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips 
drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0963; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38165; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player rectangle width integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|58 3F 2E 2A 23 E0 78 21 21 84 16 C7 73 BC C8 01 66 70 F1 84 30 52 77 99 2B 16 4B C8 F7 47 EA 68|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1010; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38241; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player rectangle width integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0A|BitmapData"; content:"|09|Rectangle"; content:"|25 90 F9 FF FF 0F 24 FE 2D 02 24 08 4A 05 04 80 05 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1010; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38240; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player rectangle width integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|58 3F 2E 2A 23 E0 78 21 21 84 16 C7 73 BC C8 01 66 70 F1 84 30 52 77 99 2B 16 4B C8 F7 47 EA 68|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1010; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; 
sid:38239; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player rectangle width integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0A|BitmapData"; content:"|09|Rectangle"; content:"|25 90 F9 FF FF 0F 24 FE 2D 02 24 08 4A 05 04 80 05 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1010; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38238; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player integer underflow attempt"; flow:to_client,established; file_data; content:"|80 10 2A 63 11 24 14 61 11 62 11 24 64 61 12 62 11 26 61 13 62 11 2C 1E 4F 14 01 5D 15 62 11 4F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0497; classtype:attempted-user; sid:38311; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player integer underflow attempt"; flow:to_server,established; file_data; content:"|80 10 2A 63 11 24 14 61 11 62 11 24 64 61 12 62 11 26 61 13 62 11 2C 1E 4F 14 01 5D 15 62 11 4F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0497; classtype:attempted-user; sid:38310; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D6 8E 45 54 46 B6 77 76 E6 DB 6F 66 BE F5 04 14 7E 02 B0 F2 19 80 9B 10 F4 6A B7 00 00 EF D6 47|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy 
security-ips drop, service smtp; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:38335; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D6 8E 45 54 46 B6 77 76 E6 DB 6F 66 BE F5 04 14 7E 02 B0 F2 19 80 9B 10 F4 6A B7 00 00 EF D6 47|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:38334; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt"; flow:to_server,established; file_data; content:"|CB 58 10 F3 BE BF FE 6F 13 E8 D0 C6 93 40 CD 80 7B 26 BF DF 28 3D AC 3F B0 81 82 DE F8 7D B8 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1019; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-01.html; classtype:attempted-user; sid:38434; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt"; flow:to_client,established; file_data; content:"|CB 58 10 F3 BE BF FE 6F 13 E8 D0 C6 93 40 CD 80 7B 26 BF DF 28 3D AC 3F B0 81 82 DE F8 7D B8 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1019; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-01.html; classtype:attempted-user; sid:38433; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
(msg:"FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt"; flow:to_server,established; file_data; content:"|28 A1 0F 48 F7 41 00 23 EB A0 3F 20 14 68 61 14 C8 AE 5F 90 EE BA A2 44 44 FE 85 7E 45 D3 33 B4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1019; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-01.html; classtype:attempted-user; sid:38432; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ASnative"; fast_pattern:only; content:"toString"; content:"|8E 08 00 00 00 00 02 29 00|"; content:"|96 02 00 08|"; within:6; content:"|1C 96 02 00 08|"; within:25; content:"|4E 96 05 00 07|"; within:25; content:"|00 07|"; within:25; content:"|00 07|"; within:8; content:"|00 07|"; within:8; content:"|00 08|"; within:8; content:"|1C 96 02 00 08|"; within:6; content:"|52 96 02 00 08|"; within:6; content:"|52 17 96 05 00 07|"; within:25; content:"|43 87 01 00|"; within:4; distance:4; byte_extract:1,0,objToConfuse,relative; content:"|96 09 00 04|"; distance:0; byte_test:1,=,objToConfuse,0,relative; content:"|07 01 00 00 00 08|"; within:10; content:"|40|"; within:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1019; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-01.html; classtype:attempted-user; sid:38431; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt"; flow:to_client,established; file_data; content:"|28 A1 0F 48 F7 41 00 23 EB A0 3F 20 14 68 61 14 C8 AE 5F 90 EE BA A2 44 44 FE 85 7E 45 D3 33 B4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy 
max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1019; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-01.html; classtype:attempted-user; sid:38430; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ASnative"; fast_pattern:only; content:"toString"; content:"|8E 08 00 00 00 00 02 29 00|"; content:"|96 02 00 08|"; within:6; content:"|1C 96 02 00 08|"; within:25; content:"|4E 96 05 00 07|"; within:25; content:"|00 07|"; within:25; content:"|00 07|"; within:8; content:"|00 07|"; within:8; content:"|00 08|"; within:8; content:"|1C 96 02 00 08|"; within:6; content:"|52 96 02 00 08|"; within:6; content:"|52 17 96 05 00 07|"; within:25; content:"|43 87 01 00|"; within:4; distance:4; byte_extract:1,0,objToConfuse,relative; content:"|96 09 00 04|"; distance:0; byte_test:1,=,objToConfuse,0,relative; content:"|07 01 00 00 00 08|"; within:10; content:"|40|"; within:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1019; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-01.html; classtype:attempted-user; sid:38429; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt"; flow:to_server,established; file_data; content:"|2C 5D 66 1C 62 0C 62 0B 41 01 08 0C AA 82 63 0A 62 09 2A 63 0C 2C 59 66 1C 62 0C 62 0A 41 01 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1019; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-01.html; classtype:attempted-user; sid:38456; rev:2;) alert 
tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt"; flow:to_client,established; file_data; content:"|2C 5D 66 1C 62 0C 62 0B 41 01 08 0C AA 82 63 0A 62 09 2A 63 0C 2C 59 66 1C 62 0C 62 0A 41 01 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1019; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-01.html; classtype:attempted-user; sid:38455; rev:2;)
# sids 38535, 38534, 38533, 38532 -- "Rig Exploit Kit" rules. All four are commented out in this file, and their
# metadata lists only policy max-detect-ips and policy security-ips (no balanced-ips entry).
#   - Unlike the neighbouring rules they carry no file_data option: content:"FWS"; depth:3 is checked against the first
#     three bytes of the inspected payload, and the 13-byte pattern is fast_pattern:only (position-independent).
#   - NOTE(review): without file_data the match depends on the uncompressed SWF magic appearing unencoded at the start
#     of a payload; for the port-25 variants (38535, 38534) that looks unlikely to hold for a mail attachment.
#     Validate against recorded traffic before enabling.
#   - 38534 and 38532 differ from 38535 and 38533 by one byte (|00 19| vs |00 18|) and add content:!"bitmovin";
#     presumably a false-positive exclusion for a legitimate player -- confirm.
#   - None of the four has a reference: option, so an alert gives no CVE or sample to pivot on; triage needs the file.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Rig Exploit Kit exploitation attempt"; flow:to_server,established; content:"FWS"; depth:3; content:"|00 18 01 00 44 11 19 00 00 00 C1 3F 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:38535; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Rig Exploit Kit exploitation attempt"; flow:to_server,established; content:"FWS"; depth:3; content:"|00 19 01 00 44 11 19 00 00 00 C1 3F 00|"; fast_pattern:only; content:!"bitmovin"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:38534; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Rig Exploit Kit exploitation attempt"; flow:to_client,established; content:"FWS"; depth:3; content:"|00 18 01 00 44 11 19 00 00 00 C1 3F 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:38533; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Rig Exploit Kit exploitation attempt"; flow:to_client,established; content:"FWS"; depth:3; content:"|00 19 01 00 44 11 19 00 00 00 C1 3F 00|"; fast_pattern:only; content:!"bitmovin"; 
metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:38532; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_server,established; file_data; content:"|A2 C5 A4 23 CD 76 78 E8 92 59 FE FE 2C A2 7B 8C 91 D9 CA 22 3E 8A 1C 97 E7 26 31 F2 D0 8F CA 7B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-26.html; classtype:attempted-user; sid:38577; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt"; flow:to_client,established; file_data; content:"|A2 C5 A4 23 CD 76 78 E8 92 59 FE FE 2C A2 7B 8C 91 D9 CA 22 3E 8A 1C 97 E7 26 31 F2 D0 8F CA 7B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8439; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-22.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-26.html; classtype:attempted-user; sid:38576; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|2D 8F A1 3C BC 56 89 F1 36 F2 B3 8C 72 6C 71 20 E5 CF 97 0A 4C B0 47 BF 93 29 7F 4E 36 63 A2 C1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; 
reference:url,virustotal.com/en/file/7c3b275cfb65f653f12aada3a5aff22793edac5e5f33e48852a374c22323bef8/analysis/; classtype:attempted-user; sid:38636; rev:2;)
# sids 38635, 38634, 38633 -- "Nuclear exploit kit" SWF download rules. Each rule is a single 32-byte content marked
# fast_pattern:only inside file_data, so it is an exact-bytes match with no positional constraint.
#   - flowbits:isset,file.swf gates every rule: it is evaluated only on flows where that flowbit is already set.
#     The rule that sets file.swf is not in this part of the file -- presumably a file-identification rule; if that
#     rule is disabled or pruned from the deployed set, these rules cannot fire. Verify the setter is loaded.
#   - The only reference is a virustotal.com file report; there is no CVE reference, so the alert names the kit and
#     not a vulnerability. Presumably the content bytes come from the referenced file -- treat a hit as a match on
#     that file's bytes, not as generic coverage for the kit.
#   - 38635 repeats the reference of 38636 for the to_client direction; 38634 / 38633 are the SMTP / to_client pair
#     for a second file report.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|2D 8F A1 3C BC 56 89 F1 36 F2 B3 8C 72 6C 71 20 E5 CF 97 0A 4C B0 47 BF 93 29 7F 4E 36 63 A2 C1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/7c3b275cfb65f653f12aada3a5aff22793edac5e5f33e48852a374c22323bef8/analysis/; classtype:attempted-user; sid:38635; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D1 25 A2 1D 2F CF 19 61 3A D1 25 CB 0D 2D B8 19 61 3A D1 25 D9 11 2F D0 19 61 3A D1 25 D2 15 2D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/75bfe6422f66b68a80103c89d993f9b35b9d55041364f33bb85cd5917cb4c335/analysis/; classtype:attempted-user; sid:38634; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D1 25 A2 1D 2F CF 19 61 3A D1 25 CB 0D 2D B8 19 61 3A D1 25 D9 11 2F D0 19 61 3A D1 25 D2 15 2D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/75bfe6422f66b68a80103c89d993f9b35b9d55041364f33bb85cd5917cb4c335/analysis/; classtype:attempted-user; sid:38633; rev:2;)
alert tcp 
$EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|33 7F 31 79 FC FE 5A 95 31 F8 1D 7E F4 BD 5A 3A D8 ED CC 79 37 C3 7E C3 79 FA 41 55 50 6A 03 8D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/1b332c513d20e01208ee7dc3c80fc231b49cfd03a9be6c49990372d742381985/analysis/; classtype:attempted-user; sid:38632; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|33 7F 31 79 FC FE 5A 95 31 F8 1D 7E F4 BD 5A 3A D8 ED CC 79 37 C3 7E C3 79 FA 41 55 50 6A 03 8D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/1b332c513d20e01208ee7dc3c80fc231b49cfd03a9be6c49990372d742381985/analysis/; classtype:attempted-user; sid:38631; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|7B 40 74 51 5F 69 38 3E 3C 2B 3F 66 7E 3C 55 7A 4D 63 41 31 47 4C 77 71 4E 2B 24 72 70 48 70 59|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/669068edb9044990070276a6fda8f29da021b01d6dd43b78a6dd0f33c648e82b/analysis/; classtype:attempted-user; sid:38630; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|7B 40 74 51 5F 69 38 3E 3C 2B 3F 
66 7E 3C 55 7A 4D 63 41 31 47 4C 77 71 4E 2B 24 72 70 48 70 59|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/669068edb9044990070276a6fda8f29da021b01d6dd43b78a6dd0f33c648e82b/analysis/; classtype:attempted-user; sid:38629; rev:2;)

# Reading guide for the FILE-FLASH rules that follow:
# - Most signatures come in pairs with identical detection options: one for mail sent to
#   $SMTP_SERVERS port 25 (flow:to_server, service smtp) and one for files returned to
#   $HOME_NET from $FILE_DATA_PORTS (flow:to_client; ftp-data, http, imap, pop3).
# - flowbits:isset,file.swf only tests the bit. No rule in this part of the file sets it,
#   so these rules stay silent unless the rules that set file.swf are loaded as well
#   (presumably the file-identify category -- confirm in your ruleset).
# - A content marked fast_pattern:only is used by the fast-pattern matcher and is not
#   re-evaluated as a positional option, so it matches anywhere in the inspected buffer.

# loadSound use-after-free (CVE-2016-1108), gated on file.swf. The four contents are AVM1
# bytecode runs (0x96 ActionPush, 0x1C GetVariable, 0x4E GetMember); the "08 nn" operands are
# constant-pool indexes. NOTE(review): that ties the match to the constant ordering of the
# analysed sample, so a recompiled variant may not match. None of the contents is relative,
# so their order in the file is not constrained.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player loadSound method use-after-free memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 04 00 04 00 08 03 1C 69 96 04 00 04 00 08 04|"; content:"|96 02 00 08 0B|"; content:"|96 02 00 08 10|"; content:"|96 0D 00 08 0C 04 03 07 02 00 00 00 04 04 08 0D 4E 96 02 00 08 0E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1108; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38848; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player loadSound method use-after-free memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 04 00 04 00 08 03 1C 69 96 04 00 04 00 08 04|"; content:"|96 02 00 08 0B|"; content:"|96 02 00 08 10|"; content:"|96 0D 00 08 0C 04 03 07 02 00 00 00 04 04 08 0D 4E 96 02 00 08 0E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1108; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38847; rev:2;)

# "faulty x64 support" out-of-bounds read (CVE-2016-1096). One opaque 32-byte pattern, no
# flowbits gate, so it is tested against every file_data buffer on these services.
# NOTE(review): presumably taken from one specific (likely compressed) sample; a re-encoded
# file would not match -- confirm what coverage is expected from this pair.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player faulty x64 support out of bounds read attempt"; flow:to_server,established; file_data; content:"|71 AE E1 9C BE 13 1B 6F 5A DD 1E AD EE CF 10 FD B0 CC E5 39 1A 19 AE A6 8B 32 BF 9F 54 DF 3B BC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1096; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38838; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player faulty x64 support out of bounds read attempt"; flow:to_client,established; file_data; content:"|71 AE E1 9C BE 13 1B 6F 5A DD 1E AD EE CF 10 FD B0 CC E5 39 1A 19 AE A6 8B 32 BF 9F 54 DF 3B BC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1096; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38837; rev:2;)

# Bitmap heap overflow (CVE-2016-1101, CVE-2016-1102, CVE-2016-1103, CVE-2017-3078), gated on
# file.swf. A single 32-byte pattern covers all four CVEs and both Adobe bulletins.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player bitmap heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|64 60 04 F0 1D 66 05 41 01 80 03 D6 5D 06 D2 F0 1E 4F 06 01 47 00 00 02 03 01 00 01 80 01 D0 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1101; reference:cve,2016-1102; reference:cve,2016-1103; reference:cve,2017-3078; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:38836; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player bitmap heap overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|64 60 04 F0 1D 66 05 41 01 80 03 D6 5D 06 D2 F0 1E 4F 06 01 47 00 00 02 03 01 00 01 80 01 D0 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1101; reference:cve,2016-1102; reference:cve,2016-1103; reference:cve,2017-3078; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:38835; rev:4;)

# ContentFactory memory corruption (CVE-2016-1098). Two variants per direction:
# - sid 38833 / 38831: identifier strings; "mediacore" must end within 40 bytes after
#   "retrieveAdPolicySelector"; gated on file.swf.
# - sid 38832 / 38830: one opaque 32-byte pattern with no flowbits gate. NOTE(review):
#   presumably sample-specific (possibly a compressed body) -- confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"createDefaultContentFactory"; fast_pattern:only; content:"retrieveAdPolicySelector"; content:"mediacore"; within:40; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1098; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38833; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt"; flow:to_server,established; file_data; content:"|1B F1 3A 9C 76 8D BE 10 49 DD B2 C6 E3 B1 39 DE 34 63 D6 B3 AA DB DB DB 96 5D B3 6A B5 0A 20 2A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1098; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38832; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"createDefaultContentFactory"; fast_pattern:only; content:"retrieveAdPolicySelector"; content:"mediacore"; within:40; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1098; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38831; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt"; flow:to_client,established; file_data; content:"|1B F1 3A 9C 76 8D BE 10 49 DD B2 C6 E3 B1 39 DE 34 63 D6 B3 AA DB DB DB 96 5D B3 6A B5 0A 20 2A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1098; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38830; rev:2;)

# removeMovieClip callback use-after-free (CVE-2016-1107), gated on file.swf. Two variants:
# - sid 38827 / 38826: one exact run of NUL-separated names (including e13, my_mc, e77),
#   i.e. the names of one particular file in one particular order.
# - sid 38825 / 38824: five NUL-terminated API names with no distance/within, so only their
#   co-occurrence in the file is required. NOTE(review): broader than the exact-run
#   variant; check alert volume on your own traffic.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00|e13|00|valueOf|00|callback|00|my_mc|00|_root|00|createEmptyMovieClip|00|e77|00|_rotation|00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1107; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38827; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00|e13|00|valueOf|00|callback|00|my_mc|00|_root|00|createEmptyMovieClip|00|e77|00|_rotation|00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1107; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38826; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"valueOf|00|"; fast_pattern:only; content:"_root|00|"; content:"removeMovieClip|00|"; content:"callback|00|"; content:"createEmptyMovieClip|00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1107; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38825; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"valueOf|00|"; fast_pattern:only; content:"_root|00|"; content:"removeMovieClip|00|"; content:"callback|00|"; content:"createEmptyMovieClip|00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1107; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38824; rev:2;)

# ASSetNativeAccessor use-after-free (CVE-2016-1110), gated on file.swf. Requires both
# NUL-delimited names somewhere in the file; neither content is positional.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASSetNativeAccessor use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00|ASSetNativeAccessor|00|"; fast_pattern:only; content:"|00|removeMovieClip|00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1110; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38793; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASSetNativeAccessor use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00|ASSetNativeAccessor|00|"; fast_pattern:only; content:"|00|removeMovieClip|00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1110; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38792; rev:2;)

# DeleteRangeTimelineOperation type confusion (CVE-2016-4117, CVE-2016-4224), gated on
# file.swf. Three identifiers must co-occur; "|09|placement" carries a one-byte length
# prefix (0x09 = 9 characters). No ordering or proximity between them is enforced.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DeleteRangeTimelineOperation type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"com.adobe.tvsdk.mediacore"; content:"|09|placement"; content:"DeleteRangeTimelineOperation"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4117; reference:cve,2016-4224; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-02.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:38875; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DeleteRangeTimelineOperation type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"com.adobe.tvsdk.mediacore"; content:"|09|placement"; content:"DeleteRangeTimelineOperation"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4117; reference:cve,2016-4224; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-02.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:38874; rev:4;)

# MSIMG32.dll load (CVE-2016-4116). Unlike the file rules around it, this one inspects an
# outbound request ($HOME_NET to $EXTERNAL_NET $HTTP_PORTS) and matches only on the URI
# containing "/MSIMG32.dll"; the response is not examined. An alert means a client asked a
# remote server for a DLL by that name, so triage should identify the requesting process and
# what was returned.
# NOTE(review): T1038 and T1157 are older ATT&CK technique IDs that ATT&CK later moved under
# T1574 sub-techniques -- re-map before using these references in reporting.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player MSIMG32.dll dll-load exploit attempt"; flow:to_server,established; content:"/MSIMG32.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4116; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38873; rev:3;)

# SMB counterpart of the MSIMG32.dll rule. Matches an SMB1 header (FF "SMB", command 0xA2
# NT Create AndX, zero status) at offset 4 plus the UTF-16LE file name.
# Coverage limits visible in the rule: the header is $HOME_NET to $HOME_NET on 139/445, so
# requests to shares outside $HOME_NET are not covered, and the FF "SMB" magic is SMB1 only
# (SMB2 and later start with FE "SMB").
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-FLASH Adobe Flash Player request for MSIMG32.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"M|00|S|00|I|00|M|00|G|00|3|00|2|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-4116; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38872; rev:3;)

# FileReference type confusion (CVE-2016-1105). Two variants per direction:
# - sid 38884 / 38882: AVM1 bytecode runs, gated on file.swf; the third run must end within
#   200 bytes after the second. Operands are constant-pool indexes (see the "08 nn" bytes),
#   so the match depends on the sample's constant ordering.
# - sid 38883 / 38881: opaque 32-byte pattern, no flowbits gate. NOTE(review): presumably
#   sample-specific -- confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player FileReference type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 04 00 04 01 08 10 4E 96 04 00 08 11 08 09 1C 96 02 00 08 12 4E 96 02 00 08 13|"; fast_pattern:only; content:"|96 0B 00 08 05 07 02 00 00 00 04 01 08 06 52|"; content:"|96 02 00 08 0B 53|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1105; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38884; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player FileReference type confusion attempt"; flow:to_server,established; file_data; content:"|30 72 E3 44 6C 95 8B 09 B4 2C 9B 1D 64 6A 2F ED 2C 30 90 4D ED C4 21 01 3F F0 88 47 68 13 83 E5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1105; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38883; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player FileReference type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 04 00 04 01 08 10 4E 96 04 00 08 11 08 09 1C 96 02 00 08 12 4E 96 02 00 08 13|"; fast_pattern:only; content:"|96 0B 00 08 05 07 02 00 00 00 04 01 08 06 52|"; content:"|96 02 00 08 0B 53|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1105; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38882; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player FileReference type confusion attempt"; flow:to_client,established; file_data; content:"|30 72 E3 44 6C 95 8B 09 B4 2C 9B 1D 64 6A 2F ED 2C 30 90 4D ED C4 21 01 3F F0 88 47 68 13 83 E5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1105; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38881; rev:2;)

# ASSetNative use-after-free (CVE-2016-1106). Two variants per direction:
# - sid 39033 / 39032: opaque 32-byte pattern, no flowbits gate.
# - sid 39031 / 39030: three plain substrings, gated on file.swf. They are not
#   NUL-delimited, so "watch" matches inside longer words and "ASSetNative" also matches
#   inside "ASSetNativeAccessor". NOTE(review): expect overlap with the ASSetNativeAccessor
#   rules and verify the false-positive rate.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt"; flow:to_server,established; file_data; content:"|EC A7 EB E5 3A 88 FA 34 A0 A1 14 2A 5E 23 8D D7 75 2C 8F C7 01 91 0D 12 45 3E 73 48 02 44 13 5D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1106; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39033; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt"; flow:to_client,established; file_data; content:"|EC A7 EB E5 3A 88 FA 34 A0 A1 14 2A 5E 23 8D D7 75 2C 8F C7 01 91 0D 12 45 3E 73 48 02 44 13 5D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1106; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39032; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ASSetNative"; fast_pattern:only; content:"watch"; content:"removeMovieClip"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1106; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39031; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ASSetNative"; fast_pattern:only; content:"watch"; content:"removeMovieClip"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1106; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39030; rev:2;)

# selection.setFocus use-after-free (CVE-2016-1109). No flowbits gate on any of the four.
# - sid 39026 / 39023 (rev 3): one 32-byte AVM1 bytecode run (0x96 ActionPush with "08 nn"
#   constant-pool indexes, 0x1C GetVariable, 0x17 Pop).
# - sid 39025 / 39024 (rev 2): opaque 32-byte pattern. NOTE(review): presumably
#   sample-specific -- confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt"; flow:to_server,established; file_data; content:"|96 02 00 08 09 3A 17 96 02 00 08 0A 1C 96 02 00 08 0A 1C 96 09 00 08 09 07 03 00 00 00 08 03 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1109; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39026; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt"; flow:to_server,established; file_data; content:"|97 2C 44 23 BD C5 08 38 C3 27 6B 03 71 75 25 59 CF 5E 3A 4F 12 13 36 DE B5 BC B4 5F 00 5B E8 8B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1109; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39025; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt"; flow:to_client,established; file_data; content:"|97 2C 44 23 BD C5 08 38 C3 27 6B 03 71 75 25 59 CF 5E 3A 4F 12 13 36 DE B5 BC B4 5F 00 5B E8 8B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1109; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39024; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt"; flow:to_client,established; file_data; content:"|96 02 00 08 09 3A 17 96 02 00 08 0A 1C 96 02 00 08 0A 1C 96 09 00 08 09 07 03 00 00 00 08 03 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1109; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39023; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PSDK use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|44 10 E8 03 3C 00|"; content:"PSDK|19|com.adobe.tvsdk.mediacore"; distance:0; content:"|04|pSDK"; distance:0; content:"|07|release"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1097; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39022; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PSDK use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|44 10 E8 03 3C 00|"; content:"PSDK|19|com.adobe.tvsdk.mediacore"; distance:0; content:"|04|pSDK"; distance:0; content:"|07|release"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1097; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39021; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PSDK use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B1 B9 5E 08 56 64 4D 57 8A EA F1 50 3C 12 0B 05 4F 4C BB A7 B4 5C 7E F2 D2 EC 7C 10 A4 AA 3E 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1097; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39020; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PSDK use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B1 B9 5E 08 56 64 4D 57 
8A EA F1 50 3C 12 0B 05 4F 4C BB A7 B4 5C 7E F2 D2 EC 7C 10 A4 AA 3E 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1097; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39019; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt"; flow:to_server,established; file_data; content:"|D0 30 F1 01 EF 01 02 00 00 20 D5 D0 49 00 5D 01 F0 0B 4A 01 00 2C 05 D1 46 02 02 29 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1099; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39012; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt"; flow:to_client,established; file_data; content:"|D0 30 F1 01 EF 01 02 00 00 20 D5 D0 49 00 5D 01 F0 0B 4A 01 00 2C 05 D1 46 02 02 29 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1099; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39011; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt"; flow:to_server,established; file_data; content:"|31 BD AE 0A 01 35 A7 E9 B9 71 A6 28 9B 65 16 9A 5E D0 C5 CC C0 BE EF D8 26 0E 73 AA C3 2C 6D 7B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1099; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39010; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt"; flow:to_client,established; file_data; content:"|31 BD AE 0A 01 35 A7 E9 B9 71 A6 28 9B 65 16 9A 5E D0 C5 CC C0 BE EF D8 26 0E 73 AA C3 2C 6D 7B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1099; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39009; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player addProperty use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"removeMovieClip|00|"; fast_pattern:only; content:"createEmptyMovieClip|00|"; content:"watch|00|"; content:"addProperty|00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4108; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38999; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player addProperty use after free attempt"; flow:to_server,established; file_data; content:"|7F AD C4 35 6A 44 2F B8 D4 0A 76 C1 C1 AE 47 FC A4 E6 63 BD A8 FC 98 82 7C 55 63 7B 4C BF 5F C2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4108; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38998; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player addProperty use after free attempt"; flow:to_client,established; 
flowbits:isset,file.swf; file_data; content:"removeMovieClip|00|"; fast_pattern:only; content:"createEmptyMovieClip|00|"; content:"watch|00|"; content:"addProperty|00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4108; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38997; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player addProperty use after free attempt"; flow:to_client,established; file_data; content:"|7F AD C4 35 6A 44 2F B8 D4 0A 76 C1 C1 AE 47 FC A4 E6 63 BD A8 FC 98 82 7C 55 63 7B 4C BF 5F C2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4108; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38996; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt"; flow:to_server,established; file_data; content:"|26 52 CD 04 40 D9 07 00 00 02 02 00 FF 94 11 C2 00 00 3F 00 00 40 00 00 7B D7 03 FE FF 07 00 F8 FF FF 7F F0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1104; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38983; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt"; flow:to_client,established; file_data; content:"|26 52 CD 04 40 D9 07 00 00 02 02 00 FF 94 11 C2 00 00 3F 00 00 40 00 00 7B D7 03 FE FF 07 00 F8 FF FF 7F F0|"; fast_pattern:only; metadata:policy balanced-ips 
drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1104; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38982; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt"; flow:to_server,established; file_data; content:"|69 00 7F AE FC 8E FA 95 26 77 8B 60 C9 E5 8D 9B 7E FD 70 98 B2 E3 2C 26 01 3D C4 C8 21 67 C1 BD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1100; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38974; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt"; flow:to_client,established; file_data; content:"|69 00 7F AE FC 8E FA 95 26 77 8B 60 C9 E5 8D 9B 7E FD 70 98 B2 E3 2C 26 01 3D C4 C8 21 67 C1 BD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1100; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38973; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1A|createOpportunityGenerator"; fast_pattern:only; content:"|06|update"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1100; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38972; rev:2;) alert tcp 
$EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1A|createOpportunityGenerator"; fast_pattern:only; content:"|06|update"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1100; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:38971; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MovieClip object use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00|onLoadStart|00|"; fast_pattern:only; content:"|00|removeMovieClip|00|"; content:"|1C 96 02 00 08|"; content:"|4E|"; within:1; distance:1; byte_extract:1,-2,constant,relative; content:"|52|"; byte_extract:4,-5,callmethod,relative; content:"|1C 96 02 00 08|"; byte_test:1,=,constant,0,relative; content:"|52|"; byte_test:4,=,callmethod,-5,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4146; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39317; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MovieClip object use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00|onLoadStart|00|"; fast_pattern:only; content:"|00|removeMovieClip|00|"; content:"|1C 96 02 00 08|"; content:"|4E|"; within:1; distance:1; byte_extract:1,-2,constant,relative; content:"|52|"; byte_extract:4,-5,callmethod,relative; content:"|1C 96 02 00 08|"; byte_test:1,=,constant,0,relative; content:"|52|"; byte_test:4,=,callmethod,-5,relative; metadata:policy balanced-ips drop, policy 
max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4146; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39316; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player RegExp numbered backreference out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"/AS3"; content:"/builtin"; within:15; content:"|08|TextArea"; content:"|06|RegExp"; within:500; distance:-250; content:"|04|exec"; within:500; distance:-250; content:"|5C|g"; within:500; distance:-250; byte_test:10,>,65535,0,relative,string,dec; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4133; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39315; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player RegExp numbered backreference out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"/AS3"; content:"/builtin"; within:15; content:"|08|TextArea"; content:"|06|RegExp"; within:500; distance:-250; content:"|04|exec"; within:500; distance:-250; content:"|5C|g"; within:500; distance:-250; byte_test:10,>,65535,0,relative,string,dec; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4133; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39314; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed Adobe Texture Format image load memory corruption attempt"; flow:to_server,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; fast_pattern; content:"|FF|"; within:1; distance:3; content:"|0C|"; 
within:1; distance:5; isdataat:!51,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4137; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39313; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed Adobe Texture Format image load memory corruption attempt"; flow:to_client,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; fast_pattern; content:"|FF|"; within:1; distance:3; content:"|0C|"; within:1; distance:5; isdataat:!51,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4137; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39312; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player same origin policy security bypass attempt"; flow:to_server,established; file_data; content:"window.location.__proto__"; fast_pattern:only; content:"toString"; nocase; content:"function"; within:50; nocase; content:"return"; within:50; nocase; content:"http://"; within:15; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4139; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39311; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player same origin policy security bypass attempt"; flow:to_client,established; file_data; content:"window.location.__proto__"; fast_pattern:only; content:"toString"; nocase; content:"function"; within:50; nocase; content:"return"; within:50; nocase; content:"http://"; within:15; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service 
ftp-data, service http, service imap, service pop3; reference:cve,2016-4139; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39310; rev:2;)
# sids 39309 / 39308: ATF declared-length check, one variant for inbound SMTP
# (to_server) and one for file downloads (to_client). After "ATF" at the start
# of file_data and a 0xFF byte three bytes later, the rule extracts a 4-byte
# value as file_length and matches when isdataat finds no data file_length
# bytes further on, relative to the cursor.
# Both variants require the file.atf flowbit. The rule that sets it is not in
# this part of the file (presumably a FILE-IDENTIFY rule); if that rule is
# disabled, these two never match.
# NOTE(review): dsize:<1201 tests the size of the packet payload, not of the
# file, and the Snort 2 manual warns that dsize fails on stream-rebuilt
# packets. Combined with file_data this presumably restricts the rule to ATF
# data delivered in one small packet; confirm that this coverage is intended.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; dsize:<1201; byte_extract:4,1,file_length,relative; isdataat:!file_length,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4138; reference:cve,2017-2933; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:39309; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; dsize:<1201; byte_extract:4,1,file_length,relative; isdataat:!file_length,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4138; reference:cve,2017-2933; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:39308; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player sound object use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00|removeMovieClip|00|"; content:"|00|onID3|00|"; content:"|00|attachSound|00|"; fast_pattern:only; content:"|4E 96 02 00 08 02 52 17|"; 
content:"|4E 96 02 00 08 02 52 17|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4148; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39307; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player sound object use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00|removeMovieClip|00|"; content:"|00|onID3|00|"; content:"|00|attachSound|00|"; fast_pattern:only; content:"|4E 96 02 00 08 02 52 17|"; content:"|4E 96 02 00 08 02 52 17|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4148; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39306; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Primetime SDK ShimContentResolver out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|13|ShimContentResolver"; fast_pattern:only; content:"|0B|Opportunity"; content:"|07|resolve"; content:"|24 00 4A 01|"; content:"|80|"; within:1; distance:1; content:"|63|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4154; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39305; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Primetime SDK ShimContentResolver out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|13|ShimContentResolver"; fast_pattern:only; content:"|0B|Opportunity"; content:"|07|resolve"; 
content:"|24 00 4A 01|"; content:"|80|"; within:1; distance:1; content:"|63|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4154; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39304; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ExecPolicy invalid string table lookup attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0A|ExecPolicy"; fast_pattern:only; content:"|03|OSR"; content:"|05 FF 10|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4171; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39302; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ExecPolicy invalid string table lookup attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0A|ExecPolicy"; fast_pattern:only; content:"|03|OSR"; content:"|05 FF 10|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4171; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39301; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed regular expression use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|06|RegExp"; fast_pattern:only; content:"|A0 D5 D2|"; content:"|2C|"; within:1; distance:-5; content:"|A0 D7 D3|"; within:50; content:"|2C|"; within:1; distance:-5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; 
reference:cve,2016-4121; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39300; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed regular expression use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|06|RegExp"; fast_pattern:only; content:"|A0 D5 D2|"; content:"|2C|"; within:1; distance:-5; content:"|A0 D7 D3|"; within:50; content:"|2C|"; within:1; distance:-5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4121; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39299; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash player retrieveResolvers memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|02 00 00 EF 01 03 01 00 20 D6 D0 49 00 5D 01 F0 0A 4A 01 00 80 01 D5 D1 D2 F0 0C 46 02 01 29 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4151; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39298; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash player retrieveResolvers memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|02 00 00 EF 01 03 01 00 20 D6 D0 49 00 5D 01 F0 0A 4A 01 00 80 01 D5 D1 D2 F0 0C 46 02 01 29 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4151; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; 
classtype:attempted-user; sid:39297; rev:2;)
# sids 39296 / 39295 (commented out, i.e. disabled in this file): SMB requests
# for dbghelp.dll / apphelp.dll between $HOME_NET hosts on ports 139 and 445.
# The first content requires 0xFF "SMB" followed by command byte 0xA2 at
# offset 4, which is SMB1 framing; SMB2/3 messages start with 0xFE "SMB" and
# are therefore not covered by these two rules.
# The file name is matched as UTF-16LE with a trailing NUL; fast_pattern:only
# uses it for the fast pattern matcher and the pcre then checks the bytes just
# before the name.
# metadata assigns drop in max-detect-ips and alert (not drop) in security-ips.
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-FLASH Adobe Flash Player request for dbghelp.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"d|00|b|00|g|00|h|00|e|00|l|00|p|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x19\x00|\x00\x5C)\x00d\x00b\x00g\x00h\x00e\x00l\x00p\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:policy max-detect-ips drop, policy security-ips alert, service netbios-ssn; reference:cve,2016-4140; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39296; rev:4;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-FLASH Adobe Flash Player request for apphelp.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"a|00|p|00|p|00|h|00|e|00|l|00|p|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x19\x00|\x00\x5C)\x00a\x00p\x00p\x00h\x00e\x00l\x00p\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:policy max-detect-ips drop, policy security-ips alert, service netbios-ssn; reference:cve,2016-4140; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39295; rev:4;)
# sids 39294 / 39293 (disabled in this file): outbound HTTP requests whose
# normalized URI contains "/dbghelp.dll" or "/apphelp.dll". That single
# http_uri content is the only condition; nothing ties the request to Flash
# Player, so if these are enabled any request for a file of that name alerts.
# Expect to tune or suppress per environment before using a drop action.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player dbghelp.dll dll-load exploit attempt"; flow:to_server,established; content:"/dbghelp.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2016-4140; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39294; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player apphelp.dll dll-load exploit attempt"; flow:to_server,established; content:"/apphelp.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2016-4140; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39293; rev:4;)
# sids 39292 / 39291: one literal string, "_root", "addProperty" and the start
# of an rtmp:// loopback URL separated by NUL bytes, searched in file_data of
# flows that carry the file.swf flowbit (set by a rule outside this part of
# the file). SMTP and file-download variants differ only in header, flow and
# service metadata.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection object type confusion overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|5F|root|00|addProperty|00|rtmp://127.0.0"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4144; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39292; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection object type confusion overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|5F|root|00|addProperty|00|rtmp://127.0.0"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4144; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39291; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Primetime SDK ShimContentResolver out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|13|ShimContentResolver"; fast_pattern:only; content:"|0B|Opportunity"; content:"|07|resolve"; content:"|24 02 4A 01|"; content:"|80|"; within:1; distance:1; content:"|63|"; within:1; 
distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4156; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39290; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Primetime SDK ShimContentResolver out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|13|ShimContentResolver"; fast_pattern:only; content:"|0B|Opportunity"; content:"|07|resolve"; content:"|24 02 4A 01|"; content:"|80|"; within:1; distance:1; content:"|63|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4156; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39289; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ShimContentResolver out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|13|ShimContentResolver"; fast_pattern:only; content:"|0B|Opportunity"; content:"|07|resolve"; content:"|24 01 4A 01|"; content:"|80|"; within:1; distance:1; content:"|63|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4155; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39288; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ShimContentResolver out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|13|ShimContentResolver"; fast_pattern:only; content:"|0B|Opportunity"; content:"|07|resolve"; content:"|24 01 4A 01|"; 
content:"|80|"; within:1; distance:1; content:"|63|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4155; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39287; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player loadSound use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|55 AC 69 B5 BC D6 CC C9 07 41 A4 B5 40 03 72 6A 1A 45 F7 8A 3D 9D BD 16 BE 3F AB 07 0F 46 9B 2F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4147; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39286; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player loadSound use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|55 AC 69 B5 BC D6 CC C9 07 41 A4 B5 40 03 72 6A 1A 45 F7 8A 3D 9D BD 16 BE 3F AB 07 0F 46 9B 2F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4147; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39285; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player loadSound use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08|"; content:"|1C 96 02 00 08|"; within:6; content:"|9B 05 00 00 00 00|"; within:7; content:"|96 02 00 08|"; within:6; content:"|1C 96 02 00 08|"; within:6; content:"|9B 05 00 00 00 00|"; within:7; content:"|96 0B 00 06 00 00 00 00 00 00 00 00 
08|"; within:16; content:"|3D 17 4F 96 04 00 08|"; within:8; content:"|1C 96 07 00 07 02 00 00 00 08|"; within:13; fast_pattern; byte_extract:1,0,soundObj,relative; content:"|1C 96 02 00 08|"; within:5; content:"|4E 96 02 00 08|"; within:6; content:"|52 17 4F 96 04 00 08|"; within:8; content:"|1C 96 07 00 07 02 00 00 00 08|"; within:13; byte_test:1,=,soundObj,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4147; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39284; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player loadSound use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 02 00 08|"; content:"|1C 96 02 00 08|"; within:6; content:"|9B 05 00 00 00 00|"; within:7; content:"|96 02 00 08|"; within:6; content:"|1C 96 02 00 08|"; within:6; content:"|9B 05 00 00 00 00|"; within:7; content:"|96 0B 00 06 00 00 00 00 00 00 00 00 08|"; within:16; content:"|3D 17 4F 96 04 00 08|"; within:8; content:"|1C 96 07 00 07 02 00 00 00 08|"; within:13; fast_pattern; byte_extract:1,0,soundObj,relative; content:"|1C 96 02 00 08|"; within:5; content:"|4E 96 02 00 08|"; within:6; content:"|52 17 4F 96 04 00 08|"; within:8; content:"|1C 96 07 00 07 02 00 00 00 08|"; within:13; byte_test:1,=,soundObj,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4147; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39283; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed JPEG-XR out of bounds memory access attempt"; flow:to_server,established; file_data; content:"|57 4D 50 48 4F 54 4F 00 19 80 C1 71 00 1F 00 1F 00 10 00 00 
42 84 C0 10 93 24 C9 30 00 04 6F FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4141; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39282; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed JPEG-XR out of bounds memory access attempt"; flow:to_client,established; file_data; content:"|57 4D 50 48 4F 54 4F 00 19 80 C1 71 00 1F 00 1F 00 10 00 00 42 84 C0 10 93 24 C9 30 00 04 6F FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4141; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39281; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Primetime SDK object type confusion overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|5D 2A 60 02 66 29 D0 66 05 4F 2A 02 5D 2B 24 02 4A 2B 01 80 2B D7 D3 24 00 5D 06 4A 06 00 61 2C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4149; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39280; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Primetime SDK object type confusion overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|5D 2A 60 02 66 29 D0 66 05 4F 2A 02 5D 2B 24 02 4A 2B 01 80 2B D7 D3 24 00 5D 06 4A 06 00 61 2C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4149; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39279; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player loadSound use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|8E 08 00 00 00 00 03 29 00|"; content:"|4E 96 07 00 07 01 00 00 00 08|"; within:25; byte_extract:1,0,root,relative; content:"|1C 96 02 00 08|"; within:6; content:"|4E 96 02 00 08|"; within:6; content:"|52 17 96 07 00 07 00 00 00 00 08|"; within:12; fast_pattern; content:"|40 87 01 00|"; within:5; content:"|17 96 02 00 08|"; within:6; byte_test:1,=,root,0,relative; content:"|1C 3E|"; within:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4143; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39276; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player loadSound use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|8E 08 00 00 00 00 03 29 00|"; content:"|4E 96 07 00 07 01 00 00 00 08|"; within:25; byte_extract:1,0,root,relative; content:"|1C 96 02 00 08|"; within:6; content:"|4E 96 02 00 08|"; within:6; content:"|52 17 96 07 00 07 00 00 00 00 08|"; within:12; fast_pattern; content:"|40 87 01 00|"; within:5; content:"|17 96 02 00 08|"; within:6; byte_test:1,=,root,0,relative; content:"|1C 3E|"; within:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4143; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39275; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt"; 
flow:to_server,established; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; isdataat:15; byte_test:1,<,13,13; byte_test:1,<,4,14; byte_test:1,<,14,15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1002; reference:cve,2016-1102; reference:cve,2016-4135; reference:cve,2017-2927; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:39274; rev:8;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt"; flow:to_client,established; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; isdataat:15; byte_test:1,<,13,13; byte_test:1,<,4,14; byte_test:1,<,14,15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1002; reference:cve,2016-1102; reference:cve,2016-4135; reference:cve,2017-2927; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:39273; rev:8;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ShimContentFactory uninitialized pointer use attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1D|retrieveOpportunityGenerators"; fast_pattern:only; content:"|12|ShimContentFactory"; nocase; metadata:policy balanced-ips drop, policy 
max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4150; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39272; rev:2;)
# sid 39271: file-download variant of the ShimContentFactory rule. It matches
# two length-prefixed strings in file_data (the second with nocase); neither
# has a distance/within modifier, so no relative order is enforced. It
# requires the file.swf flowbit, which is set by a rule outside this part of
# the file.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ShimContentFactory uninitialized pointer use attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1D|retrieveOpportunityGenerators"; fast_pattern:only; content:"|12|ShimContentFactory"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4150; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39271; rev:2;)
# sid 39270: SMTP variant of the TextFormat.setTabStops rule; the only
# detection condition besides the file.swf flowbit is one fixed 32-byte
# sequence.
# NOTE(review): the metadata lists "service pop3" next to "service smtp",
# although header and flow are the same to_server / $SMTP_SERVERS 25 form as
# the other SMTP variants, which list smtp only. Presumably a leftover;
# confirm against upstream before relying on the service mapping.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash TextFormat.setTabStops use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|4E 96 02 00 08 11 52 17 96 02 00 08 01 1C 96 07 00 08 12 07 00 00 00 00 42 4F 96 05 00 07 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service pop3, service smtp; reference:cve,2016-4142; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39270; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash TextFormat.setTabStops use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|4E 96 02 00 08 11 52 17 96 02 00 08 01 1C 96 07 00 08 12 07 00 00 00 00 42 4F 96 05 00 07 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4142; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; 
classtype:attempted-user; sid:39269; rev:2;)
# sids 39265-39262 (commented out, i.e. disabled in this file): CVE-2016-4132.
# Their metadata carries service entries only and no "policy ..." entry, so
# none of the three policies named on the surrounding rules includes them;
# they run only if enabled explicitly.
# 39265 / 39264 match one fixed 32-byte sequence in file_data and need no
# flowbit. 39263 / 39262 need the file.swf flowbit and match length-prefixed
# "ByteArray" and "toString" plus a short chain of byte sequences that must
# occur within 20 bytes of each other.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player unhandled recursion limit out of bounds read attempt"; flow:to_server,established; file_data; content:"|FC 92 1C 4A FC 48 0D E5 B3 23 40 E0 53 18 E1 55 10 72 D2 66 96 40 57 38 66 98 48 A0 99 66 86 58|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-4132; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,www.talosintel.com/vulnerability-reports; classtype:attempted-user; sid:39265; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player unhandled recursion limit out of bounds read attempt"; flow:to_client,established; file_data; content:"|FC 92 1C 4A FC 48 0D E5 B3 23 40 E0 53 18 E1 55 10 72 D2 66 96 40 57 38 66 98 48 A0 99 66 86 58|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4132; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,www.talosintel.com/vulnerability-reports; classtype:attempted-user; sid:39264; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player unhandled recursion limit out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|09|ByteArray"; fast_pattern:only; content:"|08|toString"; content:"|21 82 6D|"; content:"|20 80|"; within:20; content:"|20 80|"; within:20; content:"|82 6D|"; within:20; metadata:service smtp; reference:cve,2016-4132; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,www.talosintel.com/vulnerability-reports; classtype:attempted-user; sid:39263; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player unhandled recursion limit out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|09|ByteArray"; fast_pattern:only; content:"|08|toString"; content:"|21 82 6D|"; content:"|20 80|"; within:20; content:"|20 80|"; within:20; content:"|82 6D|"; within:20; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4132; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,www.talosintel.com/vulnerability-reports; classtype:attempted-user; sid:39262; rev:2;)
# sids 39319 / 39318: three length-prefixed strings ("ShimOpportunityGenerator",
# "PSDK", "configure") in file_data of flows carrying the file.swf flowbit.
# No content has a distance/within modifier, so the three may appear in any
# order anywhere in the buffer. These are names only, with no bytecode
# condition, so presumably any SWF that references all three matches; review
# alerts with that in mind.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ShimOpportunityGenerator out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|18|ShimOpportunityGenerator"; fast_pattern:only; content:"|04|PSDK"; content:"|09|configure"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4153; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39319; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ShimOpportunityGenerator out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|18|ShimOpportunityGenerator"; fast_pattern:only; content:"|04|PSDK"; content:"|09|configure"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4153; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39318; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player integer overflow attempt"; flow:to_server,established; file_data; content:"|7A 42 84 35 D3 1C 0E 87 E5 E1 6A 39 E0 5D B3 B2 B1 B1 61 5A 55 B3 5A 2D 49 46 29 1A FB 82 8E 4A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips 
drop, service smtp; reference:cve,2015-3087; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:39441; rev:2;)
# sids 39440 / 39439 / 39438 (with 39441 above): CVE-2015-3087. Two fixed
# 32-byte sequences, each in an SMTP and a file-download variant (39441 and
# 39439 share one sequence, 39440 and 39438 the other). No file-type flowbit
# is required, so the sequence is searched in every file_data buffer on the
# listed services. Each rule matches only content containing exactly these
# bytes.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player integer overflow attempt"; flow:to_server,established; file_data; content:"|03 2A 63 08 2A 30 2B 6D 01 1D 08 08 62 05 2D 01 4F 05 01 10 0F 00 00 D0 30 5A 04 2A 63 08 2A 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3087; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:39440; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player integer overflow attempt"; flow:to_client,established; file_data; content:"|7A 42 84 35 D3 1C 0E 87 E5 E1 6A 39 E0 5D B3 B2 B1 B1 61 5A 55 B3 5A 2D 49 46 29 1A FB 82 8E 4A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3087; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:39439; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player integer overflow attempt"; flow:to_client,established; file_data; content:"|03 2A 63 08 2A 30 2B 6D 01 1D 08 08 62 05 2D 01 4F 05 01 10 0F 00 00 D0 30 5A 04 2A 63 08 2A 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3087; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:39438; rev:2;)
# sids 39458 / 39457: CVE-2014-0497, one fixed 32-byte sequence in file_data,
# file-download and SMTP variants. Neither carries a reference:url entry.
# NOTE(review): sid 39458 pairs flow:to_client with the header
# "$EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS". Every other to_client
# rule in this part of the file uses
# "$EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any". Where the rule is selected
# by port, it would presumably only see responses whose client-side port is in
# $FILE_DATA_PORTS; where the service metadata selects it, the ports may not
# matter. Confirm the sensor's behaviour and check upstream for a later
# revision. A local change to the header should use a local copy with its own
# sid, not an edit to sid:39458 rev:1.
alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"FILE-FLASH Adobe Flash Player integer underflow attempt"; flow:to_client,established; file_data; content:"|E8 1D 76 83 E4 69 CF 0D BA 0A 1B FA AE F0 93 DF 12 FD FE 30 03 6D 2A 06 AE 3C 94 A2 AE BB D3 85|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0497; classtype:attempted-user; sid:39458; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player integer underflow attempt"; flow:to_server,established; file_data; content:"|E8 1D 76 83 E4 69 CF 0D BA 0A 1B FA AE F0 93 DF 12 FD FE 30 03 6D 2A 06 AE 3C 94 A2 AE BB D3 85|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0497; classtype:attempted-user; sid:39457; rev:1;)
# sid 39572: SMTP variant of the Transform object rule. It requires the
# file.swf flowbit (set by a rule outside this part of the file) and seven
# contents: four NUL-delimited names and three byte sequences. None has a
# distance/within modifier, so each is searched independently and no order is
# enforced.
# NOTE(review): these strings sit inside the SWF body; assumes the sensor
# exposes decompressed SWF content to file_data. Confirm the preprocessor
# configuration, otherwise compressed files are not inspected by this rule.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Transform object use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00|colorTransform|00|"; fast_pattern:only; content:"|00|geom|00|"; content:"|00|Transform|00|"; content:"|00|addProperty|00|"; content:"|1C 4E 25 96 02 00 08|"; content:"|53 3C 96 02 00 08|"; content:"|52 17 96 02 00 08|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4173; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39572; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Transform object use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00|colorTransform|00|"; fast_pattern:only; content:"|00|geom|00|"; content:"|00|Transform|00|"; content:"|00|addProperty|00|"; content:"|1C 4E 25 96 02 00 08|"; content:"|53 3C 96 02 00 08|"; content:"|52 17 96 02 00 08|"; metadata:policy balanced-ips drop, policy 
max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4173; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39571; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt"; flow:to_server,established; file_data; content:"|24 00 61|"; content:"|24 64 2C|"; within:15; content:"|27 24 02 4F|"; within:4; distance:1; byte_extract:2,0,loadPCM,relative; content:"|27 24 02 4F|"; within:100; byte_test:2,=,loadPCM,0,relative; content:"|30 5A 00 2A|"; within:30; content:"|2A 30 2B 6D 01|"; within:10; fast_pattern; content:"|24 01 24 00 4F|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0984; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:39568; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt"; flow:to_client,established; file_data; content:"|24 00 61|"; content:"|24 64 2C|"; within:15; content:"|27 24 02 4F|"; within:4; distance:1; byte_extract:2,0,loadPCM,relative; content:"|27 24 02 4F|"; within:100; byte_test:2,=,loadPCM,0,relative; content:"|30 5A 00 2A|"; within:30; content:"|2A 30 2B 6D 01|"; within:10; fast_pattern; content:"|24 01 24 00 4F|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0984; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:39567; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt"; 
flow:to_server,established; file_data; content:"FWS"; depth:3; content:"|BF 15|"; fast_pattern; content:"|00 00 00|"; within:3; distance:1; content:"|00|"; within:1; distance:1; content:!"|00|"; within:1; byte_jump:1,-6,relative,little; isdataat:3,relative; content:!"|00|"; within:1; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4177; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39566; rev:6;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"|BF 15|"; fast_pattern; content:"|00 00 00|"; within:3; distance:1; content:"|00|"; within:1; distance:1; content:!"|00|"; within:1; byte_jump:1,-6,relative,little; isdataat:3,relative; content:!"|00|"; within:1; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4177; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39565; rev:6;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TimedEvent memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0A|TimedEvent"; fast_pattern:only; content:"|0B|description"; content:"|5D 01|"; distance:0; content:"|4A 01 01 80 01|"; within:20; content:"|29|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4188; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39564; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TimedEvent 
memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0A|TimedEvent"; fast_pattern:only; content:"|0B|description"; content:"|5D 01|"; distance:0; content:"|4A 01 01 80 01|"; within:20; content:"|29|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4188; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39563; rev:2;)
# CVE-2015-0310 (AS3 regex sign-extension), sids 39561 (SMTP) and 39560 (download).
# Three length-prefixed strings must each appear at or after byte 21 of
# file_data (offset:21). None is relative to another, so order does not
# matter. No content is marked fast_pattern, so Snort selects one itself.
# classtype is denial-of-service, yet all three policies set the action to drop.
# Gated on flowbits:isset,file.swf, which is set by a file-identification rule
# outside this section.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0A|(?!e|7C|())37"; offset:21; content:"|07|sh(?!e|7C|"; offset:21; content:"|06|RegExp"; offset:21; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0310; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-02.html; classtype:denial-of-service; sid:39561; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0A|(?!e|7C|())37"; offset:21; content:"|07|sh(?!e|7C|"; offset:21; content:"|06|RegExp"; offset:21; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0310; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-02.html; classtype:denial-of-service; sid:39560; rev:2;)
# CVE-2016-4226 (Stage align use after free), sids 39559 (SMTP) and 39558 (download).
# The msg text is misspelled as published ("aftre"). Alert text is what
# downstream tooling receives, so searches and correlation for these two rules
# should key on the sid, not on the message string.
# Four case-insensitive, NUL-terminated name strings plus one 10-byte
# sequence must be present.
# The final content:"|96|" has distance:-15 and no within. The search for that
# single byte therefore starts 15 bytes before the end of the preceding
# 10-byte match and is otherwise unbounded. It adds little specificity.
# NOTE(review): check false-positive rate before relying on drop.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Stage align use aftre free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"removeMovieClip|00|"; nocase; content:"createEmptyMovieClip|00|"; nocase; content:"toString|00|"; nocase; content:"ASnative|00|"; fast_pattern:only; nocase; content:"|07 04 00 00 00 07 9A 02 00 00|"; content:"|96|"; distance:-15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4226; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39559; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Stage align use aftre free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"removeMovieClip|00|"; nocase; content:"createEmptyMovieClip|00|"; nocase; content:"toString|00|"; nocase; content:"ASnative|00|"; fast_pattern:only; nocase; content:"|07 04 00 00 00 07 9A 02 00 00|"; content:"|96|"; distance:-15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4226; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39558; rev:2;)
# CVE-2016-4225 (AdBreakPlacement object), sids 39555 (SMTP) and 39554
# (download; continues on the next line).
# The match is three unanchored name strings in a flow flagged file.swf:
# a package name, a length-prefixed "adBreak", and the class name.
# No structural or bytecode condition is checked.
# NOTE(review): any SWF that references these names would appear to satisfy
# the rule; validate against known-good content before enforcing drop.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AdBreakPlacement object memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"com.adobe.tvsdk.mediacore"; content:"|07|adBreak"; content:"AdBreakPlacement"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4225; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39555; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AdBreakPlacement object memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"com.adobe.tvsdk.mediacore"; 
content:"|07|adBreak"; content:"AdBreakPlacement"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4225; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39554; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray type confusion memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|07|valueOf"; fast_pattern:only; content:"|0E|ColorTransform"; content:"|10|writeUnsignedInt"; content:"|0A|readDouble"; content:"_ENDIAN"; content:"|25 F8 07|"; content:"|25 F8 07|"; within:50; content:"|25 F8 07|"; within:50; content:"|25 F8 07|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4249; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39553; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray type confusion memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|07|valueOf"; fast_pattern:only; content:"|0E|ColorTransform"; content:"|10|writeUnsignedInt"; content:"|0A|readDouble"; content:"_ENDIAN"; content:"|25 F8 07|"; content:"|25 F8 07|"; within:50; content:"|25 F8 07|"; within:50; content:"|25 F8 07|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4249; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39552; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MovieClip method loop use-after-free attempt"; 
flow:to_server,established; flowbits:isset,file.swf; file_data; content:"addProperty"; fast_pattern:only; content:"removeMovieClip"; content:"createEmptyMovieClip"; within:400; distance:-100; content:"|96 02 00 08 07|"; distance:0; content:"|96 02 00 08 0A|"; within:40; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4231; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39551; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MovieClip method loop use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"addProperty"; fast_pattern:only; content:"removeMovieClip"; content:"createEmptyMovieClip"; within:400; distance:-100; content:"|96 02 00 08 07|"; distance:0; content:"|96 02 00 08 0A|"; within:40; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4231; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39550; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AdTimelineItem object memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"com.adobe.tvsdk.mediacore"; content:"|07|adBreak"; content:"AdTimelineItem"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4223; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39549; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AdTimelineItem object memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; 
content:"com.adobe.tvsdk.mediacore"; content:"|07|adBreak"; content:"AdTimelineItem"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39548; rev:2;)
# CVE-2016-4178 (local-with-filesystem security bypass), six rules:
#   host spelled 127.0.0.1 : 39545 (SMTP), 39544 (download), 39543 (HTTP request)
#   host spelled localhost : 39542 (SMTP), 39541 (download), 39540 (HTTP request)
# |5C 5C 2E 5C| is the four bytes \\.\ preceding the host name.
#
# file_data variants (39545, 39544, 39542, 39541): ".swf?" (case-insensitive)
# followed within 100 bytes by the \\.\<host> string. They have no file.swf
# flowbit gate, so they are evaluated against any file body or message
# content. No fast_pattern is designated, so Snort selects one itself.
#
# HTTP variants (39543, 39540): the header is
#   $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
# with flow:to_server, so they inspect requests arriving at web servers inside
# $HOME_NET. The first content (fast_pattern:only) has no buffer modifier.
# The next two are matched in http_raw_uri, the URI as sent and before
# normalization, with the host string required after ".swf?" (distance:0).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; file_data; content:".swf?"; nocase; content:"|5C 5C 2E 5C|127.0.0.1"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39545; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_client,established; file_data; content:".swf?"; nocase; content:"|5C 5C 2E 5C|127.0.0.1"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39544; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; content:"|5C 5C 2E 5C|127.0.0.1"; fast_pattern:only; content:".swf?"; nocase; http_raw_uri; content:"|5C 5C 2E 5C|127.0.0.1"; distance:0; http_raw_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39543; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; file_data; content:".swf?"; nocase; content:"|5C 5C 2E 5C|localhost"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39542; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_client,established; file_data; content:".swf?"; nocase; content:"|5C 5C 2E 5C|localhost"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39541; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; content:"|5C 5C 2E 5C|localhost"; fast_pattern:only; content:".swf?"; nocase; http_raw_uri; content:"|5C 5C 2E 5C|localhost"; distance:0; nocase; http_raw_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39540; rev:3;)
# The rule below continues on the next line. It matches one fixed 32-byte
# sequence in file_data (fast_pattern:only), with no positional constraint and
# no file.swf flowbit gate.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed tag out of bounds read attempt"; flow:to_server,established; file_data; content:"|00 13 41 51 61 43 01 00 D9 40 00 13 41 51 0D BA A5 D5 00 00 20 15 B7 54 BA A5 E0 8A C7 8A 2B 1E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, 
policy security-ips drop, service smtp; reference:cve,2016-4176; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39539; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed tag out of bounds read attempt"; flow:to_client,established; file_data; content:"|00 13 41 51 61 43 01 00 D9 40 00 13 41 51 0D BA A5 D5 00 00 20 15 B7 54 BA A5 E0 8A C7 8A 2B 1E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4176; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39538; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed TagTypeAndLength field attempt"; flow:to_server,established; file_data; content:"|BC 7E FA 3F B6 F8 30 F8 8A F4 09 2F B5 27 66 04 8E 21 8C 1C 2A 28 EC 00 F4 AF 3A 62 7C C2 41 23|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4175; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39592; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed TagTypeAndLength field attempt"; flow:to_client,established; file_data; content:"|BC 7E FA 3F B6 F8 30 F8 8A F4 09 2F B5 27 66 04 8E 21 8C 1C 2A 28 EC 00 F4 AF 3A 62 7C C2 41 23|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4175; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39591; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH 
Adobe Flash Player Transform getter use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"removeMovieClip|00|"; content:"createEmptyMovieClip|00|"; content:"Transform|00|"; content:"addProperty|00|"; content:"ASnative|00|"; fast_pattern:only; content:"|A3 01 00 00 07 84 03 00 00|"; content:"|96|"; distance:-15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4230; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39659; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Transform getter use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"removeMovieClip|00|"; content:"createEmptyMovieClip|00|"; content:"Transform|00|"; content:"addProperty|00|"; content:"ASnative|00|"; fast_pattern:only; content:"|A3 01 00 00 07 84 03 00 00|"; content:"|96|"; distance:-15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4230; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39658; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player JPEG handling memory corruption attempt"; flow:to_server,established; file_data; content:"|96 02 00 08 08 4E 96 02 00 08 09 53 3C 96 04 00 08 0A 08 06 1C 96 02 00 08 0B 4E 3C 96 02 00 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4229; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39657; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player JPEG handling memory 
corruption attempt"; flow:to_client,established; file_data; content:"|96 02 00 08 08 4E 96 02 00 08 09 53 3C 96 04 00 08 0A 08 06 1C 96 02 00 08 0B 4E 3C 96 02 00 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4229; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39656; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player swapDepths use after free attempt"; flow:to_server,established; file_data; content:"|1C 96 05 00 07 01 00 00 00 43 3C 96 02 00 08|"; fast_pattern; content:"|96 06 00 08|"; within:4; distance:-24; byte_extract:1,2,toString,relative; content:"|1C 96 07 00 07 01 00 00 00 08|"; within:50; content:"|1C 96 02 00 08|"; within:5; distance:1; byte_extract:1,0,swapDepths,relative; content:"|1C 96 05 00 07 01 00 00 00 43 1D 96 02 00 08|"; distance:0; content:"|96 06 00 08|"; within:4; distance:-24; byte_test:1,=,toString,2,relative; content:"|1C 96 07 00 07 01 00 00 00 08|"; within:100; content:"|1C 96 02 00 08|"; within:5; distance:1; byte_test:1,=,swapDepths,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0999; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:39652; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player swapDepths use after free attempt"; flow:to_client,established; file_data; content:"|1C 96 05 00 07 01 00 00 00 43 3C 96 02 00 08|"; fast_pattern; content:"|96 06 00 08|"; within:4; distance:-24; byte_extract:1,2,toString,relative; content:"|1C 96 07 00 07 01 00 00 00 08|"; within:50; content:"|1C 96 02 00 08|"; within:5; distance:1; byte_extract:1,0,swapDepths,relative; content:"|1C 96 05 00 07 01 00 00 00 43 1D 
96 02 00 08|"; distance:0; content:"|96 06 00 08|"; within:4; distance:-24; byte_test:1,=,toString,2,relative; content:"|1C 96 07 00 07 01 00 00 00 08|"; within:100; content:"|1C 96 02 00 08|"; within:5; distance:1; byte_test:1,=,swapDepths,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0999; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:39651; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MediaPlayerItemLoader out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|15|MediaPlayerItemLoader"; fast_pattern:only; content:"|19|com.adobe.tvsdk.mediacore"; content:"|49 00|"; content:"|21|"; within:2; distance:-6; content:"|21|"; within:2; distance:-4; content:"|21|"; within:2; distance:-4; content:"|21|"; within:2; distance:-4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4182; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39702; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MediaPlayerItemLoader out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|15|MediaPlayerItemLoader"; fast_pattern:only; content:"|19|com.adobe.tvsdk.mediacore"; content:"|49 00|"; content:"|21|"; within:2; distance:-6; content:"|21|"; within:2; distance:-4; content:"|21|"; within:2; distance:-4; content:"|21|"; within:2; distance:-4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4182; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39701; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ABRControlParameters"; fast_pattern:only; content:"minBitRate"; content:"|80 02|"; distance:0; content:"|5D 01 4A 01 00 80 01|"; within:20; content:"|80 02|"; distance:0; content:"|66 0A|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4185; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39698; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ABRControlParameters"; fast_pattern:only; content:"maxTrickPlayBitRate"; content:"|80 02|"; distance:0; content:"|5D 01 4A 01 00 80 01|"; within:20; content:"|80 02|"; distance:0; content:"|66 0A|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4185; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39697; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ABRControlParameters"; fast_pattern:only; content:"maxTrickPlayBandwidthUsage"; content:"|80 02|"; distance:0; content:"|5D 01 4A 01 00 80 01|"; within:20; content:"|80 02|"; distance:0; content:"|66 0A|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; 
reference:cve,2016-4185; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39696; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ABRControlParameters"; fast_pattern:only; content:"maxPlayoutRate"; content:"|80 02|"; distance:0; content:"|5D 01 4A 01 00 80 01|"; within:20; content:"|80 02|"; distance:0; content:"|66 0A|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4185; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39695; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ABRControlParameters"; fast_pattern:only; content:"minBitRate"; content:"|80 02|"; distance:0; content:"|5D 01 4A 01 00 80 01|"; within:20; content:"|80 02|"; distance:0; content:"|66 0A|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4185; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39694; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ABRControlParameters"; fast_pattern:only; content:"maxTrickPlayBitRate"; content:"|80 02|"; distance:0; content:"|5D 01 4A 01 00 80 01|"; within:20; content:"|80 02|"; distance:0; content:"|66 0A|"; within:10; metadata:policy balanced-ips 
drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4185; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39693; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ABRControlParameters"; fast_pattern:only; content:"maxTrickPlayBandwidthUsage"; content:"|80 02|"; distance:0; content:"|5D 01 4A 01 00 80 01|"; within:20; content:"|80 02|"; distance:0; content:"|66 0A|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4185; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39692; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ABRControlParameters"; fast_pattern:only; content:"maxPlayoutRate"; content:"|80 02|"; distance:0; content:"|5D 01 4A 01 00 80 01|"; within:20; content:"|80 02|"; distance:0; content:"|66 0A|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4185; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39691; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ABRControlParameters"; fast_pattern:only; 
content:"initialBitRate"; content:"|80 02|"; distance:0; content:"|5D 01 4A 01 00 80 01|"; within:20; content:"|80 02|"; distance:0; content:"|66 0A|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4185; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39690; rev:2;)
# Reading guide for the rules below (taken from the rule text itself):
#  - "any -> $SMTP_SERVERS 25" with flow:to_server inspects the file as an inbound
#    mail attachment (metadata: service smtp).
#  - "$FILE_DATA_PORTS -> $HOME_NET any" with flow:to_client inspects the file while
#    it is delivered to a client (metadata: service ftp-data/http/imap/pop3).
#  - file_data points the content matches at the extracted file body.
#  - flowbits:isset,file.swf makes a rule conditional on the file.swf flowbit, which
#    must be set by another rule (presumably a file-identify rule; not shown here).
#  - A line starting with "# alert" is a disabled rule: kept in the file, not loaded.
#  - Most signatures come as a pair with identical detection options, one per direction.
#
# CVE-2016-4185, client-delivery variant of sid:39690 above: needs the strings
# "ABRControlParameters" and "initialBitRate" followed by a relative byte chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ABRControlParameters"; fast_pattern:only; content:"initialBitRate"; content:"|80 02|"; distance:0; content:"|5D 01 4A 01 00 80 01|"; within:20; content:"|80 02|"; distance:0; content:"|66 0A|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4185; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39689; rev:2;)
# CVE-2016-4222 pair: length-prefixed names "printAsBitmap" and "PrintJobOptions",
# then the bytes 00 82 twice, the second within 20 bytes of the first.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PrintJobOptions use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0D|printAsBitmap"; fast_pattern:only; content:"|0F|PrintJobOptions"; content:"|00 82|"; distance:0; content:"|00 82|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4222; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39712; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PrintJobOptions use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0D|printAsBitmap"; fast_pattern:only; content:"|0F|PrintJobOptions"; content:"|00 82|"; distance:0; content:"|00 82|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4222; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39711; rev:2;)
# CVE-2016-4228 pair: five strings, each searched from offset 21 of the file data,
# then 07 84 03 00 00 anywhere after the "ASnative" match (distance:0).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Rectangle constructor use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"scrollRect"; offset:21; content:"flash|00|geom"; offset:21; content:"addProperty"; offset:21; content:"Rectangle"; offset:21; content:"ASnative"; offset:21; fast_pattern; content:"|07 84 03 00 00|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4228; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39728; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Rectangle constructor use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"scrollRect"; offset:21; content:"flash|00|geom"; offset:21; content:"addProperty"; offset:21; content:"Rectangle"; offset:21; content:"ASnative"; offset:21; fast_pattern; content:"|07 84 03 00 00|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4228; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39727; rev:2;)
# CVE-2015-7652 pair: byte_extract stores two one-byte values (var1, var2) and the
# later byte_test options require the same values to recur, so the rule matches a
# repeated sequence rather than fixed bytes. No file.swf flowbit check on this pair.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt"; flow:to_server,established; file_data; content:"|52 17 96 25 00 08|"; content:"|07 64 00 00 00 07 90 01 00 00 07|"; within:12; content:"|00 00 00 06 00 00 23 40 00 00 00 00 06 00 00 00 00 00 00 00 00 08|"; within:23; fast_pattern; byte_extract:1,0,var1,relative; content:"|1C 96 02 00 08|"; within:5; content:"|52 96 09 00 08|"; within:5; distance:1; byte_extract:1,0,var2,relative; content:"|1C 96 07 00 07 01 00 00 00 08|"; within:20; distance:70; byte_test:1,=,var2,0,relative; content:"|52 17 96 25 00 08|"; within:20; content:"|07 64 00 00 00 07 90 01 00 00 07|"; within:12; content:"|00 00 00 06 00 00 23 40 00 00 00 00 06 00 00 00 00 00 00 00 00 08|"; within:30; byte_test:1,=,var1,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7652; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:39789; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt"; flow:to_client,established; file_data; content:"|52 17 96 25 00 08|"; content:"|07 64 00 00 00 07 90 01 00 00 07|"; within:12; content:"|00 00 00 06 00 00 23 40 00 00 00 00 06 00 00 00 00 00 00 00 00 08|"; within:23; fast_pattern; byte_extract:1,0,var1,relative; content:"|1C 96 02 00 08|"; within:5; content:"|52 96 09 00 08|"; within:5; distance:1; byte_extract:1,0,var2,relative; content:"|1C 96 07 00 07 01 00 00 00 08|"; within:20; distance:70; byte_test:1,=,var2,0,relative; content:"|52 17 96 25 00 08|"; within:20; content:"|07 64 00 00 00 07 90 01 00 00 07|"; within:12; content:"|00 00 00 06 00 00 23 40 00 00 00 00 06 00 00 00 00 00 00 00 00 08|"; within:30; byte_test:1,=,var1,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7652; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:39788; rev:2;)
# CVE-2014-0569 pair: the string "atomicCompareAndSwapLength" plus two byte
# sequences, the second within 40 bytes of the first.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"atomicCompareAndSwapLength"; fast_pattern:only; content:"|25 80 10 61 04|"; content:"|25 80 10 24 00 4F 08 02|"; within:40; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:40010; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"atomicCompareAndSwapLength"; fast_pattern:only; content:"|25 80 10 61 04|"; content:"|25 80 10 24 00 4F 08 02|"; within:40; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:attempted-user; sid:40009; rev:1;)
# CVE-2016-1105 pair: a single fixed byte sequence, fast-pattern only. A signature of
# this shape covers only files that carry exactly these bytes.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player FileReference type confusion attempt"; flow:to_server,established; file_data; content:"|4F 96 04 00 04 01 08 07 4E 87 01 00 02 17 96 04 00 04 02 08 02 8E 08 00 00 00 00 03 19 00 34 00 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1105; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39957; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player FileReference type confusion attempt"; flow:to_client,established; file_data; content:"|4F 96 04 00 04 01 08 07 4E 87 01 00 02 17 96 04 00 04 02 08 02 8E 08 00 00 00 00 03 19 00 34 00 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1105; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-15.html; classtype:attempted-user; sid:39956; rev:2;)
# CVE-2015-5551 pair (disabled): single fixed byte sequence; when enabled it is a
# drop rule only under the max-detect-ips and security-ips policies.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player attachMovie use after free attempt"; flow:to_server,established; file_data; content:"|96 02 00 08 01 52 17 96 02 00 08 02 3E 07 96 08 00 08 03 08 04 08 05 08 06 1C 96 05 00 07 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5551; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:39955; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player attachMovie use after free attempt"; flow:to_client,established; file_data; content:"|96 02 00 08 01 52 17 96 02 00 08 02 3E 07 96 08 00 08 03 08 04 08 05 08 06 1C 96 05 00 07 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5551; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-admin; sid:39954; rev:2;)
# CVE-2016-4271 pair (string variant): length-prefixed names "navigateToURL",
# "URLRequest" and "repeat" plus a relative byte chain.
# NOTE(review): the SMTP rule sid:40181 has no flowbits:isset,file.swf while its
# client-delivery twin sid:40180 does, so the two directions are gated differently.
# Confirm whether that is intended before relying on them as an equivalent pair.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem sandbox escape attempt"; flow:to_server,established; file_data; content:"|0D|navigateToURL"; fast_pattern:only; content:"|0A|URLRequest"; content:"|06|repeat"; content:"|65 01 6C|"; content:"|A0 4A|"; within:25; content:"|01 2C|"; within:2; distance:1; content:"|02 29|"; within:2; distance:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4271; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40181; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem sandbox escape attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|0D|navigateToURL"; fast_pattern:only; content:"|0A|URLRequest"; content:"|06|repeat"; content:"|65 01 6C|"; content:"|A0 4A|"; within:25; content:"|01 2C|"; within:2; distance:1; content:"|02 29|"; within:2; distance:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4271; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40180; rev:2;)
# CVE-2016-4271 pair (fixed-bytes variant): same msg as the pair above, but matches
# one fixed byte sequence only.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem sandbox escape attempt"; flow:to_server,established; file_data; content:"|69 FE 05 6F C3 34 12 65 54 F8 63 1E B1 5F C2 3C CD C8 4A 48 7C B2 5F C2 04 61 CC EB 6E F2 94 C0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4271; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40179; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem sandbox escape attempt"; flow:to_client,established; file_data; content:"|69 FE 05 6F C3 34 12 65 54 F8 63 1E B1 5F C2 3C CD C8 4A 48 7C B2 5F C2 04 61 CC EB 6E F2 94 C0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4271; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40178; rev:2;)
# CVE-2016-4284 pair (disabled): fixed byte sequence plus the length-prefixed names
# "ContextMenu", "clipboardItems" and "clone" anywhere in the file.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash ContextMenu Clone memory corruption vulnerability attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|5D 01 4A 01 00 82 D5 F0 0B D1 20 61 02 F0 0C D1 46 03 00|"; fast_pattern:only; content:"|0B|ContextMenu"; content:"|0E|clipboardItems"; content:"|05|clone"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4284; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40177; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash ContextMenu Clone memory corruption vulnerability attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|5D 01 4A 01 00 82 D5 F0 0B D1 20 61 02 F0 0C D1 46 03 00|"; fast_pattern:only; content:"|0B|ContextMenu"; content:"|0E|clipboardItems"; content:"|05|clone"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4284; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40176; rev:2;)
# CVE-2016-4281 pair (disabled): single fixed byte sequence. The metadata carries
# only service entries, so no policy assigns these rules even if they are enabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|F0 0A D0 49 00 EF 01 04 00 0B F0 0B 5D 01 24 01 4A 01 01 82 D5 F0 0C D1 20 46 02 01 29 F0 0D 47|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-4281; classtype:attempted-admin; sid:40175; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|F0 0A D0 49 00 EF 01 04 00 0B F0 0B 5D 01 24 01 4A 01 01 82 D5 F0 0C D1 20 46 02 01 29 F0 0D 47|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4281; classtype:attempted-admin; sid:40174; rev:2;)
# CVE-2016-4282 pair (disabled): single fixed byte sequence, service-only metadata.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Standalone Flash Player out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|F0 0A D0 49 00 EF 01 04 00 0B F0 0B 5D 01 24 02 4A 01 01 80 01 D5 F0 0C D1 20 20 46 02 02 29 F0|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-4282; classtype:attempted-admin; sid:40173; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Standalone Flash Player out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|F0 0A D0 49 00 EF 01 04 00 0B F0 0B 5D 01 24 02 4A 01 01 80 01 D5 F0 0C D1 20 20 46 02 02 29 F0|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4282; classtype:attempted-admin; sid:40172; rev:1;)
# CVE-2016-4279 pair (disabled): single fixed byte sequence evaluated as a normal
# content match (no fast_pattern option given), service-only metadata.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Standalone Flash Player use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|3C 96 05 00 07 6F 00 00 00 26 8E 08 00 00 00 00 04 59 00 81 00 96 05 00 07 7B 00 00 00 26 96 0D|"; metadata:service smtp; reference:cve,2016-4279; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-admin; sid:40171; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Standalone Flash Player use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3C 96 05 00 07 6F 00 00 00 26 8E 08 00 00 00 00 04 59 00 81 00 96 05 00 07 7B 00 00 00 26 96 0D|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4279; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-admin; sid:40170; rev:2;)
# CVE-2016-4272 pair: strings "DisplacementMapFilter" and "removeMovieClip", then the
# same 7-byte sequence three times, each repeat within 20 bytes of the previous one.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DisplacementMapFilter use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"DisplacementMapFilter"; fast_pattern:only; content:"removeMovieClip"; content:"|96 04 00 04 04 08 07|"; distance:0; content:"|96 04 00 04 04 08 07|"; within:20; content:"|96 04 00 04 04 08 07|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4272; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40169; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DisplacementMapFilter use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"DisplacementMapFilter"; fast_pattern:only; content:"removeMovieClip"; content:"|96 04 00 04 04 08 07|"; distance:0; content:"|96 04 00 04 04 08 07|"; within:20; content:"|96 04 00 04 04 08 07|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4272; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40168; rev:2;)
# CVE-2016-4283 pair: strings "ShimContentResolver" and "Opportunity", then three
# byte sequences chained with distance:0, within:100 and within:20.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ShimContentResolver out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ShimContentResolver"; fast_pattern:only; content:"Opportunity"; content:"|5E 03 5D 04 24 02 4A 04 01 61 03|"; distance:0; content:"|5E 0E 5D 0F 2C 1B 5D 05 66 05 5D 01 66 01 5D 01 66 01 4A 0F 04 61 0E|"; within:100; content:"|5D 03 66 03 5D 0E 66 0E 46 10 01|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4283; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40167; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ShimContentResolver out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ShimContentResolver"; fast_pattern:only; content:"Opportunity"; content:"|5E 03 5D 04 24 02 4A 04 01 61 03|"; distance:0; content:"|5E 0E 5D 0F 2C 1B 5D 05 66 05 5D 01 66 01 5D 01 66 01 4A 0F 04 61 0E|"; within:100; content:"|5D 03 66 03 5D 0E 66 0E 46 10 01|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4283; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40166; rev:2;)
# CVE-2016-4277 group (five disabled rules): unlike the file rules in this file these
# inspect HTTP requests to $HOME_NET on $HTTP_PORTS. Each looks for one URI scheme
# string (shel:, ms-help:, its:, mk-its:, mk:) preceded by a space in the normalized
# URI (http_uri) and by "+" in the raw URI (http_raw_uri). No file_data, no flowbits.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player navigatetoURL sandbox escape attempt"; flow:to_server,established; content:" shel:"; fast_pattern:only; http_uri; content:"+shel:"; nocase; http_raw_uri; metadata:service http; reference:cve,2016-4277; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-admin; sid:40165; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player navigatetoURL sandbox escape attempt"; flow:to_server,established; content:" ms-help:"; fast_pattern:only; http_uri; content:"+ms-help:"; nocase; http_raw_uri; metadata:service http; reference:cve,2016-4277; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-admin; sid:40164; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player navigatetoURL sandbox escape attempt"; flow:to_server,established; content:" its:"; fast_pattern:only; http_uri; content:"+its:"; nocase; http_raw_uri; metadata:service http; reference:cve,2016-4277; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-admin; sid:40163; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player navigatetoURL sandbox escape attempt"; flow:to_server,established; content:" mk-its:"; fast_pattern:only; http_uri; content:"+mk-its:"; nocase; http_raw_uri; metadata:service http; reference:cve,2016-4277; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-admin; sid:40162; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player navigatetoURL sandbox escape attempt"; flow:to_server,established; content:" mk:"; fast_pattern:only; http_uri; content:"+mk:"; nocase; http_raw_uri; metadata:service http; reference:cve,2016-4277; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-admin; sid:40161; rev:1;)
# CVE-2016-4280 pair: NUL-delimited names "NetStream", "TextSnapshot" and "getCount"
# in any order, plus one fixed byte sequence used as the fast pattern.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetStream type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00|NetStream|00|"; content:"|00|TextSnapshot|00|"; content:"|00|getCount|00|"; content:"|96 0A 00 02 07 01 00 00 00 04 03 08 0B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4280; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40160; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetStream type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00|NetStream|00|"; content:"|00|TextSnapshot|00|"; content:"|00|getCount|00|"; content:"|96 0A 00 02 07 01 00 00 00 04 03 08 0B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4280; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40159; rev:2;)
# CVE-2016-4276 pair (client-delivery rule listed first): a structural check instead
# of a fixed signature. After 00 BF 06 the next 4-byte little-endian value must be
# below 0x0100 and the byte at relative offset 4 must lie in 0x20..0x3F; byte_jump
# then skips ahead by that 4-byte value and the byte just before the landing point
# must not be 0x00. Presumably the 4-byte value is a tag length; verify against the
# SWF specification.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed placeObject2 memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00 BF 06|"; byte_test:4,<,0x0100,0,relative,little; byte_test:1,<=,0x3F,4,relative; byte_test:1,>=,0x20,4,relative; byte_jump:4,0,relative,little; content:!"|00|"; within:1; distance:-1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4276; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40158; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed placeObject2 memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00 BF 06|"; byte_test:4,<,0x0100,0,relative,little; byte_test:1,<=,0x3F,4,relative; byte_test:1,>=,0x20,4,relative; byte_jump:4,0,relative,little; content:!"|00|"; within:1; distance:-1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4276; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40157; rev:4;)
# CVE-2016-4275 pair (disabled): single fixed byte sequence, no file.swf flowbit check.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash AVC Decoder Memory Corruption attempt"; flow:to_server,established; file_data; content:"|D3 A9 7B 45 07 8D 14 01 00 81 00 00 0F 2F 08 00 01 04 00 25 2D 00 00 00 00 AF 01 21 0A CF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4275; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40156; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash AVC Decoder Memory Corruption attempt"; flow:to_client,established; file_data; content:"|D3 A9 7B 45 07 8D 14 01 00 81 00 00 0F 2F 08 00 01 04 00 25 2D 00 00 00 00 AF 01 21 0A CF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4275; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40155; rev:2;)
# CVE-2016-4274 pair: single fixed byte sequence, gated on the file.swf flowbit.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed VideoFrame memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|16 00 02 00 09 3E 00 01 00 00 01 64 C5 00 00 88 00 01 03 95 06 30 BF 00 00 FC CD FA D4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4274; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40154; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed VideoFrame memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|16 00 02 00 09 3E 00 01 00 00 01 64 C5 00 00 88 00 01 03 95 06 30 BF 00 00 FC CD FA D4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4274; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-user; sid:40153; rev:2;)
# CVE-2016-4285 pair: matches on three length-prefixed names only ("DRMDeviceGroup",
# "DRMManager", "addToDeviceGroup") with no byte-level condition, so any SWF that
# references all three names will alert. Classified attempted-admin.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DRMManager memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0E|DRMDeviceGroup"; fast_pattern:only; content:"|0A|DRMManager"; content:"|10|addToDeviceGroup"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4285; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-admin; sid:40152; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DRMManager memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0E|DRMDeviceGroup"; fast_pattern:only; content:"|0A|DRMManager"; content:"|10|addToDeviceGroup"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4285; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-29.html; classtype:attempted-admin; sid:40151; rev:2;)
# CVE-2016-4232 pair: strings "ColorTransform" and "addProperty", then a relative
# chain in which byte_extract stores two one-byte values (named ColorTransform and
# geom) that the closing byte_test options require to recur. No file.swf flowbit check.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS2 custom getter addProperty use after free attempt"; flow:to_server,established; file_data; content:"ColorTransform|00|"; content:"addProperty|00|"; content:"|52 17 96 35 00|"; content:"|4E 96 02 00 08|"; within:5; distance:59; byte_extract:1,0,ColorTransform,relative; byte_extract:1,-7,geom,relative; content:"|53 3C 96|"; within:3; distance:6; content:"|52 17 96|"; within:100; content:"|4E 96 02 00 08|"; within:20; byte_test:1,=,ColorTransform,0,relative; byte_test:1,=,geom,-6,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4232; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:40219; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS2 custom getter addProperty use after free attempt"; flow:to_client,established; file_data; content:"ColorTransform|00|"; content:"addProperty|00|"; content:"|52 17 96 35 00|"; content:"|4E 96 02 00 08|"; within:5; distance:59; byte_extract:1,0,ColorTransform,relative; byte_extract:1,-7,geom,relative; content:"|53 3C 96|"; within:3; distance:6; content:"|52 17 96|"; within:100; content:"|4E 96 02 00 08|"; within:20; byte_test:1,=,ColorTransform,0,relative; byte_test:1,=,geom,-6,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4232; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:40218; rev:2;)
# CVE-2016-6986 pair: single fixed byte sequence, no file.swf flowbit check.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player FrameLabel memory corruption attempt"; flow:to_server,established; file_data; content:"|C9 0A 3E 0B 9C 53 C7 65 4E 72 52 EC 57 63 12 CB 41 B4 0C 1A A2 12 8C 5A 61 F4 7C 11 96 AE C7 63|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6986; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-32.html; classtype:attempted-user; sid:40443; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player FrameLabel memory corruption attempt"; flow:to_client,established; file_data; content:"|C9 0A 3E 0B 9C 53 C7 65 4E 72 52 EC 57 63 12 CB 41 B4 0C 1A A2 12 8C 5A 61 F4 7C 11 96 AE C7 63|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6986; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-32.html; classtype:attempted-user; sid:40442; rev:2;)
# CVE-2016-6981 pair: short byte sequences only, chained with within/distance. No
# string anchor, no explicit fast_pattern and no reference:url on these two rules.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Standalone Flash Player AS3 NetStream object use after free attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|49 00 5D|"; content:"|00 80|"; within:2; distance:3; content:"|D6 D2 21 20 4F|"; within:5; distance:1; content:"|D1 20 4F|"; within:100; content:"|01 D1 24 00 4F|"; within:5; distance:1; content:"|01 47|"; within:3; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6981; classtype:attempted-user; sid:40439; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Standalone Flash Player AS3 NetStream object use after free attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|49 00 5D|"; content:"|00 80|"; within:2; distance:3; content:"|D6 D2 21 20 4F|"; within:5; distance:1; content:"|D1 20 4F|"; within:100; content:"|01 D1 24 00 4F|"; within:5; distance:1; content:"|01 47|"; within:3; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6981; classtype:attempted-user; sid:40438; rev:2;)
# CVE-2016-4273 pair (disabled): short anchors followed by a pcre that looks for a
# run of NUL or printable bytes, then one byte in 0xC0..0xFF, then a byte in 0x20..0x7F.
# NOTE(review): the SMTP rule sid:40435 lists "service ftp-data, service smtp" in its
# metadata, whereas every other SMTP rule in this section lists "service smtp" alone.
# It looks like a leftover from the client-delivery twin; confirm before enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed ActionConstantPool memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|3F 03|"; content:"|00 00 88|"; within:3; distance:2; content:"|00|"; within:1; distance:1; content:"|00|"; within:1; distance:1; pcre:"/\x00\x00\x88.\x00.\x00[\x00\x20-\x7E]{1,255}?[\xC0-\xFF][\x20-\x7F]/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2016-4273; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-32.html; classtype:attempted-user; sid:40435; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed ActionConstantPool memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3F 03|"; content:"|00 00 88|"; within:3; distance:2; content:"|00|"; within:1; distance:1; content:"|00|"; within:1; distance:1; pcre:"/\x00\x00\x88.\x00.\x00[\x00\x20-\x7E]{1,255}?[\xC0-\xFF][\x20-\x7F]/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4273; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-32.html; classtype:attempted-user; sid:40434; rev:2;)
# CVE-2016-6983 pair: strings "ShimContentResolver" and
# "com.adobe.tvsdk.mediacore.timeline", then a chain in which byte_extract stores a
# 3-byte value (ConstructAudSet) that byte_test requires to recur. No reference:url.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Standalone Flash Player AS3 Primetime timeline ShimContentResolver out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"ShimContentResolver"; fast_pattern:only; content:"com.adobe.tvsdk.mediacore.timeline"; content:"|24 00 4A|"; content:"|20 20 5D|"; within:3; distance:4; byte_extract:3,0,ConstructAudSet,relative; content:"|00 5D|"; within:2; byte_test:3,=,ConstructAudSet,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6983; classtype:attempted-user; sid:40453; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Standalone Flash Player AS3 Primetime timeline ShimContentResolver out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"ShimContentResolver"; fast_pattern:only; content:"com.adobe.tvsdk.mediacore.timeline"; content:"|24 00 4A|"; content:"|20 20 5D|"; within:3; distance:4; byte_extract:3,0,ConstructAudSet,relative; content:"|00 5D|"; within:2; byte_test:3,=,ConstructAudSet,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6983; classtype:attempted-user; sid:40452; rev:2;)
# Reading guide (taken from the rule text itself): "any -> $SMTP_SERVERS 25" with
# flow:to_server inspects the file as an inbound mail attachment, while
# "$FILE_DATA_PORTS -> $HOME_NET any" with flow:to_client inspects it during delivery
# to a client over ftp-data/http/imap/pop3. file_data points the content matches at
# the extracted file body. flowbits:isset,file.swf makes a rule conditional on a
# flowbit set by another rule (presumably a file-identify rule; not shown here).
#
# CVE-2016-6984 pair: three length-prefixed method names, then single-byte matches
# (46, 46, 29) tied together with within/distance.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player QOSProvider use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|11|createQOSProvider"; content:"|11|attachMediaPlayer"; content:"|1B|detachMediaPlayerItemLoader"; fast_pattern:only; content:"|46|"; content:"|46|"; within:1; distance:5; content:"|29|"; within:1; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6984; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-32.html; classtype:attempted-user; sid:40503; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player QOSProvider use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|11|createQOSProvider"; content:"|11|attachMediaPlayer"; content:"|1B|detachMediaPlayerItemLoader"; fast_pattern:only; content:"|46|"; content:"|46|"; within:1; distance:5; content:"|29|"; within:1; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6984; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-32.html; classtype:attempted-user; sid:40502; rev:2;)
# CVE-2016-6982 pair: matches on names only. Four length-prefixed names must be
# present and the length-prefixed name "play" must be absent.
# NOTE(review): the negated content has no offset/depth/within, so as written it
# applies to the whole inspected buffer, and the rule has no byte-level condition.
# Validate against benign SWF samples before relying on the drop policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Standalone Flash Player PSDK FlashRuntime mediaplayer pause attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|13|PSDKEventDispatcher"; content:"|11|createMediaPlayer"; content:"|0B|MediaPlayer"; content:"|05|pause"; content:!"|04|play"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6982; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-32.html; classtype:attempted-user; sid:40496; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Standalone Flash Player PSDK FlashRuntime mediaplayer pause attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|13|PSDKEventDispatcher"; content:"|11|createMediaPlayer"; content:"|0B|MediaPlayer"; content:"|05|pause"; content:!"|04|play"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6982; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-32.html; classtype:attempted-user; sid:40495; rev:2;)
# CVE-2016-7855 pair: five length-prefixed serialization method names, then a chain
# in which byte_extract stores one byte (position) that byte_test requires to recur
# after the next sequence. No file.swf flowbit check on this pair.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Standalone Flash Player IExternalizable deserialization use after free attempt"; flow:to_server,established; file_data; content:"|0A|readObject"; content:"|0B|writeObject"; content:"|0C|readExternal"; content:"|0D|writeExternal"; content:"|12|registerClassAlias"; fast_pattern:only; content:"|D2 24 00 61|"; byte_extract:1,0,position,relative; content:"|D2 D1 4F|"; within:3; content:"|01 D2 24 00 61|"; within:5; distance:1; byte_test:1,=,position,0,relative; content:"|D2 4F|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7855; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-36.html; classtype:attempted-user; sid:40545; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Standalone Flash Player IExternalizable deserialization use after free attempt"; flow:to_client,established; file_data; content:"|0A|readObject"; content:"|0B|writeObject"; content:"|0C|readExternal"; content:"|0D|writeExternal"; content:"|12|registerClassAlias"; fast_pattern:only; content:"|D2 24 00 61|"; byte_extract:1,0,position,relative; content:"|D2 D1 4F|"; within:3; content:"|01 D2 24 00 61|"; within:5; distance:1; byte_test:1,=,position,0,relative; content:"|D2 4F|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7855; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-36.html; classtype:attempted-user; sid:40544; rev:3;)
# CVE-2016-6985 pair: single fixed byte sequence, fast-pattern only, no file.swf
# flowbit check. A signature of this shape covers only files carrying exactly these bytes.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player event handler out of bounds memory access attempt"; flow:to_server,established; file_data; content:"|2C 0E 24 01 4A 05 02 80 05 6D 01 F0 0E 65 01 40 01 80 06 6D 02 F1 04 F0 13 65 01 6C 01 2C 10 65 01 6C 02 46 07 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6985; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-32.html; classtype:attempted-user; sid:40584; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player event handler out of bounds memory access attempt"; flow:to_client,established; file_data; content:"|2C 0E 24 01 4A 05 02 80 05 6D 01 F0 0E 65 01 40 01 80 06 6D 02 F1 04 F0 13 65 01 6C 01 2C 10 65 01 6C 02 46 07 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6985; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-32.html; classtype:attempted-user; sid:40583; rev:2;)
# CVE-2016-6987 pair: NUL-delimited names "removeMovieClip" and "Accessibility", then
# two relative chains. The content "|1C 96 02 00 08|" that carries no within/distance
# starts a new search that is not tied to the matches before it.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player sentEvent use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00|removeMovieClip|00|"; content:"|00|Accessibility|00|"; fast_pattern:only; content:"|4E 96 05 00 07|"; content:"|0B 87 01 00|"; within:8; distance:4; content:"|96 0B 00 06 00 00 00 00 00 00 00 00 08|"; within:50; content:"|1C 96 02 00 04|"; within:6; distance:1; content:"|4E 96 02 00 08|"; within:6; distance:1; content:"|52 17|"; within:3; distance:1; content:"|1C 96 02 00 08|"; content:"|4E 48 12 9D 02 00|"; within:7; distance:1; content:"|1C 96 02 00 08|"; within:150; content:"|4E 4F|"; within:3; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6987; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-32.html; classtype:attempted-user; sid:40582; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player sentEvent use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00|removeMovieClip|00|"; content:"|00|Accessibility|00|"; fast_pattern:only; content:"|4E 96 05 00 07|"; content:"|0B 87 01 00|"; within:8; distance:4; content:"|96 0B 00 06 00 00 00 00 00 00 00 00 08|"; within:50; content:"|1C 96 02 00 04|"; within:6; distance:1; content:"|4E 96 02 00 08|"; within:6; distance:1; content:"|52 17|"; within:3; distance:1; content:"|1C 96 02 00 08|"; content:"|4E 48 12 9D 02 00|"; within:7; distance:1; content:"|1C 96 02 00 08|"; within:150; content:"|4E 4F|"; within:3; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6987; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-32.html; classtype:attempted-user; sid:40581; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative setFocus use after free attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"ASnative|00|"; fast_pattern:only; content:"addProperty|00|"; content:"createEmptyMovieClip|00|"; content:"removeMovieClip|00|"; content:"|07 03 00 00 00 08|"; content:"|1C 96 02 00 08|"; within:5; distance:1; content:"|52 17 96|"; within:3; distance:1; content:"|07 02 00 00 00 08|"; within:50; 
content:"|3D 4F|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7864; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-user; sid:40749; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative setFocus use after free attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"ASnative|00|"; fast_pattern:only; content:"addProperty|00|"; content:"createEmptyMovieClip|00|"; content:"removeMovieClip|00|"; content:"|07 03 00 00 00 08|"; content:"|1C 96 02 00 08|"; within:5; distance:1; content:"|52 17 96|"; within:3; distance:1; content:"|07 02 00 00 00 08|"; within:50; content:"|3D 4F|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7864; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-user; sid:40748; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextField use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"createTextField"; fast_pattern:only; content:"createEmptyMovieClip"; content:"removeMovieClip"; content:"|96 02 00 08|"; content:"|52 3C 96 02 00 08|"; within:6; distance:1; content:"|1C 96 04 00 08|"; within:5; distance:1; byte_extract:1,2,textField,relative; content:"|96 09 00 08|"; distance:0; byte_test:1,=,textField,0,relative; content:"|1C 96 02 00 08|"; within:5; distance:8; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7863; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-user; sid:40747; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS 
-> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextField use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"createTextField"; fast_pattern:only; content:"createEmptyMovieClip"; content:"removeMovieClip"; content:"|96 02 00 08|"; content:"|52 3C 96 02 00 08|"; within:6; distance:1; content:"|1C 96 04 00 08|"; within:5; distance:1; byte_extract:1,2,textField,relative; content:"|96 09 00 08|"; distance:0; byte_test:1,=,textField,0,relative; content:"|1C 96 02 00 08|"; within:5; distance:8; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7863; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-user; sid:40746; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Primetime SDK setObject type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|22|com.adobe.tvsdk.mediacore.metadata"; fast_pattern:only; content:"|09|setObject"; content:"|4A 03 00 80 03 D5|"; content:"|4F 04 02 47|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7861; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-recon; sid:40745; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Primetime SDK setObject type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|22|com.adobe.tvsdk.mediacore.metadata"; fast_pattern:only; content:"|09|setObject"; content:"|4A 03 00 80 03 D5|"; content:"|4F 04 02 47|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7861; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-recon; 
sid:40744; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AVSegmentedSource use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|11|AVSegmentedSource"; fast_pattern:only; content:"|1A|loadWithBackgroundManifest"; content:"|08|AVStream"; content:"|07|dispose"; content:"|4A 0A 00 80|"; content:"|4A 0B 01 80|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7857; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-user; sid:40743; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AVSegmentedSource use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|11|AVSegmentedSource"; fast_pattern:only; content:"|1A|loadWithBackgroundManifest"; content:"|08|AVStream"; content:"|07|dispose"; content:"|4A 0A 00 80|"; content:"|4A 0B 01 80|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7857; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-user; sid:40742; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player addCallback use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|4E 96 02 00 08 11 4E 96 02 00 08 12 4E 4F 96 0E 00 08 03 07 00 20 00 00 07 01 00 00 00 08 06 40|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7858; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-user; sid:40741; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any 
(msg:"FILE-FLASH Adobe Flash Player addCallback use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|4E 96 02 00 08 11 4E 96 02 00 08 12 4E 4F 96 0E 00 08 03 07 00 20 00 00 07 01 00 00 00 08 06 40|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7858; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-user; sid:40740; rev:2;)
# ^ end of sid 40740 (addCallback use after free, CVE-2016-7858, to_client variant).
#   Its only content is a single 32-byte fast_pattern:only sequence.
#
# sids 40739 (SMTP) / 40738 (to_client): ActionExtends use after free, CVE-2016-7859
# (APSB16-37). fast_pattern:only on |96 04 00 04 04 04 07 69| plus four method names
# anywhere in file_data. getNextHighestDepth, removeTextField and addProperty are
# matched nocase; createTextField is matched case-sensitively.
# NOTE(review): the two msg strings differ. sid 40738 reads "Adobe Adobe Flash Player"
# while sid 40739 reads "Adobe Flash Player". Dashboards, suppressions or SIEM
# correlation keyed on the msg text will treat them as two different detections;
# key on the sid (40738/40739) instead. If the text is corrected, bump rev with it.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionExtends use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 04 00 04 04 04 07 69|"; fast_pattern:only; content:"getNextHighestDepth"; nocase; content:"removeTextField"; nocase; content:"createTextField"; content:"addProperty"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7859; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-admin; sid:40739; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Adobe Flash Player ActionExtends use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 04 00 04 04 04 07 69|"; fast_pattern:only; content:"getNextHighestDepth"; nocase; content:"removeTextField"; nocase; content:"createTextField"; content:"addProperty"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7859; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-admin; sid:40738; rev:2;)
# The next rule (Primetime SDK AdvertisingMetadata, SMTP variant) starts here and
# continues on the following line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Primetime SDK AdvertisingMetadata type 
confustion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"AdvertisingMetadata"; content:".tvsdk.mediacore.metadata"; content:"|2C 07 85 D6 D1 D2 2F 01 4F 04 02 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7860; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-admin; sid:40737; rev:2;)
# ^ end of sid 40737 (SMTP variant). sid 40736 below is the to_client variant of the
#   same detection: Primetime SDK AdvertisingMetadata type confusion, CVE-2016-7860
#   (APSB16-37). Contents: the strings AdvertisingMetadata and
#   .tvsdk.mediacore.metadata anywhere in file_data, plus a 12-byte
#   fast_pattern:only sequence.
# NOTE(review): both msg strings spell the word as "confustion". An alert search or
# report filter on "type confusion" will miss sids 40736/40737. Match on the sid,
# or on "AdvertisingMetadata", instead.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Primetime SDK AdvertisingMetadata type confustion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"AdvertisingMetadata"; content:".tvsdk.mediacore.metadata"; content:"|2C 07 85 D6 D1 D2 2F 01 4F 04 02 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7860; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-admin; sid:40736; rev:2;)
# sid 40735 (SMTP): MovieClip __proto__/__constructor__ manipulation use after free,
# CVE-2016-7865 (APSB16-37). Four NUL-terminated names anywhere in file_data
# (__constructor__ is the fast pattern), then |43 4F 96 04 00| followed by
# |4E 96 04 00| exactly 4 bytes later (distance:4 with within:4 leaves no slack).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash MovieClip proto chain manipulation targeting constructor use after free attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"__proto__|00|"; content:"__constructor__|00|"; fast_pattern:only; content:"_global|00|"; content:"removeMovieClip|00|"; content:"|43 4F 96 04 00|"; content:"|4E 96 04 00|"; within:4; distance:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7865; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-user; sid:40735; rev:2;)
# The to_client variant of the rule above starts here and continues on the next line.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash MovieClip proto chain manipulation targeting constructor use after free attempt"; flow:to_client,established; 
file_data; flowbits:isset,file.swf; content:"__proto__|00|"; content:"__constructor__|00|"; fast_pattern:only; content:"_global|00|"; content:"removeMovieClip|00|"; content:"|43 4F 96 04 00|"; content:"|4E 96 04 00|"; within:4; distance:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7865; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-37.html; classtype:attempted-user; sid:40734; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"|1F 10 75 19 24 31 24|"; content:"|00|"; within:1; distance:25; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.virustotal.com/en/file/1613acd34bfb85121bef0cd7a5cc572967912f9f674eefd7175f42ad2099e3d1/analysis/; classtype:attempted-user; sid:40755; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Standalone Flash Player IExternalizable deserialization use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00 00 D2 24 00 61|"; byte_extract:1,0,position,relative; content:"|D2 D3 4F|"; within:15; content:"|01 62|"; within:2; distance:1; content:"|D2 24 00 61|"; within:10; byte_test:1,=,position,0,relative; content:"|D2 4F|"; within:10; content:"|00 47|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7855; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-36.html; classtype:attempted-user; sid:40799; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any 
(msg:"FILE-FLASH Adobe Standalone Flash Player IExternalizable deserialization use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00 00 D2 24 00 61|"; fast_pattern; byte_extract:1,0,position,relative; content:"|D2 D3 4F|"; within:15; content:"|01 62|"; within:2; distance:1; content:"|D2 24 00 61|"; within:10; byte_test:1,=,position,0,relative; content:"|D2 4F|"; within:10; content:"|00 47|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7855; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-36.html; classtype:attempted-user; sid:40798; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player LoadVars use-after-free attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"removeTextField|00|"; content:"LoadVars|00|"; fast_pattern:only; content:"decode|00|"; content:"createTextField|00|"; content:"watch|00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0974; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:40781; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player LoadVars use-after-free attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"removeTextField|00|"; content:"LoadVars|00|"; fast_pattern:only; content:"decode|00|"; content:"createTextField|00|"; content:"watch|00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0974; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-04.html; classtype:attempted-user; sid:40780; rev:2;) # alert tcp 
$SMTP_SERVERS any -> $HOME_NET 25 (msg:"FILE-FLASH Adobe Flash Player TextField text use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"createTextField"; content:"removeMovieClip"; content:"text"; content:"toString"; content:"|1C 96 06 00|"; content:"|1C 96 05 00 07 01 00 00 00 43 4F|"; within:11; distance:6; fast_pattern; metadata:service smtp; reference:cve,2015-8430; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-admin; sid:40819; rev:1;)
# ^ end of sid 40819, a commented-out (disabled) rule whose "# alert tcp" prefix sits
#   at the end of the previous line.
# NOTE(review): sid 40819's header is "$SMTP_SERVERS any -> $HOME_NET 25", whereas
# the other SMTP-variant rules here use "$EXTERNAL_NET any -> $SMTP_SERVERS 25".
# As written it would only inspect traffic sourced from the SMTP servers towards
# port 25 inside $HOME_NET, so mail arriving from external senders would not be
# covered unless the variables overlap. This looks unintentional -- confirm and
# correct the header before enabling the rule.
# sids 40819/40818 also carry only "service" metadata (no "policy" entries).
#
# sid 40818: to_client variant of the same detection (TextField text use after free,
# CVE-2015-8430, APSB15-32), also disabled. The names createTextField,
# removeMovieClip, text and toString are matched anywhere in file_data with no length
# prefix or NUL terminator. The selective part is |1C 96 06 00| followed exactly
# 6 bytes later by the 11-byte fast pattern.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextField text use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"createTextField"; content:"removeMovieClip"; content:"text"; content:"toString"; content:"|1C 96 06 00|"; content:"|1C 96 05 00 07 01 00 00 00 43 4F|"; within:11; distance:6; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-8430; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-admin; sid:40818; rev:1;)
# sid 41025 (SMTP): addProperty use after free, CVE-2016-7872 (APSB16-39). Disabled
# here; its metadata lists max-detect-ips and security-ips but not balanced-ips.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player addProperty use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"removeMovieClip"; content:"addProperty"; content:"ASSetPropFlags"; content:"|8E 08 00 00 00|"; content:"|8E 08 00 00 00|"; within:5; distance:6; content:"|00 00|"; within:2; distance:4; content:"|96 0F 00 07 01 00 00 00 02 04 01 07 03 00 00 00 08|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7872; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-admin; sid:41025; rev:2;)
# The to_client variant of the rule above starts here and continues on the next line.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player addProperty use after free attempt"; 
flow:to_client,established; flowbits:isset,file.swf; file_data; content:"removeMovieClip"; content:"addProperty"; content:"ASSetPropFlags"; content:"|8E 08 00 00 00|"; content:"|8E 08 00 00 00|"; within:5; distance:6; content:"|00 00|"; within:2; distance:4; content:"|96 0F 00 07 01 00 00 00 02 04 01 07 03 00 00 00 08|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7872; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-admin; sid:41024; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player addProperty use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"removeMovieClip"; content:"addProperty"; content:"ASSetPropFlags"; content:"|8E 08 00 00 00|"; content:"|00 00 8E 08 00 00 00|"; within:7; distance:4; content:"|96 0F 00 07 01 00 00 00 02 04 01 07 03 00 00 00 08|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7872; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-admin; sid:41023; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player addProperty use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"removeMovieClip"; content:"addProperty"; content:"ASSetPropFlags"; content:"|8E 08 00 00 00|"; content:"|00 00 8E 08 00 00 00|"; within:7; distance:4; content:"|96 0F 00 07 01 00 00 00 02 04 01 07 03 00 00 00 08|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7872; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-admin; sid:41022; rev:2;) # alert tcp $EXTERNAL_NET any -> 
$SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player onSetFocus movie clip use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"createTextField|00|"; content:"onKillFocus|00|"; content:"removeMovieClip|00|"; content:"onSetFocus|00|"; content:"setFocus|00|"; content:"|07 06 00 00 00 08|"; content:"|52 3C|"; within:10; content:"|9B 05 00 00 00|"; within:50; content:"|96 0B 00 06 00 00 00 00 00 00 00 00 08|"; within:20; content:"|1C 96 02 00 08|"; within:5; distance:1; content:"|52 17 4F|"; within:3; distance:1; content:"|9B 05 00 00 00|"; within:50; content:"|96 0B 00 06 00 00 00 00 00 00 00 00 08|"; within:20; content:"|1C 96 02 00 08|"; within:5; distance:1; content:"|52 17 4F|"; within:3; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7892; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41021; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player onSetFocus movie clip use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"createTextField|00|"; content:"onKillFocus|00|"; content:"removeMovieClip|00|"; content:"onSetFocus|00|"; content:"setFocus|00|"; content:"|07 06 00 00 00 08|"; content:"|52 3C|"; within:10; content:"|9B 05 00 00 00|"; within:50; content:"|96 0B 00 06 00 00 00 00 00 00 00 00 08|"; within:20; content:"|1C 96 02 00 08|"; within:5; distance:1; content:"|52 17 4F|"; within:3; distance:1; content:"|9B 05 00 00 00|"; within:50; content:"|96 0B 00 06 00 00 00 00 00 00 00 00 08|"; within:20; content:"|1C 96 02 00 08|"; within:5; distance:1; content:"|52 17 4F|"; within:3; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7892; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41020; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player writeDynamicProperties use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|16|writeDynamicProperties"; fast_pattern:only; content:"|16|IDynamicPropertyOutput"; content:"|15|dynamicPropertyWriter"; content:"|0E|ObjectEncoding"; content:"|00 68|"; content:"|24 00 61|"; within:3; distance:4; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7877; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41017; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player writeDynamicProperties use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|16|writeDynamicProperties"; fast_pattern:only; content:"|16|IDynamicPropertyOutput"; content:"|15|dynamicPropertyWriter"; content:"|0E|ObjectEncoding"; content:"|00 68|"; content:"|24 00 61|"; within:3; distance:4; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7877; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41016; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Acrobat Flash WorkerDomain memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0C|WorkerDomain"; fast_pattern:only; content:"|09|ByteArray"; content:"|0C|createWorker"; content:"|06|Worker"; content:"|00 80|"; distance:0; content:"|5D|"; within:1; distance:-6; content:"|27 46|"; within:15; content:"|02 80|"; within:2; distance:1; content:"|4F|"; within:10; content:"|00 47|"; within:2; distance:1; 
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7871; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41015; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Acrobat Flash WorkerDomain memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0C|WorkerDomain"; fast_pattern:only; content:"|09|ByteArray"; content:"|0C|createWorker"; content:"|06|Worker"; content:"|00 80|"; distance:0; content:"|5D|"; within:1; distance:-6; content:"|27 46|"; within:15; content:"|02 80|"; within:2; distance:1; content:"|4F|"; within:10; content:"|00 47|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7871; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41014; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00|__proto__|00|"; content:"|00|__constructor__|00|"; content:"|00|NetConnection|00|"; content:"|00|connect|00|"; content:"|00|call|00|"; content:"|00|NetStream|00|"; content:"|00|watch|00|"; content:"|8E 08 00 00 00 00|"; content:"|8E 08 00 00 00 00|"; within:6; distance:5; content:"|96 0B 00 06 00 00 00 00 00 00 00 00 08|"; content:"|40 87 01 00 03 17|"; within:6; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7879; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41013; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player 
NetConnection use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00|__proto__|00|"; content:"|00|__constructor__|00|"; content:"|00|NetConnection|00|"; content:"|00|connect|00|"; content:"|00|call|00|"; content:"|00|NetStream|00|"; content:"|00|watch|00|"; content:"|8E 08 00 00 00 00|"; content:"|8E 08 00 00 00 00|"; within:6; distance:5; content:"|96 0B 00 06 00 00 00 00 00 00 00 00 08|"; content:"|40 87 01 00 03 17|"; within:6; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7879; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41012; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData applyFilter integer overflow attempt"; flow:to_server,established; file_data; content:"|08 63 09 5D 06 25 94 0F D3 24 40 24 11 4A 06 04 D6 5D 07 24 00 25 80 01 4A 07 02 63 06 5D 08 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7875; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41011; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData applyFilter integer overflow attempt"; flow:to_client,established; file_data; content:"|08 63 09 5D 06 25 94 0F D3 24 40 24 11 4A 06 04 D6 5D 07 24 00 25 80 01 4A 07 02 63 06 5D 08 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7875; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41010; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
(msg:"FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|19|com.adobe.tvsdk.mediacore"; content:"|10|createDispatcher"; within:500; content:"|11|createQOSProvider"; within:500; content:"|15|MediaPlayerItemLoader"; within:1500; distance:-1000; content:"|1B|attachMediaPlayerItemLoader"; within:2000; distance:-1500; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7878; reference:cve,2018-4877; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-03.html; classtype:attempted-user; sid:41005; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|19|com.adobe.tvsdk.mediacore"; content:"|10|createDispatcher"; within:500; content:"|11|createQOSProvider"; within:500; content:"|15|MediaPlayerItemLoader"; within:1500; distance:-1000; content:"|1B|attachMediaPlayerItemLoader"; within:2000; distance:-1500; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7878; reference:cve,2018-4877; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-03.html; classtype:attempted-user; sid:41004; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Primetime SDK out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|18|retrieveAdPolicySelector"; fast_pattern:only; content:"|04|PSDK"; 
content:"|BF 14|"; byte_extract:4,0,len,relative,little; content:"|20 46|"; within:len; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7873; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41003; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Primetime SDK out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|18|retrieveAdPolicySelector"; fast_pattern:only; content:"|04|PSDK"; content:"|BF 14|"; byte_extract:4,0,len,relative,little; content:"|20 46|"; within:len; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7873; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41002; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0D|NetConnection"; content:"|09|flash.net"; content:"|09|proxyType"; fast_pattern:only; content:!"|04|none"; content:!"|04|HTTP"; content:!"|0B|CONNECTOnly"; content:!"|07|CONNECT"; content:!"|04|best"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7874; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:40999; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0D|NetConnection"; content:"|09|flash.net"; content:"|09|proxyType"; 
fast_pattern:only; content:!"|04|none"; content:!"|04|HTTP"; content:!"|0B|CONNECTOnly"; content:!"|07|CONNECT"; content:!"|04|best"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7874; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:40998; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextField setter use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1C 96 02 00 08|"; content:"|07 06 00 00 00 08|"; within:6; distance:-12; content:"|96|"; within:15; distance:-50; content:"|1C 96 05 00 07 01 00 00 00 43|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3137; reference:cve,2015-8420; reference:cve,2015-8421; reference:cve,2015-8422; reference:cve,2015-8424; reference:cve,2015-8425; reference:cve,2015-8426; reference:cve,2015-8427; reference:cve,2015-8428; reference:cve,2015-8429; reference:cve,2015-8430; reference:cve,2015-8431; reference:cve,2015-8434; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-admin; sid:41046; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextField setter use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1C 96 02 00 08|"; content:"|07 06 00 00 00 08|"; within:6; distance:-12; content:"|96|"; within:15; distance:-50; content:"|1C 96 05 00 07 01 00 00 00 43|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3137; reference:cve,2015-8420; reference:cve,2015-8421; reference:cve,2015-8422; reference:cve,2015-8424; reference:cve,2015-8425; reference:cve,2015-8426; reference:cve,2015-8427; reference:cve,2015-8428; reference:cve,2015-8429; 
reference:cve,2015-8430; reference:cve,2015-8431; reference:cve,2015-8434; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-admin; sid:41045; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Acrobat Flash FileReference class use-after-free memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"FileReference|00|"; fast_pattern:only; content:"browse|00|"; content:"|96|"; content:"|00 08|"; within:2; distance:1; byte_extract:1,0,possArr,relative; content:"|40 3C|"; within:2; distance:7; content:"|00 08|"; distance:0; byte_test:1,=,possArr,0,relative; content:"|1C 96|"; within:2; distance:1; content:"|00 08|"; within:2; distance:1; byte_test:1,=,0x4f,3,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2936; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41166; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Acrobat Flash FileReference class use-after-free memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FileReference|00|"; fast_pattern:only; content:"browse|00|"; content:"|96|"; content:"|00 08|"; within:2; distance:1; byte_extract:1,0,possArr,relative; content:"|40 3C|"; within:2; distance:7; content:"|00 08|"; distance:0; byte_test:1,=,possArr,0,relative; content:"|1C 96|"; within:2; distance:1; content:"|00 08|"; within:2; distance:1; byte_test:1,=,0x4f,3,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2936; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41165; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH 
Acrobat Flash FileReference class use-after-free memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"FileReference|00|"; fast_pattern:only; content:"watch|00|"; content:"|4F 8E|"; content:"|00 00 00 00|"; within:4; distance:1; content:"|96|"; within:1; distance:5; content:"|00 08|"; within:2; distance:1; content:"|1C 96|"; within:2; distance:1; content:"|00 08|"; within:2; distance:1; content:"|4F|"; within:1; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2937; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41161; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Acrobat Flash FileReference class use-after-free memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FileReference|00|"; fast_pattern:only; content:"watch|00|"; content:"|4F 8E|"; content:"|00 00 00 00|"; within:4; distance:1; content:"|96|"; within:1; distance:5; content:"|00 08|"; within:2; distance:1; content:"|1C 96|"; within:2; distance:1; content:"|00 08|"; within:2; distance:1; content:"|4F|"; within:1; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2937; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41160; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player visual blend out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"attachMovie|00|"; content:"ASnative|00|"; fast_pattern; content:"|96|"; within:500; byte_extract:2,0,szPush,relative; content:"|07 0B 00 00 00 07 69 00 00 00|"; within:szPush; metadata:policy balanced-ips drop, policy 
max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2928; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41159; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player visual blend out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"attachMovie|00|"; content:"ASnative|00|"; fast_pattern; content:"|96|"; within:500; byte_extract:2,0,szPush,relative; content:"|07 0B 00 00 00 07 69 00 00 00|"; within:szPush; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2928; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41158; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed ATF file length heap overflow attempt"; flow:to_server,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; byte_test:1,>=,0x80,1,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2934; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41157; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed ATF file length heap overflow attempt"; flow:to_client,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; byte_test:1,>=,0x80,1,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2934; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; 
classtype:attempted-user; sid:41156; rev:2;)
# Display list structure memory corruption (CVE-2017-2930), SMTP and file-download directions.
# Each rule matches one fixed byte string in file_data with fast_pattern:only; there is no
# flowbits file-type check, so the string is looked for in any decoded file data on the flow.
# NOTE(review): a single literal like this presumably covers specific samples rather than
# the bug class as a whole - treat a miss as "not this sample", not as "clean".
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player display list structure memory corruption attempt"; flow:to_server,established; file_data; content:"|96 13 00 08 05 07 02 00 00 00 08 05 07 03 00 00 00 07 64 00 00 00 87 01 00 00 23 96 02 00 04 00 23 00 8D 06 06 99|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2930; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41139; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player display list structure memory corruption attempt"; flow:to_client,established; file_data; content:"|96 13 00 08 05 07 02 00 00 00 08 05 07 03 00 00 00 07 64 00 00 00 87 01 00 00 23 96 02 00 04 00 23 00 8D 06 06 99|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2930; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41138; rev:2;)
# onSetFocus use after free (CVE-2017-2932) - both directions are disabled here, and their
# metadata carries no balanced-ips policy entry.
# NOTE(review): the SMTP variant (sid 41215) has no file_data option while the to_client
# variant (sid 41214) does, and the msg strings differ ("movie clip" vs "movieclip").
# Without file_data the content is presumably matched against the packet payload rather
# than the decoded attachment - confirm the intent before enabling sid 41215.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player onSetFocus movie clip use after free attempt"; flow:to_server,established; content:"|96 04 00 08 2D 08 00 1C 47 96 07 00 07 01 00 00 00 08 02 3D 17 96 04 00 08 2E 08 07 1C 47 96 07|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2932; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41215; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player onSetFocus movieclip use after free attempt"; flow:to_client,established; file_data; content:"|96 04 00 08 2D 08 00 1C 47 96 07 00 07 01 00 00 00 08 02 3D 17 96 04 00 08 2E 08 07 1C 47 96 07|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2932; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41214; rev:2;)
# Malformed PlaceObject3 memory corruption (CVE-2017-2931) - both directions are disabled
# and carry service metadata only (no policy entries).
# NOTE(review): here the asymmetry is the other way round: the to_client variant
# (sid 41207) lacks file_data while the SMTP variant (sid 41208) has it. Confirm before enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed PlaceObject3 memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|BF 11 3F 00 00 00 06 40 00 00 03 00 14 8D 00 00 3F FE D9 1E 29 E1 AE 44 B3 CB 05 E7 B6 84 B9 AD|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-2931; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41208; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed PlaceObject3 memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"|BF 11 3F 00 00 00 06 40 00 00 03 00 14 8D 00 00 3F FE D9 1E 29 E1 AE 44 B3 CB 05 E7 B6 84 B9 AD|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2931; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41207; rev:1;)
# FileReferenceList.browse type confusion (CVE-2015-3120). Requires the file.swf flowbit,
# then four strings in file_data: "\0FileReferenceList", "\0browse", "\0watch", "\0addListener".
# None of the content options is relative (no within/distance), so the strings may appear
# anywhere in the file and in any order.
# NOTE(review): flowbits:isset,file.swf is only true if another rule set that flowbit
# earlier in the flow; no rule in view sets it, so confirm the file-identification rules
# that do are enabled, otherwise this pair cannot fire.
# NOTE(review): the match is on API names only and the policy metadata is "drop" - this may
# match benign SWFs that use these APIs; verify against local traffic before inline use.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player FileReferenceList.browse type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00|FileReferenceList"; fast_pattern:only; content:"|00|browse"; content:"|00|watch"; content:"|00|addListener"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3120; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-admin; sid:41333; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 
$HOME_NET any (msg:"FILE-FLASH Adobe Flash Player FileReferenceList.browse type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00|FileReferenceList"; fast_pattern:only; content:"|00|browse"; content:"|00|watch"; content:"|00|addListener"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3120; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-admin; sid:41332; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player StyleSheets use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"TextField"; content:"styleSheet"; content:"parseCSS"; content:"exitFrame"; content:"|5E|"; byte_extract:1,0,cssElem,relative; content:"|2B 61|"; within:2; byte_test:1,=,cssElem,0,relative; content:"|2B 61|"; byte_extract:1,0,handler,relative; content:"|5E|"; byte_test:1,=,handler,0,relative; content:"|2B|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4174; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:41354; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player StyleSheets use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"TextField"; content:"styleSheet"; content:"parseCSS"; content:"exitFrame"; content:"|5E|"; byte_extract:1,0,cssElem,relative; content:"|2B 61|"; within:2; byte_test:1,=,cssElem,0,relative; content:"|2B 61|"; byte_extract:1,0,handler,relative; content:"|5E|"; byte_test:1,=,handler,0,relative; content:"|2B|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, 
service http, service imap, service pop3; reference:cve,2016-4174; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:41353; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Primetime SDK ShimContentResolver memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|13|ShimContentResolver"; fast_pattern:only; content:"|09|configure"; nocase; content:"|24 00 4A 01|"; content:"|80|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4152; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:41358; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Primetime SDK ShimContentResolver memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|13|ShimContentResolver"; fast_pattern:only; content:"|09|configure"; nocase; content:"|24 00 4A 01|"; content:"|80|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4152; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:41357; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player custom toString function attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|3F 03|"; byte_extract:4,0,codeSize,relative,little; content:"|88|"; within:1; byte_extract:2,0,cPoolSize,relative,little; content:"toString"; within:cPoolSize; content:"|1C 96 05 00 07 01 00 00 00 43 3C|"; within:codeSize; fast_pattern; content:"|96 06 00 08|"; within:4; distance:-20; content:"|08|"; within:2; content:"|08|"; within:2; 
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-4428; reference:cve,2015-8043; reference:cve,2015-8044; reference:cve,2015-8046; reference:cve,2017-2951; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; reference:url,helpx.adobe.com/security/products/reader/apsb17-01.html; classtype:attempted-user; sid:41412; rev:5;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player custom toString function attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3F 03|"; byte_extract:4,0,codeSize,relative,little; content:"|88|"; within:1; byte_extract:2,0,cPoolSize,relative,little; content:"toString"; within:cPoolSize; content:"|1C 96 05 00 07 01 00 00 00 43 3C|"; within:codeSize; fast_pattern; content:"|96 06 00 08|"; within:4; distance:-20; content:"|08|"; within:2; content:"|08|"; within:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-4428; reference:cve,2015-8043; reference:cve,2015-8044; reference:cve,2015-8046; reference:cve,2017-2951; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; reference:url,helpx.adobe.com/security/products/reader/apsb17-01.html; classtype:attempted-user; sid:41411; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B7 0D A0 E9 A4 9B D0 96 44 BA B1 3D 96 2E A0 B3 3A 85 A0 46 F0 04 13 31 DD CE 5A 02 CD 30 99 83|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5122; 
reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:41482; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|66 E4 03 24 01 D0 66 31 61 E4 03 D0 66 4B D1 66 E4 03 24 02 D0 66 49 61 E4 03 D0 66 4B D1 66 E4|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:41481; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B7 0D A0 E9 A4 9B D0 96 44 BA B1 3D 96 2E A0 B3 3A 85 A0 46 F0 04 13 31 DD CE 5A 02 CD 30 99 83|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:41480; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|66 E4 03 24 01 D0 66 31 61 E4 03 D0 66 4B D1 66 E4 03 24 02 D0 66 49 61 E4 03 D0 66 4B D1 66 E4|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-user; sid:41479; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player broker arbitrary file write attempt"; flow:to_client,established; 
file_data; content:"|8B 30 56 43 53 68 24 F2 01 10 E8 17 06 00 00 8B 44 24 34 8B 08 83 C4 0C 8D 54 24 1C 52 6A 00 6A 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0301; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:41473; rev:2;)
# Broker arbitrary file write (CVE-2015-0301), to_client direction. The rule is a single
# fixed byte string in file_data with fast_pattern:only and no flowbits file-type check.
# NOTE(review): presumably a signature for one specific sample or build - confirm coverage
# expectations with whoever owns this detection.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player broker arbitrary file write attempt"; flow:to_client,established; file_data; content:"|04 E8 44 1F 00 00 83 C4 0C 8B F0 8D 44 24 18 56 50 68 AC 76 41 00 E8 C6 19 00 00 83 C4 0C 8D 44 24 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0301; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-01.html; classtype:attempted-user; sid:41472; rev:2;)
# NetConnection type confusion (CVE-2015-4433). Requires the file.swf flowbit, then a chain
# of four byte strings in file_data, each of the last three within 15 bytes of the end of
# the previous match. The first string is the fast pattern.
# NOTE(review): the two directions differ in the last content only: the SMTP rule
# (sid 41419) ends in "43 4F", the to_client rule (sid 41418) ends in "43 4F 96". Every
# other option is the same, so one of the two is probably a transcription slip - confirm
# against the upstream ruleset before relying on either.
# NOTE(review): these two rules carry a CVE reference but no advisory URL.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetConnection type confusion attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|4E 96 05 00 07 01 00 00 00 43 87 01 00 04 17 96 08 00 04|"; fast_pattern; content:"|4E 4F 96 08 00 04|"; within:15; content:"|4E 4F 96 0D 00 04|"; within:15; content:"|06 00 00 00 00 00 00 00 00 43 4F|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-4433; classtype:attempted-user; sid:41419; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetConnection type confusion attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|4E 96 05 00 07 01 00 00 00 43 87 01 00 04 17 96 08 00 04|"; fast_pattern; content:"|4E 4F 96 08 00 04|"; within:15; content:"|4E 4F 96 0D 00 04|"; within:15; content:"|06 00 00 00 00 00 00 00 00 43 4F 96|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-4433; classtype:attempted-user; sid:41418; rev:2;)
# AS2 TextField antiAliasType use after free (CVE-2015-8046). Requires the file.swf flowbit,
# then three NUL-terminated names in file_data; the first two are case-insensitive (nocase).
# None of the contents is relative, so they may match anywhere and may overlap.
# NOTE(review): "createTextField\0" already contains "TextField\0", so the first content
# adds no constraint beyond the second. In effect the rule fires on any SWF that holds
# "createTextField" and "antiAliasType" - likely broad for a drop policy; tune per site.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AS2 TextField antiAliasType use after free attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"TextField|00|"; nocase; content:"createTextField|00|"; nocase; content:"antiAliasType|00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8046; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:41486; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AS2 TextField antiAliasType use after free attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"TextField|00|"; nocase; content:"createTextField|00|"; nocase; content:"antiAliasType|00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8046; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-28.html; classtype:attempted-user; sid:41485; rev:2;)
# PSDK EventDispatch removeEventListener use after free (CVE-2017-2994). Requires the
# file.swf flowbit, then one fixed byte string in file_data.
# NOTE(review): the mail-direction rule (sid 41630) uses "$HOME_NET 25" as destination,
# where the other to_server rules in view use "$SMTP_SERVERS 25". Unless the two variables
# are defined alike this rule inspects port 25 on every home-net host - confirm it is
# intended. If it needs changing locally, copy it to a local sid (1000000 or above) rather
# than editing the distributed sid in place.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-FLASH Adobe Flash Player PSDK EventDispatch removeEventListener use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|60 06 60 08 46 0B 01 D1 2B 6D 04 60 0C 4F 0D 00 60 06 46 07 00 D1 2B 6D 05 60 0E 24 FF 60 09 4F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2994; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41630; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PSDK EventDispatch removeEventListener use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|60 06 60 08 46 0B 01 D1 2B 6D 04 60 0C 4F 0D 00 60 06 46 07 00 D1 2B 6D 05 60 0E 24 FF 60 09 4F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2994; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41629; rev:3;)
# Garbage collection use after free (CVE-2017-2988). One fixed byte string in file_data,
# no flowbits file-type check.
# NOTE(review): on the SMTP variant the bytes can only be seen in file_data if the sensor
# decodes mail attachments before matching - presumably a preprocessor setting; verify.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player garbage collection use after free attempt"; flow:to_server,established; file_data; content:"|63 57 2B 56 0F 8F 2C 79 62 5C 66 E5 5D C7 4E 3B F1 6E 55 BC 1F 1D 58 97 2F 26 5F CC 67 65 4C C7 96 46 62 DC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2988; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41628; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player garbage collection use after free attempt"; flow:to_client,established; file_data; content:"|63 57 2B 56 0F 8F 2C 79 62 5C 66 E5 5D C7 4E 3B F1 6E 55 BC 1F 1D 58 97 2F 26 5F CC 67 65 4C C7 96 46 62 DC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service 
pop3; reference:cve,2017-2988; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41627; rev:3;)
# MessageChannel type confusion (CVE-2017-2995). Requires the file.swf flowbit, then in
# file_data: the strings "createMessageChannel" (fast pattern) and "defaultObjectEncoding"
# anywhere, then bytes 24 00 61, followed by 60 and 66 each exactly one byte after the
# end of the previous match (distance:1; within:1).
# NOTE(review): flowbits:isset,file.swf is only true if another rule set that flowbit
# earlier in the flow; no rule in view sets it, so confirm the file-identification rules
# that do are enabled, otherwise this pair cannot fire.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MessageChannel type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"createMessageChannel"; fast_pattern:only; content:"defaultObjectEncoding"; content:"|24 00 61|"; content:"|60|"; within:1; distance:1; content:"|66|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2995; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-admin; sid:41624; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MessageChannel type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"createMessageChannel"; fast_pattern:only; content:"defaultObjectEncoding"; content:"|24 00 61|"; content:"|60|"; within:1; distance:1; content:"|66|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2995; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-admin; sid:41623; rev:3;)
# Malformed FLV heap overflow (CVE-2017-2986) - both directions are disabled here.
# Requires the file.flv flowbit and one fixed byte string in file_data.
# NOTE(review): classtype is attempted-recon although the msg describes a heap overflow;
# the other rules in view that cite apsb17-04 use attempted-user or attempted-admin. If
# alert priority is derived from the classtype, these two would presumably be ranked lower
# than their siblings - confirm before enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash malformed FLV heap overflow attempt"; flow:to_server,established; flowbits:isset,file.flv; file_data; content:"|DC B6 B8 48 CC 5F 92 CE A9 4D 7D 98 91 0D 75 E5 79 3F 57 29 B1 C0 28 BF 6A BF 40 0C 80 EA 58 B3|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2986; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-recon; sid:41622; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash malformed FLV heap overflow attempt"; flow:to_client,established; flowbits:isset,file.flv; file_data; content:"|DC B6 B8 48 CC 5F 92 CE A9 4D 7D 98 91 0D 75 E5 79 3F 57 29 B1 C0 28 BF 6A BF 40 0C 80 EA 58 B3|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2986; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-recon; sid:41621; rev:3;)
# addEventListener use after free (CVE-2017-2982) - both directions are disabled here.
# One fixed byte string in file_data, no flowbits file-type check; the metadata has no
# balanced-ips policy entry.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player addEventListener use after free attempt"; flow:to_server,established; file_data; content:"|80 05 6D BB 06 F0 8D 24 65 01 6C EA 03 65 01 6C BB 06 61 6A F0 8E 24 65 01 2F 01 75 6D DB 0B F0|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2982; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41620; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player addEventListener use after free attempt"; flow:to_client,established; file_data; content:"|80 05 6D BB 06 F0 8D 24 65 01 6C EA 03 65 01 6C BB 06 61 6A F0 8E 24 65 01 2F 01 75 6D DB 0B F0|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2982; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41619; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash player BitmapData class use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0A|BitmapData"; content:"|0C|BitmapFilter"; content:"|13|BitmapFilterQuality"; fast_pattern:only; content:"|0A|GlowFilter"; metadata:service smtp; reference:cve,2017-2985; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41604; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash player BitmapData class use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0A|BitmapData"; content:"|0C|BitmapFilter"; content:"|13|BitmapFilterQuality"; fast_pattern:only; content:"|0A|GlowFilter"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2985; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41603; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed DefineSprite tag memory corruption attempt"; flow:to_server,established; file_data; content:"|E1 7A B4 3F 7B 14 AE 47 07 64 00 00 00 08 00 1C 96 02 00 08 01 4E 0B 0C 47 9B 00 00 00 00 00 40|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3123; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-admin; sid:41645; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any 
(msg:"FILE-FLASH Adobe Flash Player malformed DefineSprite tag memory corruption attempt"; flow:to_client,established; file_data; content:"|E1 7A B4 3F 7B 14 AE 47 07 64 00 00 00 08 00 1C 96 02 00 08 01 4E 0B 0C 47 9B 00 00 00 00 00 40|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3123; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-admin; sid:41644; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ShimContentResolver out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|13|ShimContentResolver"; fast_pattern:only; content:"|0B|Opportunity"; content:"|07|resolve"; content:"|20 4A 01|"; content:"|80|"; within:1; distance:1; content:"|D5|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2996; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41680; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ShimContentResolver out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|13|ShimContentResolver"; fast_pattern:only; content:"|0B|Opportunity"; content:"|07|resolve"; content:"|20 4A 01|"; content:"|80|"; within:1; distance:1; content:"|D5|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2996; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41679; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextField object event handler use after free attempt"; flow:to_server,established; file_data; content:"|96 02 00 08 0F 52 17 96 09 00 08 10 07 01 00 00 00 08 11 1C 96 02 00 08 12 4E 96 02 00 08 13 4E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2993; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41674; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextField object event handler use after free attempt"; flow:to_client,established; file_data; content:"|96 02 00 08 0F 52 17 96 09 00 08 10 07 01 00 00 00 08 11 1C 96 02 00 08 12 4E 96 02 00 08 13 4E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2993; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41673; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player custom valueOf function attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|3F 03|"; byte_extract:4,0,codeSize,relative,little; content:"|88|"; within:1; byte_extract:2,0,cPoolSize,relative,little; content:"valueOf"; within:cPoolSize; content:"|1C 96 05 00 07 01 00 00 00 43 3C|"; within:codeSize; fast_pattern; content:"|96 06 00 08|"; within:4; distance:-20; content:"|08|"; within:2; content:"|08|"; within:2; metadata:policy balanced-ips drop, policy 
max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3130; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:41709; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player custom valueOf function attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3F 03|"; byte_extract:4,0,codeSize,relative,little; content:"|88|"; within:1; byte_extract:2,0,cPoolSize,relative,little; content:"valueOf"; within:cPoolSize; content:"|1C 96 05 00 07 01 00 00 00 43 3C|"; within:codeSize; fast_pattern; content:"|96 06 00 08|"; within:4; distance:-20; content:"|08|"; within:2; content:"|08|"; within:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3130; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:41708; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player invalid package script information use after free attempt"; flow:to_server,established; file_data; content:"|6E 54 69 6D 65 6C 69 6E 65 00 40 00 02 07 01 00 C0 16 F2 11 10 80 03 80 04 4D 79 72 69 61 64 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-4430; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:41706; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid package script information use after free attempt"; flow:to_client,established; file_data; content:"|6E 54 69 6D 65 6C 69 6E 65 00 40 00 02 07 01 00 C0 16 F2 11 10 80 03 80 04 4D 79 72 69 61 64 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy 
security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-4430; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:41705; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player custom toString and valueOf function attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|3F 03|"; byte_extract:4,0,codeSize,relative,little; content:"|88|"; within:1; byte_extract:2,0,cPoolSize,relative,little; content:"toString"; within:cPoolSize; content:"valueOf"; within:10; content:"|1C 96 05 00 07 02 00 00 00 43 3C|"; within:codeSize; fast_pattern; content:"|96 06 00 08|"; within:4; distance:-28; content:"|08|"; within:2; content:"|08|"; within:2; content:"|1C 96 04 00 08|"; within:5; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3129; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; classtype:attempted-user; sid:41741; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player custom toString and valueOf function attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3F 03|"; byte_extract:4,0,codeSize,relative,little; content:"|88|"; within:1; byte_extract:2,0,cPoolSize,relative,little; content:"toString"; within:cPoolSize; content:"valueOf"; within:10; content:"|1C 96 05 00 07 02 00 00 00 43 3C|"; within:codeSize; fast_pattern; content:"|96 06 00 08|"; within:4; distance:-28; content:"|08|"; within:2; content:"|08|"; within:2; content:"|1C 96 04 00 08|"; within:5; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3129; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-16.html; 
classtype:attempted-user; sid:41740; rev:2;)
# AuditudeSettings stack overflow (cve,2017-2997; APSB17-07).
# sid:42013 inspects mail sent to $SMTP_SERVERS port 25; sid:42012 inspects files
# returned to $HOME_NET from $FILE_DATA_PORTS. The content chain is identical in both.
# "|10|AuditudeSettings" is the fast pattern. The one- and two-byte matches that
# follow "|05|clone" are only meaningful because within/distance chain them together.
# NOTE(review): neither variant is gated on flowbits:isset,file.swf, unlike the
# Camera rules further down — confirm that is intentional.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AuditudeSettings stack overflow attempt"; flow:to_server,established; file_data; content:"|10|AuditudeSettings"; fast_pattern:only; content:"|10|customParameters"; content:"|05|clone"; content:"|5D|"; within:1000; content:"|4A|"; within:1; distance:1; content:"|00 80|"; within:2; distance:1; content:"|61|"; within:15; content:"|46|"; within:15; content:"|00 29|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2997; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-07.html; classtype:attempted-user; sid:42013; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AuditudeSettings stack overflow attempt"; flow:to_client,established; file_data; content:"|10|AuditudeSettings"; fast_pattern:only; content:"|10|customParameters"; content:"|05|clone"; content:"|5D|"; within:1000; content:"|4A|"; within:1; distance:1; content:"|00 80|"; within:2; distance:1; content:"|61|"; within:15; content:"|46|"; within:15; content:"|00 29|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2997; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-07.html; classtype:attempted-user; sid:42012; rev:2;)
# TextField use after free (cve,2017-3002; APSB17-07), SMTP variant.
# Requires "createTextField", then "removeTextField" within 500 bytes, then a
# chain of byte patterns each bounded by within.
# NOTE(review): the 13-byte pattern |96 0B 00 06 ... 08| carries within:13 here,
# so it must begin immediately after the previous match. The to_client twin
# sid:42010 uses within:15, which tolerates two intervening bytes. Every other
# option is the same, so the twins presumably should agree; confirm which window
# is intended, because the tighter one can miss samples the looser one catches.
# No fast_pattern is designated and there is no file.swf flowbit gate on this pair.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TextField use after free attempt"; flow:to_server,established; file_data; content:"createTextField"; content:"removeTextField"; within:500; content:"|3C 9B 05 00 00 00 00 00 00 9B 05 00 00 00 00|"; within:500; content:"|96 0B 00 06 00 00 00 00 00 00 00 00 08|"; within:13; content:"|1C 96 02 00 08|"; within:6; content:"|52 17|"; within:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3002; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-07.html; classtype:attempted-user; sid:42011; rev:2;)
# TextField use after free, file-download variant.
# NOTE(review): within:15 on the 13-byte pattern, versus within:13 in sid:42011 above.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TextField use after free attempt"; flow:to_client,established; file_data; content:"createTextField"; content:"removeTextField"; within:500; content:"|3C 9B 05 00 00 00 00 00 00 9B 05 00 00 00 00|"; within:500; content:"|96 0B 00 06 00 00 00 00 00 00 00 00 08|"; within:15; content:"|1C 96 02 00 08|"; within:6; content:"|52 17|"; within:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3002; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-07.html; classtype:attempted-user; sid:42010; rev:2;)
# Camera use after free (cve,2017-3003; APSB17-07), SMTP variant.
# Only evaluated when the file.swf flowbit is set.
# byte_extract stores the single byte at offset 1 past |96 09 00| in myCam.
# Each later |96 02 00| match must have the byte at offset 1 past it equal to
# myCam (byte_test), and the byte just before the match must be |4F| the first
# time and |17| the second (within:1; distance:-4 steps back over the 3-byte match).
# The fast pattern "Camera" is a short, common string, so precision rests on the
# flowbit gate and the byte_test chain rather than on the prefilter.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Camera use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"Camera"; fast_pattern:only; content:"createEmptyMovieClip"; content:"attachVideo"; content:"removeMovieClip"; content:"|96 09 00|"; byte_extract:1,1,myCam,relative; content:"|96 02 00|"; distance:0; byte_test:1,=,myCam,1,relative; content:"|4F|"; within:1; distance:-4; content:"|96 02 00|"; distance:0; byte_test:1,=,myCam,1,relative; content:"|17|"; within:1; distance:-4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3003; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-07.html; classtype:attempted-user; sid:42007; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Camera use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"Camera"; fast_pattern:only;
content:"createEmptyMovieClip"; content:"attachVideo"; content:"removeMovieClip"; content:"|96 09 00|"; byte_extract:1,1,myCam,relative; content:"|96 02 00|"; distance:0; byte_test:1,=,myCam,1,relative; content:"|4F|"; within:1; distance:-4; content:"|96 02 00|"; distance:0; byte_test:1,=,myCam,1,relative; content:"|17|"; within:1; distance:-4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3003; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-07.html; classtype:attempted-user; sid:42006; rev:1;)
# Custom object garbage collection use after free, SMTP variants.
# sid:42047 keys on "onSelect|00|" / "removeMovieClip|00|" / "addProperty|00|" / "_level0|00|".
# sid:42046 keys on "push|00|" / "createEmptyMovieClip|00|".
# Both are only evaluated when the file.swf flowbit is set.
# NOTE(review): these two are at rev:2 and differ from their to_client twins
# sid:42045 / sid:42044 (rev:3) below in three ways:
#   - the msg lacks the trailing "attempt";
#   - no content is marked fast_pattern:only (the twins mark "removeMovieClip|00|"
#     and "createEmptyMovieClip|00|" respectively);
#   - only cve,2017-3001 / apsb17-07 are referenced, whereas the twins also cite
#     cve,2017-3059 / apsb17-10.
# It looks like the SMTP pair missed a later revision — confirm and align, so that
# mail-borne and web-borne hits carry the same msg and CVE set during alert triage.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player custom object garbage collection use after free"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"onSelect|00|"; content:"removeMovieClip|00|"; content:"addProperty|00|"; content:"_level0|00|"; content:"|1C 3E 96 09 00 08|"; content:"|1C 96 02 00 08|"; within:5; distance:8; content:"|52 17 00|"; within:3; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3001; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-07.html; classtype:attempted-user; sid:42047; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player custom object garbage collection use after free"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"push|00|"; content:"createEmptyMovieClip|00|"; content:"|07 00 20 00 00 07 01 00 00 00 08|"; content:"|96|"; within:4; distance:-18; content:"|96 02 00 08|"; content:"|8E 08 00 00 00 00|"; within:6; distance:1; content:"|96|"; within:8; distance:5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3001; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-07.html; classtype:attempted-user; sid:42046; rev:2;)
# File-download variants of the two rules above (rev:3). The content chains match
# the SMTP variants option for option; the differences are the fast_pattern:only
# designation, the msg suffix, and the additional cve,2017-3059 / apsb17-10 references.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player custom object garbage collection use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"onSelect|00|"; content:"removeMovieClip|00|"; fast_pattern:only; content:"addProperty|00|"; content:"_level0|00|"; content:"|1C 3E 96 09 00 08|"; content:"|1C 96 02 00 08|"; within:5; distance:8; content:"|52 17 00|"; within:3; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3001; reference:cve,2017-3059; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-07.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-10.html; classtype:attempted-user; sid:42045; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player custom object garbage collection use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"push|00|"; content:"createEmptyMovieClip|00|"; fast_pattern:only; content:"|07 00 20 00 00 07 01 00 00 00 08|"; content:"|96|"; within:4; distance:-18; content:"|96 02 00 08|"; content:"|8E 08 00 00 00 00|"; within:6; distance:1; content:"|96|"; within:8; distance:5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3001; reference:cve,2017-3059; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-07.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-10.html; classtype:attempted-user; sid:42044; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Primetime TVSDK memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data;
content:"|19|com.adobe.tvsdk.mediacore"; fast_pattern:only; content:"|0F|MediaPlayerView"; content:"|09|focusRect"; content:"|05|stage"; content:"|20 4A|"; content:"|20 61|"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,96866; reference:cve,2017-2999; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-07.html; classtype:attempted-user; sid:42053; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Primetime TVSDK memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|19|com.adobe.tvsdk.mediacore"; fast_pattern:only; content:"|0F|MediaPlayerView"; content:"|09|focusRect"; content:"|05|stage"; content:"|20 4A|"; content:"|20 61|"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,96866; reference:cve,2017-2999; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-07.html; classtype:attempted-user; sid:42052; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player On2 VP6 video codec fragment read access violation attempt"; flow:to_server,established; file_data; content:"|00 00 00 25 00 00 05 FE 24 40 A0 3E EF 06 2B 06 5E 8E 45 E2 4B B4 37 1D 9D 37 30 7F 33 0B C4 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3788; reference:url,www.talosintelligence.com/reports/TALOS-2015-0012; classtype:denial-of-service; sid:36230; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player On2 VP6 video codec fragment read access violation attempt"; flow:to_client,established; file_data; content:"|00 00 00 25 00 00 05 FE 24 40 A0 3E EF 06 2B 06 5E 8E 45 E2 4B B4 37 1D 
9D 37 30 7F 33 0B C4 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3788; reference:url,www.talosintelligence.com/reports/TALOS-2015-0012; classtype:denial-of-service; sid:36229; rev:3;)
# Resolution Opportunity parameter memory corruption (cve,2017-2998; APSB17-07).
# sid:42097 is the SMTP variant and sid:42096 the file-download variant; the
# content chain is identical in both.
# Both are gated on the file.swf flowbit, with "ShimContentResolver" as the fast
# pattern. The three short byte patterns at the end are bounded only by
# within:15 / within:5 after an unanchored |4A 02 01|.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Resolution Opportunity parameter memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ShimContentResolver"; fast_pattern:only; content:"timeline"; content:"resolvers"; content:"Opportunity"; content:"|4A 02 01|"; content:"|4A 03 04|"; within:15; content:"|46 05|"; within:5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2998; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-07.html; classtype:attempted-user; sid:42097; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Resolution Opportunity parameter memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ShimContentResolver"; fast_pattern:only; content:"timeline"; content:"resolvers"; content:"Opportunity"; content:"|4A 02 01|"; content:"|4A 03 04|"; within:15; content:"|46 05|"; within:5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2998; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-07.html; classtype:attempted-user; sid:42096; rev:2;)
# NetStream use after free (APSB17-10), SMTP variant; gated on the file.swf flowbit.
# After the string anchors, byte_extract reads the 2 bytes following |17 96 02 00|
# into "subclass" and requires the same value after a later |69 96 04 00|.
# It then reads the 2 bytes following |1C 96 02 00| into "mysub" and requires the
# same value after a later |1C 96 02 00|.
# NOTE(review): this rule cites cve,2017-3063, but its to_client twin sid:42214
# below cites cve,2017-3036. Every other option matches, so the digits look
# transposed in one of them. Confirm against the APSB17-10 CVE list and align the
# pair; otherwise the same sample maps to different CVEs in alert enrichment
# depending on whether it arrived by mail or by download.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player NetStream use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"Object"; content:"__constructor__"; fast_pattern:only; content:"NetStream"; content:"NetConnection"; content:"connect"; content:"|17 96 02 00|"; byte_extract:2,0,subclass,relative; content:"|69 96 04 00|"; distance:0; byte_test:2,=,subclass,0,relative; content:"|1C 96 02 00|"; byte_extract:2,0,mysub,relative; content:"|1C 96 02 00|"; distance:0; byte_test:2,=,mysub,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3063; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-10.html; classtype:attempted-user; sid:42215; rev:2;)
# NetStream use after free, file-download variant.
# NOTE(review): reference is cve,2017-3036 here versus cve,2017-3063 in sid:42215 above.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player NetStream use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"Object"; content:"__constructor__"; fast_pattern:only; content:"NetStream"; content:"NetConnection"; content:"connect"; content:"|17 96 02 00|"; byte_extract:2,0,subclass,relative; content:"|69 96 04 00|"; distance:0; byte_test:2,=,subclass,0,relative; content:"|1C 96 02 00|"; byte_extract:2,0,mysub,relative; content:"|1C 96 02 00|"; distance:0; byte_test:2,=,mysub,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3036; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-10.html; classtype:attempted-user; sid:42214; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player allocator use-after-free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"createTextField|00|"; fast_pattern:only; content:"ExternalInterface|00|"; content:"addProperty|00|"; content:"|07 00 12 00 00 07 01 00 00 00 08|"; content:"|07 01 00 00 00 07 01 00 00 00 07 00 00 00 00 07 00 00 00 00 07 00 00 00 00|"; content:"|4F 99 02 00|"; content:"|8E 08 00 00 00 00|"; within:12; content:"|8E 08 00 00 00 00|"; within:12; metadata:policy balanced-ips drop, policy max-detect-ips
drop, policy security-ips drop, service smtp; reference:cve,2017-3062; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-10.html; classtype:attempted-user; sid:42207; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player allocator use-after-free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"createTextField|00|"; fast_pattern:only; content:"ExternalInterface|00|"; content:"addProperty|00|"; content:"|07 00 12 00 00 07 01 00 00 00 08|"; content:"|07 01 00 00 00 07 01 00 00 00 07 00 00 00 00 07 00 00 00 00 07 00 00 00 00|"; content:"|4F 99 02 00|"; content:"|8E 08 00 00 00 00|"; within:12; content:"|8E 08 00 00 00 00|"; within:12; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3062; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-10.html; classtype:attempted-user; sid:42206; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DisplayObject use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|06|Sprite"; content:"|04|mask"; fast_pattern:only; content:"rotation"; content:"|0D|DisplayObject"; content:"|01 5D|"; distance:0; content:"|4A|"; within:1; distance:1; content:"|00 80|"; within:2; distance:1; content:"|63|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3071; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-15.html; classtype:attempted-user; sid:42818; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DisplayObject use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|06|Sprite"; 
content:"|04|mask"; fast_pattern:only; content:"rotation"; content:"|0D|DisplayObject"; content:"|01 5D|"; distance:0; content:"|4A|"; within:1; distance:1; content:"|00 80|"; within:2; distance:1; content:"|63|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3071; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-15.html; classtype:attempted-user; sid:42817; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player display object mask use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|5D 06 24 37 24 14 27 2F 01 4A 06 04 61 07 D2 D3 4F 04 01 5D 03 4A 03 00 80 03 63 04 D1 62 04 4F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3073; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-15.html; classtype:attempted-user; sid:42816; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player display object mask use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|5D 06 24 37 24 14 27 2F 01 4A 06 04 61 07 D2 D3 4F 04 01 5D 03 4A 03 00 80 03 63 04 D1 62 04 4F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3073; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-15.html; classtype:attempted-user; sid:42815; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|2F 01 4A 0C 04 61 0D D2 D3 4F 0A 01 D3 66 0D 5D 0C 24 78 24 57 27 2D 01 4A 0C 04 5D 0E 2F 02 2F|"; 
fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3072; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-15.html; classtype:attempted-user; sid:42810; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|2F 01 4A 0C 04 61 0D D2 D3 4F 0A 01 D3 66 0D 5D 0C 24 78 24 57 27 2D 01 4A 0C 04 5D 0E 2F 02 2F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3072; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-15.html; classtype:attempted-user; sid:42809; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Standalone Flash Player BlendMode memory corruption attempt"; flow:to_server,established; file_data; content:"|D5 D0 D1 4F 08 01 5D 09 4A 09 00 80 09 D6 D1 D2 4F 08 01 5D 02 4A 02 00 80 02 D7 D2 D3 4F 08 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3069; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-15.html; classtype:attempted-user; sid:42808; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Standalone Flash Player BlendMode memory corruption attempt"; flow:to_client,established; file_data; content:"|D5 D0 D1 4F 08 01 5D 09 4A 09 00 80 09 D6 D1 D2 4F 08 01 5D 02 4A 02 00 80 02 D7 D2 D3 4F 08 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3069; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb17-15.html; classtype:attempted-user; sid:42807; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionPush out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|80 00 32 01 00 FF 09 06 00 00 00 04 00 00 00 00 00 FF 0E D6 02 00 00 04 00 88 72 00 0D 00 5F 67|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3060; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-10.html; classtype:attempted-user; sid:42801; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionPush out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|80 00 32 01 00 FF 09 06 00 00 00 04 00 00 00 00 00 FF 0E D6 02 00 00 04 00 88 72 00 0D 00 5F 67|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3060; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-10.html; classtype:attempted-user; sid:42800; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ConvolutionFilter memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|24 A9 24 40 24 F6 24 46 24 B1 24 1D 24 8F 24 6E 24 B4 56 09 24 3E 24 8C 27 27 2D 01 2F 01 4A 04 09 56 01 68|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3070; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-15.html; classtype:attempted-user; sid:42797; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player 
ConvolutionFilter memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|24 A9 24 40 24 F6 24 46 24 B1 24 1D 24 8F 24 6E 24 B4 56 09 24 3E 24 8C 27 27 2D 01 2F 01 4A 04 09 56 01 68|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3070; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-15.html; classtype:attempted-user; sid:42796; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player beginGradientFill color array out of bounds read attempt"; flow:to_server,established; file_data; content:"|03 2F 04 56 04 24 57 24 58 25 D4 01 25 BB 01 56 04 20 2C 0C 2C 0D 2F 05 4F 09 08 D2 66 08 5D 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3074; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-15.html; classtype:attempted-user; sid:42795; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player beginGradientFill color array out of bounds read attempt"; flow:to_client,established; file_data; content:"|03 2F 04 56 04 24 57 24 58 25 D4 01 25 BB 01 56 04 20 2C 0C 2C 0D 2F 05 4F 09 08 D2 66 08 5D 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3074; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-15.html; classtype:attempted-user; sid:42794; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player FLV invalid tag buffer overflow attempt"; flow:to_server,established; file_data; content:"|09 08 00 2F 00 00 00 00 00 00 00 17 00 00 00 00 01 64 00 1F FF E1 82 0E 67 64 00 1F AC D6 01 01|"; 
fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3068; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-15.html; classtype:attempted-user; sid:42793; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player FLV invalid tag buffer overflow attempt"; flow:to_client,established; file_data; content:"|09 08 00 2F 00 00 00 00 00 00 00 17 00 00 00 00 01 64 00 1F FF E1 82 0E 67 64 00 1F AC D6 01 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3068; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-15.html; classtype:attempted-user; sid:42792; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player javascript decompressor use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1F|loadCompressedDataFromByteArray"; fast_pattern:only; content:"|14|loadPCMFromByteArray"; nocase; content:"|05|Sound"; nocase; content:"|04|play"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3037; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-10.html; classtype:attempted-user; sid:42933; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player javascript decompressor use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1F|loadCompressedDataFromByteArray"; fast_pattern:only; content:"|14|loadPCMFromByteArray"; nocase; content:"|05|Sound"; nocase; content:"|04|play"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3037; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb17-10.html; classtype:attempted-user; sid:42932; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DefineBitsJPEG2 invalid length memory corruption attempt"; flow:to_server,established; file_data; content:"FWS"; depth:3; content:"|7F 05 6F 41 00 00 01 00 FF D8 FF E1 00 18 45 78 69 66 00 00 49 49 2A 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4179; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:42931; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DefineBitsJPEG2 invalid length memory corruption attempt"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"|7F 05 6F 41 00 00 01 00 FF D8 FF E1 00 18 45 78 69 66 00 00 49 49 2A 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4179; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:42930; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH RealNetworks RealPlayer FLV integer overflow attempt"; flow:to_server,established; file_data; content:"FLV|01|"; depth:4; content:"|12|"; within:1; distance:9; byte_jump:2,11,relative; byte_test:1,>=,0x08,0,relative; byte_test:1,<=,0x0a,0,relative; byte_test:4,>,0x7507507,1,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42775; reference:cve,2010-3000; classtype:attempted-user; sid:43727; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; file_data; content:"|4A 10 06 26 27 4F 11 04 D1 66 06 24 00 2D 
03 2F 06 27 2C 25 2C 26 2C 27 25 CA 01 4F 08 08 D1 66 06 24 7B 25 D9 FE FF FF 0F 24 19 25 DE 01 4F 12 04 D0 24|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3099; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-21.html; classtype:attempted-user; sid:43533; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; file_data; content:"|04 2F 04 61 11 2A 24 05 2F 05 61 11 2A 24 06 2F 06 61 11 2A 24 07 24 18 61 11 2A 24 08 2F 07 61 11 2A 24 09 24 01 61 11 2A 24 0A 2F 08 61 11 2A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3099; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-21.html; classtype:attempted-user; sid:43532; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_server,established; file_data; content:"|0A 25 B7 FE FF FF 0F 61 49 62 0A 2C 73 61 4A 62 0A 2D 05 61 4B 62 0A 2C 89 01 61 42 62 0A 2C 8A 01 61 4C 62 0A 2C 8B 01 61 4D 62 0A 5D 4E 2C 8C 01 2C 6B 2C 6B 2C 6C 2C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3099; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-21.html; classtype:attempted-user; sid:43531; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"|0A 25 B7 FE FF FF 0F 61 49 62 0A 2C 73 61 4A 62 0A 2D 05 61 4B 62 0A 2C 89 01 61 42 62 0A 2C 8A 01 61 4C 62 0A 2C 8B 01 61 4D 62 0A 5D 4E 2C 8C 01 2C 6B 2C 6B 2C 6C 2C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy 
security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3099; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-21.html; classtype:attempted-user; sid:43530; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"|04 2F 04 61 11 2A 24 05 2F 05 61 11 2A 24 06 2F 06 61 11 2A 24 07 24 18 61 11 2A 24 08 2F 07 61 11 2A 24 09 24 01 61 11 2A 24 0A 2F 08 61 11 2A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3099; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-21.html; classtype:attempted-user; sid:43529; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"|4A 10 06 26 27 4F 11 04 D1 66 06 24 00 2D 03 2F 06 27 2C 25 2C 26 2C 27 25 CA 01 4F 08 08 D1 66 06 24 7B 25 D9 FE FF FF 0F 24 19 25 DE 01 4F 12 04 D0 24|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3099; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-21.html; classtype:attempted-user; sid:43528; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player applyFilter memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 23 00 06|"; fast_pattern; content:"|1C 96 02 00 08|"; within:5; distance:34; content:"|4E 96 02 00 08|"; within:5; distance:1; content:"|53 87 01 00|"; within:4; distance:1; content:"|96 10 00 04|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips 
drop, service smtp; reference:cve,2017-3100; classtype:attempted-user; sid:43480; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player applyFilter memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 23 00 06|"; fast_pattern; content:"|1C 96 02 00 08|"; within:5; distance:34; content:"|4E 96 02 00 08|"; within:5; distance:1; content:"|53 87 01 00|"; within:4; distance:1; content:"|96 10 00 04|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3100; classtype:attempted-user; sid:43479; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|A2 00 92 04 8C 1F 28 BE 7E|"; depth:9; offset:1222; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7645; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; classtype:attempted-user; sid:43455; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A2 00 92 04 8C 1F 28 BE 7E|"; depth:9; offset:1222; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7645; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; classtype:attempted-user; sid:43454; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; 
content:"|0D|writeExternal"; fast_pattern:only; content:"|09|ByteArray"; nocase; content:"|4F 44 02 5D 45 4A 45 00 82 D6 D2 D1 4F 46 01|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7645; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; classtype:attempted-user; sid:43453; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player custom toString function attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|FF 0E|"; byte_extract:4,0,codeSize,relative,little; content:"|88|"; within:1; distance:2; byte_extract:2,0,cPoolSize,relative,little; content:"|00|toString|00|"; within:cPoolSize; content:"|07 01 00 00 00 43 87 01 00|"; within:codeSize; fast_pattern; content:"|17|"; within:1; distance:1; content:"|96 09 00 08|"; within:4; distance:-18; content:"|04|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3075; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43421; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player custom toString function attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FF 0E|"; byte_extract:4,0,codeSize,relative,little; content:"|88|"; within:1; distance:2; byte_extract:2,0,cPoolSize,relative,little; content:"|00|toString|00|"; within:cPoolSize; content:"|07 01 00 00 00 43 87 01 00|"; within:codeSize; fast_pattern; content:"|17|"; within:1; distance:1; content:"|96 09 00 08|"; within:4; distance:-18; content:"|04|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; 
reference:cve,2017-3075; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43420; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData object out of bounds access attempt"; flow:to_server,established; file_data; content:"|66 03 5D 04 24 01 25 C8 01 27 2F 01 4A 04 04 20 26 26 4F 05 04 D0 66 03 5D 06 66 07 60 08 53 01 24 06 42 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,99025; reference:cve,2017-3079; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43419; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player BitmapData object out of bounds access attempt"; flow:to_server,established; file_data; content:"|24 20 25 B0 01 4A 0D 06 5D 13 2F 05 24 01 2F 10 2F 07 24 53 24 72 25 FC FE FF FF 0F 25 A7 01 4A 13 08 2C 26|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,99025; reference:cve,2017-3079; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43418; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData object out of bounds access attempt"; flow:to_client,established; file_data; content:"|66 03 5D 04 24 01 25 C8 01 27 2F 01 4A 04 04 20 26 26 4F 05 04 D0 66 03 5D 06 66 07 60 08 53 01 24 06 42 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,99025; reference:cve,2017-3079; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43417; rev:2;) alert tcp $EXTERNAL_NET 
$FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player BitmapData object out of bounds access attempt"; flow:to_client,established; file_data; content:"|24 20 25 B0 01 4A 0D 06 5D 13 2F 05 24 01 2F 10 2F 07 24 53 24 72 25 FC FE FF FF 0F 25 A7 01 4A 13 08 2C 26|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,99025; reference:cve,2017-3079; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43416; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DisplayObject use after free attempt"; flow:to_server,established; file_data; content:"|1C 96 07 00 08 0E 07 05 00 00 00 4F 96 02 00 08 01 1C 96 2F 00 08 0F 05 01 05 00 07 01 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3081; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43415; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DisplayObject use after free attempt"; flow:to_client,established; file_data; content:"|1C 96 07 00 08 0E 07 05 00 00 00 4F 96 02 00 08 01 1C 96 2F 00 08 0F 05 01 05 00 07 01 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3081; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43414; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DisplayObject use after free attempt"; flow:to_server,established; file_data; content:"|20 2C 20 4F 0E 04 D0 24 D7 24 C3 26 4F 0F 03 D0 D0 4F 10 01 D1 5D 11 2C 
25 20 2D 02 27 20 20 2C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3081; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43413; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DisplayObject use after free attempt"; flow:to_client,established; file_data; content:"|20 2C 20 4F 0E 04 D0 24 D7 24 C3 26 4F 0F 03 D0 D0 4F 10 01 D1 5D 11 2C 25 20 2D 02 27 20 20 2C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3081; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43412; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DisplayObject use after free attempt"; flow:to_server,established; file_data; content:"|62 04 66 0D 24 0F 24 36 24 3B 24 29 24 0A 60 0E 4F 0F 06 62 05 66 0C 5D 0B 24 7D 25 F8 01 26 2D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3081; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43411; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DisplayObject use after free attempt"; flow:to_client,established; file_data; content:"|62 04 66 0D 24 0F 24 36 24 3B 24 29 24 0A 60 0E 4F 0F 06 62 05 66 0C 5D 0B 24 7D 25 F8 01 26 2D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3081; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; 
classtype:attempted-user; sid:43410; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player determinePreferredLocales out of bounds memory read attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|66 04 D5 10 0D 00 00 D0 30 5A 01 2A 63 06 2A 30 2B 6D 01 1D D1 5D 05 2C 11 2C 12 55 01 4A 05 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3082; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43406; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player determinePreferredLocales out of bounds memory read attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|66 04 D5 10 0D 00 00 D0 30 5A 01 2A 63 06 2A 30 2B 6D 01 1D D1 5D 05 2C 11 2C 12 55 01 4A 05 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3082; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43405; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Acrobat Reader profile use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0C|ProfileEvent"; fast_pattern:only; content:"|07|valueOf"; nocase; content:"|24 79 20 20 20 20 20 4A|"; content:"|06|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3083; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43396; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Acrobat Reader profile use after free attempt"; 
flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0C|ProfileEvent"; fast_pattern:only; content:"|07|valueOf"; nocase; content:"|24 79 20 20 20 20 20 4A|"; content:"|06|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3083; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43395; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MPEG-4 AVC decoding out of bounds read attempt"; flow:to_server,established; file_data; content:"|C1 48 6A 18 FE 68 E9 BB DE C9 1B 32 40 85 FE 41 FE 3C 13 F1 E6 31 03 98 0A 58 AB 4A 70 5B 13 DE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3076; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43394; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MPEG-4 AVC decoding out of bounds read attempt"; flow:to_client,established; file_data; content:"|C1 48 6A 18 FE 68 E9 BB DE C9 1B 32 40 85 FE 41 FE 3C 13 F1 E6 31 03 98 0A 58 AB 4A 70 5B 13 DE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3076; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43393; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AdvertisingMetadata use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"AdvertisingMetadata"; fast_pattern:only; content:"|19|com.adobe.tvsdk.mediacore"; content:"|04|PSDK"; content:"|05|clone"; 
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3084; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43383; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AdvertisingMetadata use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"AdvertisingMetadata"; fast_pattern:only; content:"|19|com.adobe.tvsdk.mediacore"; content:"|04|PSDK"; content:"|05|clone"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3084; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43382; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative null pointer dereference attempt"; flow:to_server,established; file_data; content:"|00|ASnative|00|"; fast_pattern:only; content:"|07 2D 01 00 00|"; content:"|96 02|"; content:"|52|"; within:1; distance:3; metadata:service smtp; classtype:attempted-user; sid:43303; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative null pointer dereference attempt"; flow:to_server,established; file_data; content:"|00|ASnative|00|"; fast_pattern:only; content:"|07 0F 00 00 00|"; content:"|96 02|"; content:"|52|"; within:1; distance:3; metadata:service smtp; classtype:attempted-user; sid:43302; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative null pointer dereference attempt"; flow:to_client,established; file_data; content:"|00|ASnative|00|"; fast_pattern:only; content:"|07 2D 01 00 00|"; content:"|96 02|"; content:"|52|"; within:1; distance:3; metadata:service ftp-data, service http, service imap, service pop3; 
classtype:attempted-user; sid:43301; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative null pointer dereference attempt"; flow:to_client,established; file_data; content:"|00|ASnative|00|"; fast_pattern:only; content:"|07 0F 00 00 00|"; content:"|96 02|"; content:"|52|"; within:1; distance:3; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:43300; rev:1;)
# NOTE(review): the entry below is damaged in this copy. Twice, the text after
# `content:"` is missing up to the tail of the following rule header
# (` $HOME_NET any (` and ` $SMTP_SERVERS 25 (`), so the remains of three rules
# are fused into one line: two disabled "invalid DefinedEditText tag" rules,
# whose patterns and SIDs are lost, and the "JSON stringify" rule sid:43048,
# which has lost its `alert tcp ... ->` header. From this copy it cannot be
# told whether sid:43048 was shipped enabled. The line is left byte-for-byte
# as found and stays commented out; restore these rules from the original
# rule package rather than repairing them by hand.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player invalid DefinedEditText tag memory corruption attempt"; flow:to_server,established; flowbits:isset, file.swf; file_data; content:" $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player invalid DefinedEditText tag memory corruption attempt"; flow:to_client,established; flowbits:isset, file.swf; file_data; content:" $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player JSON stringify memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|55 9B BB 5C 27 F5 B9 E2 55 C9 0C 4B 3C 6E 36 4E 62 2E 73 0C AB 6B 74 A6 B1 F7 74 C2 0E 0D 6A EA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72514; reference:cve,2015-0324; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:43048; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player SMB sandbox bypass attempt"; flow:to_server,established; file_data; content:"|66 D2 02 4A F9 07 01 80 F9 07 6D 01 D0 5D F5 01 4A F5 01 00 68 D3 02 D0 66 D3 02 25 C4 04 61 71|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3085; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-23.html; classtype:attempted-user; sid:44003; rev:2;)
alert tcp $EXTERNAL_NET
$FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SMB sandbox bypass attempt"; flow:to_client,established; file_data; content:"|66 D2 02 4A F9 07 01 80 F9 07 6D 01 D0 5D F5 01 4A F5 01 00 68 D3 02 D0 66 D3 02 25 C4 04 61 71|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3085; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-23.html; classtype:attempted-user; sid:44002; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player overly large cpool index out of bounds read attempt"; flow:to_server,established; file_data; content:"|89 16 06 00 B7 01 00 8A 16 06 00 B7 01 00 8B 16 06 00 B7 01 00 8C 16 06 00 B7 01 00 8D 16 06 00 B7 01 00 8E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3106; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-23.html; classtype:attempted-user; sid:43996; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player overly large cpool index out of bounds read attempt"; flow:to_client,established; file_data; content:"|89 16 06 00 B7 01 00 8A 16 06 00 B7 01 00 8B 16 06 00 B7 01 00 8C 16 06 00 B7 01 00 8D 16 06 00 B7 01 00 8E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3106; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-23.html; classtype:attempted-user; sid:43995; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Rectangle constructor use after free attempt"; flow:to_server,established; file_data; content:"|A6 0D 06 83 FC A0 90 A7 AC A3 19 E5 72 59 D3 4D CD 34 73 42 91 8B 
46 01 47 C3 5C 10 DD CF D6 D4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4228; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:44017; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Rectangle constructor use after free attempt"; flow:to_client,established; file_data; content:"|A6 0D 06 83 FC A0 90 A7 AC A3 19 E5 72 59 D3 4D CD 34 73 42 91 8B 46 01 47 C3 5C 10 DD CF D6 D4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4228; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:44016; rev:2;)
# NOTE(review): sid:44174 is the to_server / `service smtp` variant of
# sid:44173, but its header is `$EXTERNAL_NET any -> $EXTERNAL_NET any`; the
# other SMTP-direction rules in this section use
# `$EXTERNAL_NET any -> $SMTP_SERVERS 25`. On sensors where EXTERNAL_NET
# excludes the protected networks, this destination would presumably not
# cover the site's own mail servers, leaving mail-borne SWF attachments for
# CVE-2015-3132 undetected by this rule -- verify against the vendor's current
# rule package. If a corrected header is needed before the vendor fixes it,
# add a copy to local.rules under a local SID (>= 1000000) instead of editing
# this entry, so rule updates do not overwrite or duplicate it.
# Both rules also require flowbits file.swf, so they only fire when the rule
# that sets that flowbit is enabled.
alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET any (msg:"FILE-FLASH Adobe Flash Player SharedObject use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ASnative"; fast_pattern:only; content:"ASSetPropFlags"; nocase; content:"SharedObject"; nocase; content:"flush"; distance:0; nocase; content:"display"; nocase; content:"BitmapData"; within:11; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3132; classtype:attempted-user; sid:44174; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player SharedObject use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ASnative"; fast_pattern:only; content:"ASSetPropFlags"; nocase; content:"SharedObject"; nocase; content:"flush"; distance:0; nocase; content:"display"; nocase; content:"BitmapData"; within:11; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service
http, service imap, service pop3; reference:cve,2015-3132; classtype:attempted-user; sid:44173; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player text handling memory corruption attempt"; flow:to_server,established; file_data; content:"|96 11 00 08 0B 07 FF FF FF 00 07 00 00 1F FF 07 02 00 00 00 42 4F 96 02 00 08 07 1C 96 07 00 07 01 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11282; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-28.html; classtype:attempted-user; sid:44352; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player text handling memory corruption attempt"; flow:to_client,established; file_data; content:"|96 11 00 08 0B 07 FF FF FF 00 07 00 00 1F FF 07 02 00 00 00 42 4F 96 02 00 08 07 1C 96 07 00 07 01 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11282; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-28.html; classtype:attempted-user; sid:44351; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt"; flow:to_client,established; file_data; content:"|00 00 00 6B FF FF 00 04 00 00 08 FF 59 FF FF 7F FF 10 00 A2 73 74 63 6F 00 E5 3F FF 00 00 D6 71|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11281; classtype:attempted-user; sid:44348; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt"; flow:to_server,established; file_data; content:"|00 00 DE 00 00 02 E7 00 
02 E9 40 00 80 FF 20 FF FF 2D 54 65 73 D6 74 30 00 53 00 13 41 43 20 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11281; classtype:attempted-user; sid:44347; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt"; flow:to_client,established; file_data; content:"|00 00 DE 00 00 02 E7 00 02 E9 40 00 80 FF 20 FF FF 2D 54 65 73 D6 74 30 00 53 00 13 41 43 20 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11281; classtype:attempted-user; sid:44346; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt"; flow:to_server,established; file_data; content:"|00 00 00 6B FF FF 00 04 00 00 08 FF 59 FF FF 7F FF 10 00 A2 73 74 63 6F 00 E5 3F FF 00 00 D6 71|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11281; classtype:attempted-user; sid:44345; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt"; flow:to_server,established; file_data; content:"|D0 30 D1 24 09 0D 06 00 00 D1 46 ED 01 00 48 60 1C 2D 08 46 5E 01 D1 24 10 46 ED 01 01 A0 48 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1019; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-01.html; classtype:attempted-user; sid:44553; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt"; flow:to_client,established; file_data; 
content:"|D0 30 D1 24 09 0D 06 00 00 D1 46 ED 01 00 48 60 1C 2D 08 46 5E 01 D1 24 10 46 ED 01 01 A0 48 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1019; reference:url,helpx.adobe.com/security/products/flash-player/apsa16-01.html; classtype:attempted-user; sid:44552; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player array type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"com.adobe.tvsdk.mediacore"; fast_pattern:only; content:"BufferControlParameters"; content:"initialBufferTime"; content:"playBufferTime"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11292; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-32.html; classtype:attempted-user; sid:44584; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player array type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"com.adobe.tvsdk.mediacore"; fast_pattern:only; content:"BufferControlParameters"; content:"initialBufferTime"; content:"playBufferTime"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11292; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-32.html; classtype:attempted-user; sid:44583; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player tvsdk object use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"QOSProvider"; fast_pattern:only; content:"|19|com.adobe.tvsdk.mediacore"; content:"|04|PSDK"; content:"createMetadata"; content:"getObject"; metadata:policy balanced-ips 
drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11225; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-33.html; classtype:attempted-user; sid:44964; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player tvsdk object use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"QOSProvider"; fast_pattern:only; content:"|19|com.adobe.tvsdk.mediacore"; content:"|04|PSDK"; content:"createMetadata"; content:"getObject"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11225; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-33.html; classtype:attempted-user; sid:44963; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Primetime SDK use after free attempt"; flow:to_server,established; file_data; content:"|10 0E 00 00 D0 30 5A 09 2A D5 2A 30 2B 6D 01 1D 08 01 D0 66 0C D0 66 0E 4F 33 01 10 0E 00 00 D0|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11215; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-33.html; classtype:attempted-user; sid:44952; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Primetime SDK use after free attempt"; flow:to_client,established; file_data; content:"|10 0E 00 00 D0 30 5A 09 2A D5 2A 30 2B 6D 01 1D 08 01 D0 66 0C D0 66 0E 4F 33 01 10 0E 00 00 D0|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11215; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-33.html; classtype:attempted-user; sid:44951; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 
25 (msg:"FILE-FLASH Adobe Flash Player PSDK Metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0E|createMetadata"; content:"|09|setObject"; fast_pattern:only; content:"|08|toString"; content:"|40|"; content:"|2B 6D|"; within:2; distance:2; content:"|55 01|"; content:"|2B 6D|"; within:2; distance:1; content:"|4F|"; content:"|02|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3112; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-33.html; classtype:attempted-user; sid:44903; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PSDK Metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0E|createMetadata"; content:"|09|setObject"; fast_pattern:only; content:"|08|toString"; content:"|40|"; content:"|2B 6D|"; within:2; distance:2; content:"|55 01|"; content:"|2B 6D|"; within:2; distance:1; content:"|4F|"; content:"|02|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3112; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-33.html; classtype:attempted-user; sid:44902; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player determinePreferredLocales memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|07|unshift"; fast_pattern:only; content:"|19|determinePreferredLocales"; content:"|21 4F|"; content:"|01|"; within:1; distance:1; content:"|4F|"; distance:0; content:"|03|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3114; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb17-33.html; classtype:attempted-user; sid:44892; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player determinePreferredLocales memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|07|unshift"; fast_pattern:only; content:"|19|determinePreferredLocales"; content:"|21 4F|"; content:"|01|"; within:1; distance:1; content:"|4F|"; distance:0; content:"|03|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3114; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-33.html; classtype:attempted-user; sid:44891; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player bitmap hitTest integer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00|hitTest"; nocase; content:"|00|BitmapData"; nocase; content:"|96 1C 00 06|"; content:"|1C 96 02 00 08|"; within:5; distance:27; content:"|4E 96 02 00 08|"; within:5; distance:1; content:"|96 19 00 07|"; distance:0; content:"|52 17|"; within:2; distance:24; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11213; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-admin; sid:44888; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player bitmap hitTest integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00|hitTest"; nocase; content:"|00|BitmapData"; nocase; content:"|96 1C 00 06|"; content:"|1C 96 02 00 08|"; within:5; distance:27; content:"|4E 96 02 00 08|"; within:5; distance:1; content:"|96 19 00 07|"; distance:0; content:"|52 17|"; within:2; 
distance:24; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11213; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-admin; sid:44887; rev:2;)
# The line above is the tail of sid 44887 (to_client bitmap hitTest rule). Layout restored to one rule
# per line; rule text is unchanged. The rules below are all commented out, and their metadata names
# services only, with no policy entry.
#
# sid 45085: SMTP direction only. One fixed byte sequence searched in file_data as fast_pattern:only,
# so it fires only on files that contain exactly these bytes.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player use after free attempt"; flow:to_server,established; file_data; content:"|1C 96 05 00 07 01 00 00 00 43 3C 96 09 00 08 1B 07 01 00 00 00 08 16 1C 96 02 00 08 1C 52 17 96|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-8434; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-admin; sid:45085; rev:1;)
# sids 45225 / 45224: the same byte sequence for the to_client and SMTP directions.
# NOTE(review): unlike the rules around them, these two carry no file_data option, so the content is
# evaluated against the packet payload rather than the decoded file buffer. A base64-encoded mail
# attachment would presumably not match sid 45224 - confirm whether file_data was left out on purpose.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash memory corruption exploit attempt"; flow:to_client,established; content:"|28 09 74 3E 87 B1 A7 CB E0 3D 8B 04 A1 01 D8 86 6F 7C 38 9C C0 76 5F 5B DF 2B 8A 0B 1E F9 5C 2F|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,37275; reference:cve,2009-3798; classtype:attempted-user; sid:45225; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash memory corruption exploit attempt"; flow:to_server,established; content:"|28 09 74 3E 87 B1 A7 CB E0 3D 8B 04 A1 01 D8 86 6F 7C 38 9C C0 76 5F 5B DF 2B 8A 0B 1E F9 5C 2F|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,37275; reference:cve,2009-3798; classtype:attempted-user; sid:45224; rev:1;)
# sid 45356 (options continue on the following line): SMTP direction, one fixed byte sequence in file_data.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player null pointer dereference attempt"; flow:to_server,established; file_data; content:"|01 B1 04 00 8E 00 10 0D CF 55 5C 11 EC 89 47 0D 09 48 00 86 C3 72 D4 52 37 2C F1 B8 C1 95 0D 77|"; fast_pattern:only; metadata:service smtp; reference:cve,2011-0626; reference:url,www.adobe.com/support/security/bulletins/apsb11-12.html; 
classtype:attempted-user; sid:45356; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ConvolutionFilter Matrix use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00|matrix"; content:"|00|flash"; content:"|00|ConvolutionFilter"; fast_pattern:only; content:"|00|toString"; content:"|00|valueOf"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-3039; classtype:attempted-user; sid:45310; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ConvolutionFilter Matrix use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00|matrix"; content:"|00|flash"; content:"|00|ConvolutionFilter"; fast_pattern:only; content:"|00|toString"; content:"|00|valueOf"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3039; classtype:attempted-user; sid:45309; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed ATF buffer overflow attempt"; flow:to_server,established; file_data; content:"|CB ED 0F B0 9C A1 00 00 21 F9 04 05 0A 00 FB FF 2B 05 00 0A 00 07 00 07 00 01 00 FF 00 40 A9 CB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4871; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-10.html; classtype:attempted-user; sid:45405; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed ATF buffer overflow attempt"; flow:to_client,established; file_data; content:"|CB ED 0F B0 9C A1 00 00 21 F9 04 05 0A 00 FB FF 2B 05 00 0A 00 07 00 07 00 01 00 FF 00 40 A9 CB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service 
imap, service pop3; reference:cve,2018-4871; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-10.html; classtype:attempted-user; sid:45404; rev:2;)
# The line above is the tail of sid 45404 (to_client malformed ATF rule). Layout restored to one rule
# per line; rule text is unchanged.
#
# sids 45459 / 45458 (CVE-2015-8410): four NUL-terminated method names searched in file_data with no
# distance/within between them, so their order and spacing are not constrained. There is no
# flowbits:isset,file.swf gate on either rule.
# NOTE(review): the SMTP rule (45459, rev 2) is enabled and listed in three policies, while its
# to_client twin (45458, rev 1) is commented out and listed in max-detect-ips only - confirm the
# asymmetric coverage is intended.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player movieclip attachbitmap use-after-free attempt"; flow:to_server,established; file_data; content:"removeMovieClip|00|"; fast_pattern:only; content:"createEmptyMovieClip|00|"; content:"valueOf|00|"; content:"attachBitmap|00|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8410; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:45459; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player movieclip attachbitmap use-after-free attempt"; flow:to_client,established; file_data; content:"removeMovieClip|00|"; fast_pattern:only; content:"createEmptyMovieClip|00|"; content:"valueOf|00|"; content:"attachBitmap|00|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8410; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:45458; rev:1;)
# sids 45501 / 45500 (CVE-2015-8411): three method-name strings, then a chain of relative byte matches
# (distance/within) ending in |52 17|. Both are commented out; no content carries fast_pattern.
# NOTE(review): the first relative byte sequence differs between the pair - 15 bytes here in sid 45501,
# 21 bytes (the same 15 followed by |07 06 00 00 00 08|) in sid 45500 - so the two directions do not
# match the same files. Confirm which form is intended.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player movieclip startdrag use-after-free attempt"; flow:to_server,established; file_data; content:"removeMovieClip|00|"; content:"valueOf|00|"; content:"startDrag|00|"; content:"|1C 96 05 00 07 01 00 00 00 43 96 09 00 05 01|"; distance:0; content:"|1C 96 02 00 08|"; within:5; distance:1; content:"|52 17|"; within:2; distance:1; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-8411; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:45501; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player 
movieclip startdrag use-after-free attempt"; flow:to_client,established; file_data; content:"removeMovieClip|00|"; content:"valueOf|00|"; content:"startDrag|00|"; content:"|1C 96 05 00 07 01 00 00 00 43 96 09 00 05 01 07 06 00 00 00 08|"; distance:0; content:"|1C 96 02 00 08|"; within:5; distance:1; content:"|52 17|"; within:2; distance:1; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8411; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:45500; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt"; flow:to_server,established; file_data; content:"|FF 12 77 83 00 00 03 00 84 01 14 48 65 6C 76 5F 29 D5 26 1A A2 00 A9 35 4F EC 84 58 5A B1 53 83 2B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3064; classtype:attempted-user; sid:45547; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt"; flow:to_client,established; file_data; content:"|FF 12 77 83 00 00 03 00 84 01 14 48 65 6C 76 5F 29 D5 26 1A A2 00 A9 35 4F EC 84 58 5A B1 53 83 2B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3064; classtype:attempted-user; sid:45546; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Selection.SetSelection use-after-free attempt"; flow:to_server,established; file_data; content:"removeMovieClip|00|"; fast_pattern:only; content:"valueOf|00|"; content:"setSelection|00|"; content:"|1C 96 05 00 07 01 00 00 00 43 3C|"; distance:0; content:"|1C 96 07 00 07 02 00 00 00 
08|"; within:10; distance:10; content:"|1C 96 02 00 08 35 52 17|"; within:8; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8413; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:45614; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Selection.SetSelection use-after-free attempt"; flow:to_client,established; file_data; content:"removeMovieClip|00|"; fast_pattern:only; content:"valueOf|00|"; content:"setSelection|00|"; content:"|1C 96 05 00 07 01 00 00 00 43 3C|"; distance:0; content:"|1C 96 07 00 07 02 00 00 00 08|"; within:10; distance:10; content:"|1C 96 02 00 08 35 52 17|"; within:8; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8413; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:45613; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt"; flow:to_server,established; file_data; content:"removeMovieClip|00|"; fast_pattern:only; content:"valueOf|00|"; content:"duplicateMovieClip|00|"; content:"|1C 96 05 00 07 01 00 00 00 43|"; distance:0; content:"|1C 96 02 00 08|"; within:5; distance:12; content:"|52 17|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8412; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:45616; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt"; flow:to_client,established; file_data; content:"removeMovieClip|00|"; 
fast_pattern:only; content:"valueOf|00|"; content:"duplicateMovieClip|00|"; content:"|1C 96 05 00 07 01 00 00 00 43|"; distance:0; content:"|1C 96 02 00 08|"; within:5; distance:12; content:"|52 17|"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8412; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:45615; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt"; flow:to_server,established; file_data; content:"|DE EC 76 71 B1 AD 5A B7 49 7A 2F A9 55 52 EB A4 36 DE 81 17 13 56 99 5D 2A 57 0B A4 87 39 1C AB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4878; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-03.html; classtype:attempted-user; sid:45595; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt"; flow:to_server,established; file_data; content:"|04|PSDK"; content:"|11|createMediaPlayer"; content:"|10|createDispatcher"; content:"|0A|drmManager"; fast_pattern; content:"|0A|initialize"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4878; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-03.html; classtype:attempted-user; sid:45594; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt"; flow:to_client,established; file_data; content:"|04|PSDK"; content:"|11|createMediaPlayer"; content:"|10|createDispatcher"; content:"|0A|drmManager"; fast_pattern; content:"|0A|initialize"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy 
security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4878; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-03.html; classtype:attempted-user; sid:45593; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt"; flow:to_server,established; file_data; content:"|CC 99 87 66 BE 52 F6 F9 67 FD E8 28 9D 9A CB 14 4A 87 46 65 C1 28 16 73 D9 94 41 DD F9 8E 67 CA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4878; reference:url,helpx.adobe.com/security/products/flash-player/apsa18-01.html; classtype:attempted-user; sid:45683; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"Shader"; content:"ByteArray"; within:1000; content:"_pbj$"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74617; reference:bugtraq,75086; reference:cve,2015-3091; reference:cve,2015-3105; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-recon; sid:45744; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"Shader"; content:"ByteArray"; within:1000; content:"_pbj$"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,74617; reference:bugtraq,75086; reference:cve,2015-3091; reference:cve,2015-3105; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; classtype:attempted-recon; sid:45743; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader BlurFilter object out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D0 30 D0 60 0F F1 14 68 0D 5D 11 60 02 66 12 D0 66 0C 4F 11 02 D0 5D 07 24 0A 24 00 24 0A 4A 07 03 68 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4937; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46248; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader BlurFilter object out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D0 30 D0 60 0F F1 14 68 0D 5D 11 60 02 66 12 D0 66 0C 4F 11 02 D0 5D 07 24 0A 24 00 24 0A 4A 07 03 68 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4937; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46247; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player use after free attempt"; flow:to_server,established; file_data; content:"|B3 0B CE 07 4D E4 0F 42 E3 57 9C 62 F5 F1 00 86 D9 1D 40 EC C7 B8 04 98 08 30 E4 9A 52 D2 F1 CF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4932; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-admin; 
sid:46263; rev:1;)
# The line above is the tail of sid 46263 (SMTP rule for CVE-2018-4932). Layout restored to one rule
# per line; rule text is unchanged.
#
# sid 46262: to_client twin of sid 46263. The whole signature is one fixed byte sequence searched in
# file_data as fast_pattern:only, so it fires only on files that contain exactly these bytes; a file
# that is built differently would presumably not match.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player use after free attempt"; flow:to_client,established; file_data; content:"|B3 0B CE 07 4D E4 0F 42 E3 57 9C 62 F5 F1 00 86 D9 1D 40 EC C7 B8 04 98 08 30 E4 9A 52 D2 F1 CF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4932; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-admin; sid:46262; rev:1;)
# sids 46261 / 46260 (CVE-2018-4936): commented out; gated on the file.swf flowbit. Structure check
# rather than a fixed sample: a 2-byte anchor |BF 03|, then byte_test reads one byte 6 bytes past the
# anchor, masks it with 0xF0 and compares it with 7 (Snort right-shifts the masked value by the mask's
# trailing zero bits, so this tests the upper nibble), then |00 00 FF E2| 11 bytes past the anchor.
# byte_test does not move the cursor, so both offsets are relative to |BF 03|.
# NOTE(review): the only content anchors are 2 and 4 bytes long and none is marked fast_pattern;
# short anchors like these are a common source of false positives and load - presumably why the
# pair ships disabled; confirm before enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|BF 03|"; byte_test:1,=,7,6,relative,bitmask 0xF0; content:"|00 00 FF E2|"; within:4; distance:11; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4936; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46261; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BF 03|"; byte_test:1,=,7,6,relative,bitmask 0xF0; content:"|00 00 FF E2|"; within:4; distance:11; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4936; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46260; rev:2;)
# sid 46259 (options continue on the following line): commented out, SMTP direction, one fixed byte
# sequence in file_data.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player MovieClip out of bounds write attempt"; flow:to_server,established; file_data; content:"|09 0A 93 02 F1 10 F0 10 D0 30 F0 10 D0 49 00 F0 13 60 0B 60 0B 66 0C 61 0D F0 14 60 0A 60 0E 66|"; 
fast_pattern:only; metadata:service smtp; reference:cve,2018-4935; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46259; rev:1;)
# The line above is the tail of sid 46259 (SMTP MovieClip out of bounds write rule, commented out).
# Layout restored to one rule per line; rule text is unchanged.
#
# sid 46258: to_client twin of sid 46259; commented out, metadata names services only (no policy).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player MovieClip out of bounds write attempt"; flow:to_client,established; file_data; content:"|09 0A 93 02 F1 10 F0 10 D0 30 F0 10 D0 49 00 F0 13 60 0B 60 0B 66 0C 61 0D F0 14 60 0A 60 0E 66|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4934; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46258; rev:1;)
# sids 46257 / 46256 (CVE-2018-4934): commented out. The 16-byte content with depth:16 pins the PNG
# signature, a chunk length of 0x0D and the "IHDR" tag to the very start of file_data. byte_test then
# reads a 4-byte big-endian value 17 bytes past that match and fires when it exceeds 0x10000000.
# Presumably that position is the length field of the chunk after IHDR (13 data bytes + 4 CRC bytes)
# - confirm against the PNG layout.
# NOTE(review): neither rule checks a flowbit, so any PNG seen in file_data is evaluated, not only
# images loaded by Flash content. sid 46256 also lacks the reference:url that sid 46257 carries.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; depth:16; byte_test:4,>,0x10000000,17,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-4934; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46257; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; depth:16; byte_test:4,>,0x10000000,17,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4934; classtype:attempted-user; sid:46256; rev:1;)
# sid 46255 (options continue on the following line): enabled SMTP rule for the same CVE, gated on the
# file.swf flowbit and keyed on one fixed byte sequence instead of the PNG header check above.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|07 02 11 07 05 12 07 02 15 07 02 16 07 02 18 07 03 19 07 02 1A 07 06 10 07 02 1C 07 07 1D 07 02|"; fast_pattern:only; 
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4934; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46255; rev:1;)
# The line above is the tail of sid 46255 (SMTP rule for CVE-2018-4934). Layout restored to one rule
# per line; rule text is unchanged.
#
# sid 46254: to_client twin of sid 46255; same fixed byte sequence, gated on the file.swf flowbit.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|07 02 11 07 05 12 07 02 15 07 02 16 07 02 18 07 03 19 07 02 1A 07 06 10 07 02 1C 07 07 1D 07 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4934; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46254; rev:1;)
# sid 46324 (CVE-2018-4878): SMTP direction, one fixed byte sequence in file_data, no flowbit gate.
# NOTE(review): metadata lists balanced-ips and security-ips but not max-detect-ips, unlike the other
# enabled rules next to it - confirm the omission is intended. No to_client rule with this byte
# sequence appears next to it.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt"; flow:to_server,established; file_data; content:"|C6 B9 F7 2C DF F3 3D DF F3 3D E7 7C B7 73 27 9D 1C F5 A2 68 8C 2A D4 31 08 A1 FE 69 E8 CA B0 13|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4878; reference:url,helpx.adobe.com/security/products/flash-player/apsa18-01.html; classtype:attempted-user; sid:46324; rev:1;)
# sid 46599 (options continue on the following line): SMTP rule gated on the file.swf flowbit. Three
# NUL-prefixed names are searched without positional constraints ("ASnative" is the fast pattern),
# followed by |1C 96|, then |3D| within 25 bytes of it, then |52 17| at a fixed gap (distance:5,
# within:2) after |3D|.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00|createEmptyMovieClip"; content:"|00|ASnative"; fast_pattern:only; content:"|00|call"; content:"|1C 96|"; content:"|3D|"; within:25; content:"|52 17|"; within:2; distance:5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4944; reference:cve,2018-4945; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb18-16.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-19.html; classtype:attempted-user; sid:46599; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00|createEmptyMovieClip"; content:"|00|ASnative"; fast_pattern:only; content:"|00|call"; content:"|1C 96|"; content:"|3D|"; within:25; content:"|52 17|"; within:2; distance:5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4944; reference:cve,2018-4945; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-16.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-19.html; classtype:attempted-user; sid:46598; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player out of bounds write attempt"; flow:to_server,established; file_data; content:"|18 CD 01 DD 28 3A EE 0D E0 8F 81 A1 D3 0C 8F 1D 92 AE 92 90 BE 4B 9A EF 5E 69 7A 2B 64 FC 55 E2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5002; classtype:attempted-user; sid:46920; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player out of bounds write attempt"; flow:to_client,established; file_data; content:"|18 CD 01 DD 28 3A EE 0D E0 8F 81 A1 D3 0C 8F 1D 92 AE 92 90 BE 4B 9A EF 5E 69 7A 2B 64 FC 55 E2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5002; classtype:attempted-user; sid:46919; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
(msg:"FILE-FLASH Adobe Flash Player out of bounds write attempt"; flow:to_server,established; file_data; content:"|E3 01 02 42 03 48 D0 5D E3 01 D1 24 10 4A E3 01 02 5D CE 03 D2 24 10 46 CE 03 02 5D E3 01 D3 24|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5002; classtype:attempted-user; sid:46918; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player out of bounds write attempt"; flow:to_client,established; file_data; content:"|E3 01 02 42 03 48 D0 5D E3 01 D1 24 10 4A E3 01 02 5D CE 03 D2 24 10 46 CE 03 02 5D E3 01 D3 24|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5002; classtype:attempted-user; sid:46917; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|96 10 00 04 02 03 04 04 04 03 07 04 00 00 00 04 03 08 0C 52 17 99 02 00 2A 00 96 02 00 08 05 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5001; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-19.html; classtype:attempted-user; sid:46950; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|96 10 00 04 02 03 04 04 04 03 07 04 00 00 00 04 03 08 0C 52 17 99 02 00 2A 00 96 02 00 08 05 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5001; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb18-19.html; classtype:attempted-user; sid:46949; rev:1;)
# The line above is the tail of sid 46949 (SMTP rule for CVE-2018-5001). Layout restored to one rule
# per line; rule text is unchanged. Every rule below is commented out.
#
# sids 47834 / 47833 (CVE-2018-15967): gated on the file.exe flowbit, not file.swf. The whole
# signature is the case-sensitive ASCII string "BrokerCreateFile" in file_data, so any executable that
# contains that string matches.
# NOTE(review): a single symbol-name string is a broad indicator; presumably that is why the pair
# ships disabled - review false positives before enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player COM server BrokerCreateFile sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"BrokerCreateFile"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15967; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-31.html; classtype:attempted-user; sid:47834; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player COM server BrokerCreateFile sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"BrokerCreateFile"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15967; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-31.html; classtype:attempted-user; sid:47833; rev:1;)
# sids 47787 / 47786 (CVE-2018-5002): relative byte chain. |10 20 00 00| is found first, then
# |35 29 47 01 00| at a fixed gap of 34 bytes after it, then |2D| with distance:-7, i.e. the cursor
# steps back 7 bytes from the end of the 5-byte match, which puts |2D| 2 bytes before that match.
# NOTE(review): the pair identifies the file type differently. sid 47787 relies on
# flowbits:isset,file.swf; sid 47786 has no flowbit and instead requires the literal "FWS" in the
# first 3 bytes of file_data, which is the uncompressed SWF signature. Confirm the two directions are
# meant to differ. sid 47787 also carries only the CVE reference, while sid 47786 adds a bulletin URL.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|10 20 00 00|"; content:"|35 29 47 01 00|"; within:5; distance:34; content:"|2D|"; within:1; distance:-7; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5002; classtype:attempted-user; sid:47787; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player out of bounds write attempt"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"|10 20 00 00|"; content:"|35 29 47 01 00|"; within:5; distance:34; content:"|2D|"; within:1; distance:-7; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; 
reference:cve,2018-5002; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-19.html; classtype:attempted-user; sid:47786; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"Vector"; nocase; content:"String"; within:20; nocase; content:"|60 03 60 04 53 01 F0 0E 2C 02 2C 02 2C 02 42 03 80 05 D5 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12826; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-25.html; classtype:attempted-user; sid:47532; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"Vector"; nocase; content:"String"; within:20; nocase; content:"|60 03 60 04 53 01 F0 0E 2C 02 2C 02 2C 02 42 03 80 05 D5 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12826; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-25.html; classtype:attempted-user; sid:47531; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ActionScript NetConnection type confusion attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"NetConnection|00|"; content:"__constructor__|00|"; fast_pattern:only; content:"watch|00|"; content:"__proto__|00|"; content:"|96 01 00 03|"; content:"|43 4F 96|"; within:50; content:"|1C 4F 96|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5007; 
reference:url,helpx.adobe.com/security/products/flash-player/APSB18-24.html; classtype:attempted-user; sid:47192; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript NetConnection type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"NetConnection|00|"; content:"__constructor__|00|"; fast_pattern:only; content:"watch|00|"; content:"__proto__|00|"; content:"|96 01 00 03|"; content:"|43 4F 96|"; within:50; content:"|1C 4F 96|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5007; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-24.html; classtype:attempted-user; sid:47191; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed ActionSetTarget record information disclosure attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|8B 0A 00 73 69 67 6E 61 6C 5F 6D 11 1A 8D E9 67 CD 87 1C 87 57 45 88 9D 3D 42 75 F1 CF 3C F3 99|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5008; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-24.html; classtype:attempted-user; sid:47128; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed ActionSetTarget record information disclosure attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|8B 0A 00 73 69 67 6E 61 6C 5F 6D 11 1A 8D E9 67 CD 87 1C 87 57 45 88 9D 3D 42 75 F1 CF 3C F3 99|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5008; 
reference:url,helpx.adobe.com/security/products/flash-player/APSB18-24.html; classtype:attempted-user; sid:47127; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player out of bounds read attempt"; flow:to_server,established; file_data; content:"|4A 03 00 80 03 D5 D1 2C 07 61 04 D1 26 61 05 5D 06 24 01 2A 4A 06 02 D1 5D 07 4A 07 00 4F 08 02 47|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-15978; classtype:attempted-recon; sid:48401; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player out of bounds read attempt"; flow:to_client,established; file_data; content:"|4A 03 00 80 03 D5 D1 2C 07 61 04 D1 26 61 05 5D 06 24 01 2A 4A 06 02 D1 5D 07 4A 07 00 4F 08 02 47|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-15978; classtype:attempted-recon; sid:48400; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player AVM type confusion attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|D0 30|"; content:"|D0 1C 24|"; within:20; content:"|03 02|"; within:4; content:"|30|"; within:20; content:"|5E|"; within:4; content:"|6C|"; within:4; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15981; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-44.html; classtype:attempted-user; sid:48426; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player AVM type confusion attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|D0 30|"; content:"|D0 1C 24|"; within:20; content:"|03 02|"; within:4; content:"|30|"; within:20; content:"|5E|"; within:4; content:"|6C|"; within:4; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15981; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb18-44.html; classtype:attempted-user; sid:48425; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"com.adobe.tvsdk.mediacore.metadata"; fast_pattern:only; content:"|4A 0F 00 61 1B F0 38 D2 75 91 74 D6 D2 D0 F0 35 66 07 15 E1 FF FF 47|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15982; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-42.html; classtype:attempted-user; sid:48496; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"com.adobe.tvsdk.mediacore.metadata"; fast_pattern:only; content:"|4A 0F 00 61 1B F0 38 D2 75 91 74 D6 D2 D0 F0 35 66 07 15 E1 FF FF 47|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15982; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-42.html; classtype:attempted-user; sid:48495; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt"; flow:to_server,established; file_data; content:"|0F 79 61 BC 38 84 D1 69 DC B0 2C E3 6B 19 3E 44 AF 8C 99 78 A1 0D 3F 04 0B 53 40 F4 17 AD 1F 86|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15982; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-42.html; classtype:attempted-user; sid:48494; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TVSDK metadata use 
after free attempt"; flow:to_server,established; file_data; content:"|21 89 98 36 3B DB 1F BB 53 5F FB DD 8F F3 75 CF 3D F7 DC 73 AE 1E 52 E2 D5 FC B7 2F 7D B5 F4 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15982; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-42.html; classtype:attempted-user; sid:48493; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt"; flow:to_client,established; file_data; content:"|0F 79 61 BC 38 84 D1 69 DC B0 2C E3 6B 19 3E 44 AF 8C 99 78 A1 0D 3F 04 0B 53 40 F4 17 AD 1F 86|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15982; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-42.html; classtype:attempted-user; sid:48492; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt"; flow:to_client,established; file_data; content:"|21 89 98 36 3B DB 1F BB 53 5F FB DD 8F F3 75 CF 3D F7 DC 73 AE 1E 52 E2 D5 FC B7 2F 7D B5 F4 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15982; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-42.html; classtype:attempted-user; sid:48491; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"com.adobe.tvsdk.mediacore.metadata"; fast_pattern:only; content:"keySet"; content:"setObject"; metadata:policy max-detect-ips drop, policy security-ips 
drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15982; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-42.html; classtype:attempted-user; sid:48567; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"com.adobe.tvsdk.mediacore.metadata"; fast_pattern:only; content:"keySet"; content:"setObject"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15982; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-42.html; classtype:attempted-user; sid:48566; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt"; flow:to_server,established; file_data; content:"com.adobe.tvsdk.mediacore.metadata"; fast_pattern:only; content:"|06|keySet"; content:"|09|setObject"; content:"|06|Vector"; pcre:"/\x5d(?P.{1}).{0,5}\x4a(?P=findpropstrict_oprnd_1)\x00.{0,10}\x20.{20,35}\x4f.{1}\x02.{1,5}\x91(\x74|\x75)/"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-15982; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-42.html; classtype:attempted-user; sid:48906; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt"; flow:to_client,established; file_data; content:"com.adobe.tvsdk.mediacore.metadata"; fast_pattern:only; content:"|06|keySet"; content:"|09|setObject"; content:"|06|Vector"; pcre:"/\x5d(?P.{1}).{0,5}\x4a(?P=findpropstrict_oprnd_1)\x00.{0,10}\x20.{20,35}\x4f.{1}\x02.{1,5}\x91(\x74|\x75)/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15982; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-42.html; classtype:attempted-user; 
sid:48905; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player drawTriangles out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|4F 0F 05 65 01 24 00 6D 05 10 13 00 00 09 65 01 6C 04 64 41 00 29 65 01 6C 05 C0 65 01 2B 6D 05 65 01 6C 05 25 AA 01 15 E2 FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7090; reference:url,helpx.adobe.com/security/products/flash-player/apsb19-06.html; classtype:attempted-user; sid:49232; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player drawTriangles out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|4F 0F 05 65 01 24 00 6D 05 10 13 00 00 09 65 01 6C 04 64 41 00 29 65 01 6C 05 C0 65 01 2B 6D 05 65 01 6C 05 25 AA 01 15 E2 FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7090; reference:url,helpx.adobe.com/security/products/flash-player/apsb19-06.html; classtype:attempted-user; sid:49231; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_client,established; file_data; content:"|D6 53 0B 0B DE 7A F6 FC C9 1B F3 C7 F6 66 DD DC EA 7F 83 EB 8E 2B E2 77 9D E2 F1 8A 33 C9 FC D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7645; reference:cve,2015-7647; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; classtype:attempted-user; sid:49312; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player writeExternal type confusion attempt"; flow:to_server,established; file_data; content:"|D6 53 0B 0B DE 7A F6 FC 
C9 1B F3 C7 F6 66 DD DC EA 7F 83 EB 8E 2B E2 77 9D E2 F1 8A 33 C9 FC D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7645; reference:cve,2015-7647; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-05.html; classtype:attempted-user; sid:49311; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|09|ByteArray"; content:"|0A|uncompress"; content:"|11|setSharedProperty"; fast_pattern:only; content:"|09|shareable"; content:"|06|Worker"; metadata:service smtp; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:49586; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|09|ByteArray"; content:"|0A|uncompress"; content:"|11|setSharedProperty"; fast_pattern:only; content:"|09|shareable"; content:"|06|Worker"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:49585; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|09|ByteArray"; content:"|07|inflate"; content:"|11|setSharedProperty"; fast_pattern:only; content:"|09|shareable"; content:"|06|Worker"; metadata:service smtp; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:49584; rev:1;) # alert 
tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|09|ByteArray"; content:"|07|inflate"; content:"|11|setSharedProperty"; fast_pattern:only; content:"|09|shareable"; content:"|06|Worker"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-8440; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-24.html; classtype:attempted-user; sid:49583; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt"; flow:to_server,established; file_data; content:"|76 7F 5D 66 9C B9 F8 65 F5 94 34 B4 5F D0 A4 95 98 6F CC 05 41 14 77 64 64 BE C0 1A 5D 06 15 41 AA B1 AF 0F B8 22 2E 9F BD 47 F7 5C B3 92 65 29 64 46 1B 2E 06 8C C1 78|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0318; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:49656; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt"; flow:to_client,established; file_data; content:"|5E 28 02 2A 29 03 28 41 29 01 5C 02 34 31 01 41 01|"; content:"|03 EC 82 80 09 2A 29 3F 28 3F 37 30 29 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0318; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:49655; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt"; flow:to_server,established; file_data; content:"|5E 28 02 2A 29 03 28 41 29 01 5C 02 34 31 01 41 
01|"; content:"|03 EC 82 80 09 2A 29 3F 28 3F 37 30 29 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0318; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:denial-of-service; sid:49654; rev:1;)