# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. # # This file contains (i) proprietary rules that were created, tested and certified by # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by # Sourcefire and other third parties (the "GPL Rules") that are distributed under the # GNU General Public License (GPL), v2. # # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a # list of third party owners and their respective copyrights. # # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer # to the VRT Certified Rules License Agreement (v2.0). # #------------------- # FILE-OFFICE RULES #------------------- # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel malformed CellXF memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|E0 00 14 00|"; byte_test:2,<=,0x3FE,0,relative,little; byte_test:2,<=,0x188,2,relative,little; byte_test:1,!&,0x20,4,relative; content:!"|FF|"; within:1; distance:7; byte_test:1,>,0xB5,7,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-014; classtype:attempted-user; sid:41582; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed CellXF memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|E0 00 14 00|"; byte_test:2,<=,0x3FE,0,relative,little; byte_test:2,<=,0x188,2,relative,little; byte_test:1,!&,0x20,4,relative; content:!"|FF|"; within:1; distance:7; byte_test:1,>,0xB5,7,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-014; classtype:attempted-user; sid:41581; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF footnote format use after free attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|rtlch"; nocase; content:"|5C|fcs1"; within:50; nocase; content:!"|5C|af"; within:50; nocase; content:"|5C|ltrch"; within:50; nocase; content:!"|5C|fcs"; within:50; nocase; content:"|5C|chftnsep"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-014; classtype:attempted-user; sid:41578; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF footnote format use after free attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|rtlch"; nocase; content:"|5C|fcs1"; within:50; nocase; content:!"|5C|af"; within:50; nocase; content:"|5C|ltrch"; within:50; nocase; content:!"|5C|fcs"; within:50; nocase; content:"|5C|chftnsep"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-014; classtype:attempted-user; sid:41577; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt"; flow:to_server,established; file_data; content:"|10 49 66 65 56 CA 50 89 08 A1 12 49 89 D4 57 9D D3 71 ED EF FF F9 F6 7B D6 3A 6B E9 D4 CA BB 0F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-014; classtype:attempted-user; sid:41566; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt"; flow:to_client,established; file_data; content:"|10 49 66 65 56 CA 50 89 08 A1 12 49 89 D4 57 9D D3 71 ED EF FF F9 F6 7B D6 3A 6B E9 D4 CA BB 0F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-014; classtype:attempted-user; sid:41565; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office imjp12k.dll dll-load exploit attempt"; flow:to_server,established; content:"/imjp12k.dll"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2017-0039; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41564; rev:4;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office request for imjp12k.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"i|00|m|00|j|00|p|00|1|00|2|00|k|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2017-0039; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41563; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Works 4.x converter font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"Timesffffffffff|01 10 12|fffff ffffffffffff|02 00 FF|fffff fffffffffffff|03 10 15|fffffffffffffffffffff|04 10 13|fffffffffffffffffffffffffffffffffffffffffffff|29 06 10 18|ffffffffffffffffffffffff|07 10 16|ffffffffffffffffffffff|08 10 1C|ffffffffffffffffffffffffffff|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-1533; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-024; classtype:attempted-user; sid:15526; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office WordPad and Office Text Converters XST parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 90|hNIr|8F 1E 23 FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F 00 00 01 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0D 10 00 00 0F 84|h|01 11 84 98 FE|^|84|h|01|`|84 98 FE|o|28 00 87|h|00 00 00 00 88|H|00 00|BB"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:15455; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Converter XST structure buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|5F B3 AC 33 42 1E DA DE 51 CA FA 0D 4F 71 3C 4B BE EC 72 87 2B 4D 06 22 A7 4C 49 75 6A E0 37 20 BB 29 CB A9 2E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-010; classtype:attempted-user; sid:17406; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Converter XST structure buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 00 0D 10 00 00 0F 84 D0 02 11 84 98 FE 5E 84 D0 02 60 84 98 FE 6F 28 00 87 68 00 00 00 00 88 48 00 00 1F 05|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-010; classtype:attempted-user; sid:17405; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SLK file excessive Picture records exploit attempt"; flow:to_client,established; flowbits:isset,file.slk; file_data; content:"|0D 0A|P|3B|FABC"; content:"|0D 0A|P|3B|FABC"; distance:0; content:"|0D 0A|P|3B|FABC"; distance:0; content:"|0D 0A|P|3B|FABC"; distance:0; content:"|0D 0A|P|3B|FABC"; distance:0; content:"|0D 0A|P|3B|FABC"; distance:0; pcre:"/(\x0d\x0aP\x3bFABC\d{3}){200}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1276; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:19229; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ObjBiff exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|00 14|"; within:8; content:"|00 01 06 00 00|"; within:55; byte_test:1,!=,0x02,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1272; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:19200; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel GhostRw record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|20 00 05 19 40 00 01 1E 01 00 19 40 00 01 03 1F 00 00 00 00 00 00 10 41 1E 00 04 05 19 40 00 01 1E 01 00 19 40 00 01 03 1E 10 00 1E 00 01 05 19 40|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-3242; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17763; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word unchecked index value remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|E0 10 11 84 00 00 15 C6 05 00 01 48 12 06 5E 84 E0 10 60 84 00 00 6F 28 00 87 68 00 00 00 00 88|"; fast_pattern:only; content:"|0F 84 1C 11 11 84 4C FF 15 C6 05 00 01 1C 11 06|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-3219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-079; classtype:attempted-user; sid:17755; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word bookmark bound check remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 62 00 00 00 75 00 00 00 7E 00 00 00 8A 00 00 00 02 00 00 00 02 00 00 00 00 00 02 00 01|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-3216; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-079; classtype:attempted-user; sid:17754; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio improper attribute code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|19 00 1A 00 1B 00 1C 00 1D 00 1E 00 1F 00| |00|h|00 00 00 02|U|00 00 F8 00 00 00 00 00 00 00|@"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-0254; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-028; classtype:attempted-user; sid:16535; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio off-by-one in array index code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"h|00 07 00 01|T|00 00 C8 01 00 00 00 00 00 00|I|00 00 00 00 00 00 F0|?A|00 00 00 00 00 00 E0|?A|00 00 00 00 00 00 B0|?A|00 00 00 00 00 00 B0 BF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-0256; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-028; classtype:attempted-user; sid:16536; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt"; flow:to_client,established; file_data; content:"|94|!|00 00 14 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 00 00|V|00|@|03| |00 00 00 03 00 04 00 00 00 00 00 00 00 00 00 04 00 00 00 0A 00 00 00 17 00|@|0B| |00 00 00 03 00 04 00 00 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-0102; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-074; classtype:attempted-user; sid:16328; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|C0 00 00 00 16 00 00 00 C8 00 00 00 0D 00 00 00 D0 00 00 00 0C 00 00 00 E1 00 00 00|"; byte_test:4,>,357913941,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2506; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-073; classtype:attempted-user; sid:16314; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel GDI+ Office Art Property Table remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"3|01 0B F0 8C 02 00 00 7F 00 08 00 08 00|E|C1 A8 01 00 00|F|C1 1C 00 00 00|Q|C1|&|00 00 00|U|C1 00 00 00 00|V|C1 00 00 00 00|W|C1 16 00 00 00|V|00|AAAA"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16178; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 0D 0A 11|h|01 13 98 FE 0C|4|00 FF 8F 08 00 00 FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0565; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:15525; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word GDI+ Office Art Property Table remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"c|00 0B F0 24 00 00 00 7F 00 04 00 04 00|X|01 00 00 00 00|V|00|AAAA"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16177; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 E9 62 F9 FF FF 13 98 FE 0C|4|00 FF 8F FF E7 40 40 40|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0565; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:17691; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel oversized ptgFuncVar cparams value buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00|J|00|"; content:"|03 1E 0A 00|B|04|G|00|"; within:8; distance:66; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3132; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16233; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ptg index parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00 05 1E 02 00 1E 03 00 05 1E 04 00 05 1E 05 00 05 1E 06 00 05 1E 03 00 1E 04 00|B|04|G|00 D7 00 06 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3132; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16553; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel integer field in row record improper validation remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|08 00|P|00 00 FF 00 00 0A AA|A|8D 86 84|7|0E FF FF 00 00 00 00 00 FE 0D|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16226; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel file SXDB record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|C6 00 1A 00|2|00 00 00 01 00|!|00 FF 07 FE FF 04 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16235; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word .rtf file double free attempt"; flow:to_client,established; file_data; content:"|7B 5C|rtf"; depth:5; content:"|5C|do"; fast_pattern; content:"|5C|do"; within:5; pcre:"/\x5Cdo[\x20\x7D].{0,5}\x5Cdo[\x20\x7D]/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2008-4027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:attempted-user; sid:15083; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel file Window/Pane record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:">|02 12 00 B6 06 00 00 00 00|@|00 00 00 00 00 00 00 00 00 00 00 1D 00 0F 00 03 0D 00 03 00 00 00 01 00 0D 00 0D 00 03 03|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3133; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16240; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|F6 03 00 00 FF 7F 12 D6 FC 12 D6 FC|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:15524; rev:13;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint with embedded Flash file attachment"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"S|00|h|00|o|00|c|00|k|00|w|00|a|00|v|00|e|00| F|00|l|00|a|00|s|00|h O|00|b|00|j|00|e|00|c|00|t|00|"; fast_pattern:only; metadata:service smtp; classtype:attempted-user; sid:18550; rev:14;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt"; flow:to_server,established; flowbits:isset,file.xls; content:"RldTC"; fast_pattern:only; pcre:"/RldTC[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv][A-Za-z0-9\\x2b\x2f][A-Za-z0-9\\x2b\x2f]/"; metadata:service smtp; classtype:attempted-user; sid:19067; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt"; flow:to_server,established; flowbits:isset,file.xls; content:"Q1dTC"; fast_pattern:only; pcre:"/Q1dTC[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv][A-Za-z0-9\\x2b\x2f][A-Za-z0-9\\x2b\x2f]/"; metadata:service smtp; classtype:attempted-user; sid:19070; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt"; flow:to_server,established; flowbits:isset,file.xls; content:"DV1M"; fast_pattern:only; pcre:"/[A-Za-z0-9\\x2b\x2f][A-Za-z0-9\\x2b\x2f][BFJNRVZdhlptx159]DV1M[IJK]/"; metadata:service smtp; classtype:attempted-user; sid:19068; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt"; flow:to_server,established; flowbits:isset,file.xls; content:"NXUw"; fast_pattern:only; pcre:"/[A-Za-z0-9\\x2b\x2f][EUk0]NXUw[ghijklmnopqr][A-Za-z0-9\\x2b\x2f]/"; metadata:service smtp; classtype:attempted-user; sid:19069; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word document with embedded TrueType font"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|EC A5 C1 00|"; isdataat:646,relative; content:!"|00 00 00 00 00 00 00 00|"; within:8; distance:638; metadata:service ftp-data, service http, service imap, service pop3; reference:url,msdn.microsoft.com/en-us/library/cc313153(v=office.12).aspx; classtype:policy-violation; sid:20540; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Smart Tags code execution attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|EC A5 C1 00|"; depth:4; offset:512; content:"|0E 00|"; within:2; distance:28; content:"|16 00|"; within:2; distance:28; byte_jump:2,-2,relative,little,multiplier 4; pcre:"/^[\xa4\x88\xb7]\x00/R"; byte_test:4,!=,0,920,relative,little; byte_test:4,>,0,924,relative,little; byte_test:4,<,4,924,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,18037; reference:cve,2006-2492; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-027; classtype:attempted-user; sid:21674; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Smart Tags code execution attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|00 00 C8 04 00 00 A9 56 00 00 6A 03 00 00 89 29 00 00 00 00 00 00 13 60 00 00 BC 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,18037; reference:cve,2006-2492; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-027; classtype:attempted-user; sid:21677; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Smart Tags code execution attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|EC A5 C1 00|"; depth:4; offset:512; content:"|0E 00|"; within:2; distance:28; content:"|16 00|"; within:2; distance:28; byte_jump:2,-2,relative,little,multiplier 4; pcre:"/^[\xa4\x88\xb7]\x00/R"; byte_test:4,>,0x1000,920,relative,little; byte_extract:4,920,fcPlcBkfFactoid,relative,little; byte_test:4,<,fcPlcBkfFactoid,12,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,18037; reference:cve,2006-2492; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-027; classtype:attempted-user; sid:21675; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Smart Tags code execution attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|EC A5 C1 00|"; depth:4; offset:512; content:"|0E 00|"; within:2; distance:28; content:"|16 00|"; within:2; distance:28; byte_jump:2,-2,relative,little,multiplier 4; pcre:"/^[\xa4\x88\xb7]\x00/R"; byte_test:4,!=,0,920,relative,little; byte_test:4,>,0x1000,924,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,18037; reference:cve,2006-2492; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-027; classtype:attempted-user; sid:21676; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|pptimpconv.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3337; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18071; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Lbl record stack overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|18 00|"; byte_test:1,>,0x7f,5,relative; content:"|00 00|"; within:2; distance:7; content:"|00 00 00 00|"; within:4; distance:2; byte_jump:2,-15,relative,little; pcre:"/^([\x18\xDE\x19\xEB\xFC\xFF]\x00|[\x94\x99\x93\x13\x66]\x08|\xC1\x01)/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-1251; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16655; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word unicode parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|AA AA AA AA AA AA AA AA AA AA|"; content:"|F0 12 BF 00 00 00 00 00 00 10 00 00 00 00 00 06 00 00 01 08 00 00 0E 00 62 6A 62 6A AC 9B AC 9B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2004-0963; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-023; classtype:attempted-user; sid:21764; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"CHNKWKS "; content:"|F8 01|"; within:2; distance:16; byte_test:2,>,0x18,6,relative; content:!"|18 00|"; within:2; distance:6; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0177; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-028; classtype:attempted-user; sid:21794; rev:8;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt"; flow:to_server,established; content:"p|00|p|00|t|00|i|00|m|00|p|00|c|00|o|00|n|00|v|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3337; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18070; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint OfficeArt atom memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; content:"P|00|o|00|w|00|e|00|r|00|P|00|o|00|i|00|n|00|t|00 20 00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|"; nocase; content:"|00 00 00 00 0A 04 04 00 00 00|"; byte_extract:4,0,ref,little,relative; content:"|00 00 00 00 C1 0B|"; byte_test:4,>,4,0,little,relative; byte_test:4,=,ref,4,little,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0976; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:18637; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Outlook Saved Search download attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"S|00|a|00|v|00|e|00|d|00|S|00|e|00|a|00|r|00|c|00|h|00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-003; classtype:attempted-user; sid:9847; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office BMP header biClrUsed integer overflow attempt"; flow:to_client,established; flowbits:isset,file.bmp; file_data; content:"BM"; fast_pattern; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4,>,536870911,36,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36651; reference:cve,2009-2518; classtype:attempted-admin; sid:16361; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint MCAtom remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|F9 0F 04 00 00 00|"; byte_test:4,>,2147483646,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,20495; reference:cve,2006-5296; classtype:attempted-user; sid:17320; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint MCAtom remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|FA 0F 04 00 00 00|"; byte_test:4,>,2147483646,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,20495; reference:cve,2006-5296; classtype:attempted-user; sid:17319; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"|EC A5|"; within:2; distance:504; byte_test:4,>,0xFFFF,114,relative,little; content:"|00 00 00 00|"; within:4; distance:12; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,21589; reference:cve,2006-6561; classtype:attempted-user; sid:17505; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"|EC A5|"; within:2; distance:504; byte_test:4,>,0xFFFF,138,relative,little; content:"|00 00 00 00|"; within:4; distance:12; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,21589; reference:cve,2006-6561; classtype:attempted-user; sid:17507; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint Legacy file format picture object code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|FF 03 00 00 00 60 16 8F 10 00 00 00 00 5F 07 90 08 28 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34834; reference:cve,2009-0223; classtype:attempted-user; sid:17646; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office GIF image descriptor memory corruption attempt"; flow:to_client,established; file_data; content:"GIF8"; depth:4; content:"a"; within:1; distance:1; byte_test:1,!&,0x80,4,relative; pcre:"/^.{7}\x2C.{5}([\xE0-\xFF]|.{2}[\xE0-\xFF])/sR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18915; reference:bugtraq,22630; reference:cve,2006-0007; reference:cve,2007-1071; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-039; classtype:attempted-user; sid:17664; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Series record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|03 10 0C 00|"; content:"|00 01 00|"; within:3; distance:1; byte_test:1,&,0x80,1,relative,little; content:"|33 10 00 00|"; within:4; distance:8; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1278; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:19231; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office Visio mfc71 dll-load exploit attempt"; flow:to_server,established; content:"|2F|mfc71"; fast_pattern; nocase; http_uri; content:".dll"; within:7; nocase; http_uri; metadata:service http; reference:cve,2010-3148; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-055; classtype:attempted-user; sid:19466; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08|"; fast_pattern; content:!"|00 00|"; within:2; byte_extract:2,0,size_of_record,relative,little; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,size_of_record,0,relative,little; content:"|00|"; within:1; distance:2; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:18633; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Workspace file FontCount record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 04 06 00 00 04 00 01|"; content:"|30 00|"; distance:0; byte_test:2,>,2,0,relative,little; content:"|00 00|"; within:2; distance:2; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0103; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:18634; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher oversized oti length attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|E8 AC|"; content:"|2C 01 04 00|"; within:4; distance:2; byte_test:2,>,94,26,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-3955; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18231; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint file LinkedSlide10Atom record parsing heap corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 E7|.|08 00 00 00|"; byte_jump:4,4,relative,multiplier 16,little; content:"|00 00 E6|.|08 00 00 00|"; within:8; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-0030; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:16410; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel file SxView record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B0 00|"; byte_test:2,>,44,0,relative,little; byte_test:2,<,8225,0,relative,little; byte_test:2,<,11,4,relative,little; byte_test:2,>,10,34,relative,little; byte_jump:2,0,relative,little; pcre:"/^[\xB1\xB4-\xB6\xC5\xF1]\x00/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3128; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16236; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint ParaBuildAtom memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|01 00 09|+|10 00 00 00|"; pcre:"/\x0f\x00[\x04\x06]\x2B.{1,48}\x01\x00\x09\x2b/sm"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-0224; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15501; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint DiagramBuildContainer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 06|+"; pcre:"/.{,48}[\x00\x01]\x00[\x05\x09]\x2B/smR"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-0224; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15502; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio invalid ho tag attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|0D 14 00 03 00 01 00 16 00 03 00 01 01 02 FF 00 A4 02 A7 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33660; reference:cve,2009-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-005; classtype:attempted-user; sid:15299; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel FeatHdr BIFF record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|67 08|"; content:"|67 08 00 00 00 00 00 00 00 00 04 00|"; within:12; distance:2; content:"|04 00 00 00|"; within:4; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3129; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16241; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt"; flow:to_client,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"|FE FF|"; depth:2; offset:28; content:"|DC A5|"; byte_test:2,<,4,138,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:15469; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Document remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|DC A5|"; byte_test:2,<,38,0,relative,little; byte_test:4,>,0,22,relative,little; byte_test:4,<,250,22,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3135; reference:cve,2016-3283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-088; classtype:attempted-user; sid:16234; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Document remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|EC A5|"; byte_test:2,<,38,0,relative,little; byte_test:4,>,0,22,relative,little; byte_test:4,<,250,22,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3135; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-068; classtype:attempted-user; sid:16586; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel oversized ib memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00|"; content:"9A|00|A|00|"; within:5; distance:24; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3131; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16229; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint paragraph format array inner header overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|1C 00 00 00 00 80 41 41 41 41 41 41 95 00 FF FF 64|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34833; reference:cve,2009-0220; classtype:attempted-user; sid:17695; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio Malformed IconBitsComponent arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|00 00| |00| |FF 00 00 14 01 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0095; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-005; classtype:attempted-user; sid:15303; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office eps filters memory corruption attempt"; flow:to_client,established; flowbits:isset,file.eps; file_data; content:"%!PS-Adobe-EPSF-3.0"; fast_pattern:only; content:"|C5 D0 D3 C6|"; depth:4; byte_test:2,>,32767,24,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,30595; reference:cve,2008-3019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-044; classtype:attempted-user; sid:13970; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|C3 0B 08|"; fast_pattern; byte_test:1,<,0x03,0,relative,little; byte_test:1,>,0x18,7,relative,little; content:"|C3 0B|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38104; reference:cve,2010-0032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:20590; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher PLC object memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|1C 00 04 04|"; byte_test:1,!&,2,14,relative; byte_test:1,=,0,15,relative; byte_extract:2,0,ivfMac,little,relative; byte_test:2,>,ivfMac,10,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3412; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-091; classtype:attempted-user; sid:20721; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Outlook VEVENT overflow attempt"; flow:to_client,established; file_data; content:"BEGIN|3A|VEVENT"; fast_pattern; nocase; content:"DTSTART|3B|"; distance:0; nocase; pcre:!"/^(VALUE|TZID)/Ri"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,21931; reference:cve,2007-0033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-003; classtype:attempted-user; sid:21163; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office XP URL Handling Buffer Overflow attempt"; flow:to_server,established; content:"|00|"; http_uri; pcre:"/\w{3}\x25\x30\x30[^\r\n]{2000}/Ii"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12480; reference:cve,2004-0848; classtype:attempted-admin; sid:17568; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office XP URL Handling Buffer Overflow attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"%0a"; http_raw_uri; content:"|0A|"; http_uri; pcre:"/\x2e(doc|rtf|xls|ppt)\n[^\r\n]{500}/U"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12480; reference:cve,2004-0848; classtype:attempted-admin; sid:18284; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher 2007 conversion library code execution attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|01 00 00 00 FF FF FF 7F 01 00 00 80 01 00 00 00 10 0E FE 7F 01 00 00 00 58 00 7C 96 18 CB 7C 96|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,22702; reference:cve,2007-1754; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-037; classtype:attempted-user; sid:16051; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Web Components Spreadsheet ActiveX buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 22|clsid|3A|"; fast_pattern; nocase; content:"0002E51"; distance:0; content:"-0000-0000-C000-000000000046"; within:29; distance:1; pcre:"/0002E51[12]-0000-0000-C000-000000000046\x22/"; content:""; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35992; reference:cve,2009-1534; classtype:attempted-user; sid:16786; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel unspecified memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 0C 00 77 30 30 74 77 30 30 74 77 30 30 74 8C 00 04 00 21 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,15926; classtype:attempted-user; sid:17537; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel unspecified memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 00 0D 10 7E 00 00 00 3B 01 77 00 30 00 30 00 74 00 2C 00 20 00 4D 00 61 00 72 00 63 00 20 00 42 00 65 00 68 00 61 00 72 00 20 00 67 00 69 00 76 00 65 00 73 00 20 00 30 00 2E 00 30 00 31 00 24 00 20 00 62 00 6C 00 6F 00 77 00 6A 00 6F 00 62 00 20 00 61 00 74 00 20 00 65 00 62 00 61 00 79 00 2C 00 20 00 67 00 6F 00 67 00 6F 00 67 00 6F|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,15926; classtype:attempted-user; sid:17539; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel XF record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|E0 00 14 00 00 00 00 00 01 00 22 00 00 F0 00 02 00 00 40 00 00 04 09 20 E0 00 14 00 00 00 00 00 01 FD 22 00 00 D0 00 00 00 00 00 00 00 04 09 20|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1279; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:19232; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Selection exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|1D 00 0F 00 03 AA CC CC 00 00 00 DD DD AA CC CC|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1277; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:19230; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel BIFF8 invalid Selection.cref exploit attempt"; flow:to_client,established; file_data; content:"|1D 00 0F 00 03 00 00 00 00 00 00 00 50 00 00 03 00 00 03 EF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1277; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:19261; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word STSH record parsing memory corruption"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|6D 00 65 00 6C 00 69 00 6B 00 20 00 32 00 39 00 2E 00 30 00 38 00 2E 00 32 00 30 00 30 00 33 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48261; classtype:attempted-user; sid:19607; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word STSH record parsing memory corruption"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 00 00 14 00 0F 00 13 00 01 00 9C 00 0F 00 03 00 00 00 00 00 00 00 00 00 00 40 00 40 F1 FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48261; classtype:attempted-user; sid:19606; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio invalid UMLDTOptions object exploit attempt"; flow:to_client,established; file_data; content:"|7A 0F 8C 0F 28 E8 F3 1E 41 E6 F5 1E ED 24 01 A9 11 76 60 4A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1263; reference:cve,2011-1972; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-060; classtype:attempted-user; sid:19676; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|1F 00 44 F1|"; content:"|27 F1|"; within:8; content:"|0F 00 31 F1|"; within:750; content:"|1F 00 32 F1|"; within:750; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:19811; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ShrFmla record use after free attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|7E 02 0A 00|"; content:"|06 00|"; within:50; distance:10; byte_jump:2,22,relative,little; content:"|BC 04|"; within:2; content:"|00|"; within:1; distance:8; byte_test:2,>,0x820,-9,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49476; reference:cve,2011-1986; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-072; classtype:attempted-user; sid:20123; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SLK file excessive Picture records exploit attempt"; flow:to_client,established; flowbits:isset,file.slk; file_data; content:"|0A|P|3B|PAAAA"; content:"|0A|P|3B|PAAAA"; distance:0; content:"|0A|P|3B|PAAAA"; distance:0; content:"|0A|P|3B|PAAAA"; distance:0; content:"|0A|P|3B|PAAAA"; distance:0; content:"|0A|P|3B|PAAAA"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1276; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:20049; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office BpscBulletProof uninitialized pointer dereference attempt"; flow:to_client,established; file_data; content:"|0F 00 03 18 79 3B 00 00 0F 00 04 F0 48 05 00 00 01 00 09|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1982; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-073; classtype:attempted-user; sid:20129; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel invalid Lbl record"; flow:to_client,established; file_data; flowbits:isset,file.xls; file_data; content:"|0A 00 73 63 65 6E 5F 75 73 65 72 32 17 01 66 03|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1988; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-072; classtype:attempted-user; sid:20126; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel invalid Lbl record"; flow:to_client,established; file_data; flowbits:isset,file.xls; file_data; content:"|29 18 00 28 00 00 40 6D 0A 00 73 63 65 6E 5F 6E|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1988; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-072; classtype:attempted-user; sid:20125; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint SlideAtom record exploit attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|02 00 EF 03 18 00 00 00 07 00 00 00 0D 00 00 00 00 00 00 00 02 00 00 80 5F 01 00 00 07 00 14 30 0F 00 0C 04 A2 03 00 00 0F 00 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0656; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-user; sid:18636; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio deserialization double free attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|FF FF FF FF 00 00 BF 8E 22 BD 3E 68 9C 83 00 00 01 00 1D 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-008; classtype:attempted-user; sid:18415; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|E8 AC|"; content:"|08 20 E0 AC 01 00 09 C0 6E 00 00 00 41 00 41 00|"; within:16; distance:30; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-3954; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18230; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_client,established; file_data; content:"|1F 00 44 F1|"; content:"|27 F1|"; within:8; content:"|0F 00 31 F1|"; within:750; content:"|1F 00 2C F1|"; within:750; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:18635; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Converter sprmTSplit overflow attempt"; flow:to_client,established; file_data; content:"|25 56 00 FF 05 D6 18 04 01 00 00 04 01|"; fast_pattern; content:"|08 D6 1A 00 01 94 FF 2C 22 00 06 98 22|"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,47236; reference:cve,2011-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-033; classtype:attempted-user; sid:18642; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office TIFFIM32.FLT filter memory corruption attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 02 00 03 00 00 FF FF 00 00 0D 00 01 03 00 03 00 00 00 01 00 03 00 00 01 06 00 03 00 00 00 01 00 00 00 00 01 0A 00 03|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-3949; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:18236; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ADO Object Parsing Code Execution"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 FE C1 1E 1C 08 00 00 00 00 00 F9 BF 36 82 AA AA AA AA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40531; reference:cve,2010-1253; classtype:attempted-user; sid:18772; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ADO Object Parsing Code Execution"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|1C 00 03 08 00 00 07 00 01 00 03 00|"; content:"|CD 07 C1 80|"; within:4; distance:42; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40531; reference:cve,2010-1253; classtype:attempted-user; sid:18771; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher 97 conversion remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 FF FF 67 7E 66 00 48 D4 03 00 57 D7 03 00 FF FF 14 00 1A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2571; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18214; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|A7 00|"; content:"|DF D6 D5 3B|"; within:4; distance:11; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:20534; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher Opltc memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|03 00 00 00 02 20 FF FF 00 00 03 20 03 00 00 00 04 20 03 00 00 00 0A 20|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3410; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-091; classtype:attempted-user; sid:20719; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Lel record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|18 01 41 41 41 41 BE 00 12 00 19 01 00 00 1A 00 1B 00 1F 00 28 00 1E 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3403; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-096; classtype:attempted-user; sid:20718; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel use after free attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|01 07 B0 00 41 20 41 20 41 20 0A 03 B0 02 42 00 10 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,aluigi.altervista.org/adv/excel_1-adv.txt; classtype:attempted-user; sid:20885; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel use after free attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|AB 03 00 00 AC 03 00 00 40 03 00 00 AE 03 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,aluigi.altervista.org/adv/excel_1-adv.txt; classtype:attempted-user; sid:20887; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel use after free attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|A8 03 00 00 A9 03 00 00 01 03 00 00 AB 03 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,aluigi.altervista.org/adv/excel_1-adv.txt; classtype:attempted-user; sid:20886; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel window2 record use after free attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|36 DC B6 EC D4 92 4A 43 9F 65 67 65 38 2F 2E 59 0E B4 FB A5 DF 68 F9 E8|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,aluigi.altervista.org/adv/excel_2-adv.txt; classtype:attempted-user; sid:21083; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel window2 record use after free attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 3E 02 12 00 B6 06 00 00 00 7F 40 00 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,aluigi.altervista.org/adv/excel_2-adv.txt; classtype:attempted-user; sid:21082; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel macro validation arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 10 00 00 06 05 00 57 14 CD 07 C9 C0 00 00 06 03 00 00 87 00 00 00 E1 00 02 00 B0 04 FF FF|"; content:"|00 02 00 00 00 AF 01 02 00 00 00 BC 01 02 00 00 00 3D 00 12 00 79 0E 20 0D F3 39 61 26 3C 00 00|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0081; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:attempted-user; sid:21157; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel macro validation arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 10 00 00 06 10 00 B8 1F CD 07 C1 C0 00 00 06 03 00 00 0B 02 10|"; content:"|00 00 00 05 C1 16 00 00 00 31 00 34 00 39 00 38 00 37 00 62 00 79 00 74 00 65 00 73 00 00 00 00|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0081; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:attempted-user; sid:21156; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel macro validation arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 10 00 00 06 05 00 C2 28 CD 07 C9 80 00 00 06 02 00 00 DF 00 02 00 B0 04 C1 00 02 00 00 00|"; content:"|13 00 02 00 00 00 AF 01 02 00 00 00 BC 01 02 00 00 00 3D 00 12 00 78 00 3C 00 4C 2C 81 24 38 00|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0081; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:attempted-user; sid:21158; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio invalid row option attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|C4 01 00 00 00 00 00 00 00 03 18 00 00 00 00 00 FF FF FF 00 FF 00 00 00 00 FF 00 00 00 00 FF 00 FF FF 00 00 FF 00 FF 00 00 FF FF 00 80 00 00 00 00|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0138; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-015; classtype:attempted-user; sid:21291; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio corrupted compressed data memory corruption attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|FF 00 00 6C 0B 00 00 C9 00 FF 44 00 24 F7 1D 01 4D 19 F7 00 00 06 EB F0 3F 00 56 00 5F 54 FB 1D|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0137; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-015; classtype:attempted-user; sid:21293; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel MergeCells record parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|E5 00 32 00 06 00 04 00 04 00 00 00 04 00 00 00 04 00 05 00 00 02 00 00 00 00 02 00 04 00 02 00 02 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43652; reference:cve,2010-3237; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:21414; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SXDB memory corruption"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 FF FF B2 00 08 00 AA AA AA AA 03 00 FF FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36943; reference:cve,2009-3127; classtype:attempted-user; sid:21503; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|1F 00 44 F1|"; content:"|27 F1|"; within:8; content:"|0F 00 2E F1|"; within:750; content:"|0F 00 2E F1|"; within:750; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:21647; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fodbcConn parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B0 F3 E0 71 2D B6 2D 9E 9F AC CF BB 47 FC F3 F8 FF 79 F1 CA EA DB 59 A7 2C 9B 7F 7C E5 CD B9 61 5B 6C BD 2E 77 3A BF FC|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:21930; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; flowbits:isnotset,cve.2008-4265; file_data; content:"|5D 00|"; depth:5000; content:"|00 00 00 00|"; within:4; distance:12; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; content:"|B6 01|"; within:300; distance:-300; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32618; reference:cve,2008-4265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-074; classtype:attempted-user; sid:21932; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fodbcConn parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|E2 72 E9 8C B1 C7 D2 C3 DC B8 BB B9 3A E6 EF 8C 59 DC 28 FE 65 BF 1F 53 D2 6F C2 CE 03 2E 9F EB 7C 73 9C 70 8E E3 14 AC|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:21929; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|EB 00|"; content:"|0F 00 00 F0|"; within:4; distance:2; flowbits:set,cve.2008-4265; flowbits:noalert; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32618; reference:cve,2008-4265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-074; classtype:misc-activity; sid:21931; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|68 10 0A 00|"; byte_test:2,>,32767,8,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23826; reference:cve,2007-1203; reference:cve,2007-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-023; classtype:attempted-user; sid:21928; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel MalformedPalette Record Memory Corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|80 07 FF 93 02 04 00 00 80 00 FF 93 02 04 00 14 80 05 FF 92 00 B2 00 A0 00 41 41 41 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,21922; reference:cve,2007-0031; classtype:attempted-user; sid:21933; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows embedded packager object with .application extension bypass attempt"; flow:to_client,established; flowbits:isset,ms.packager; flowbits:isset,file.ole; file_data; content:".application"; content:!"."; within:1; pcre:"/\x00\w+?\.application[^\x2E]/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:20883; rev:13;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows embedded packager object identifier"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|0F 00 09 04|"; fast_pattern:only; flowbits:set,ms.packager; flowbits:noalert; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:20882; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows OLE versioned stream missing data stream"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|00 49 FF 00 43 00 5F 00 4D 00 2E FF 00 56 00 53 00 53 00 00 01 00 FF 82 00 00 00 28 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50977; reference:cve,2011-3400; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-093; classtype:attempted-user; sid:20717; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 51 10 1D 00 01 02 00 00 00 00 15 00 3B FF FF 00 00 00 00 00 00 01 00 13 00 13 00 01 00 01 00 00 02 51 10 1D 00 02 02 00 00 00 00 15|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:21942; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|10 08 00 00 01 00 00 00 00 00 00 51 10 13 00 01 02 00 00 00 00 0B 00 3B 01 00 02 00 02 00 00 00 02 00 51 10 13 00 02 02 00 00 00 00 0B 00 3B 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:21943; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office GDI+ incorrect index validation of malformed EMF image attempt"; flow:to_client,established; file_data; flowbits:isset,file.pptx; content:"|CB D5 85 A5 57 CA A4 2E 05 AA 0D DE 58 03 BA 68 2C 59 C4 E5 4E 73 8D 07 15 B6 8A 84 73 4A 66 02|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0165; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-034; classtype:attempted-user; sid:22086; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|E5 00|"; content:!"|00 00|"; within:2; content:"|1D 00 0F 00|"; within:4; distance:-21; byte_test:2,<,1027,19,little,relative; byte_test:2,>,0x3fff,27,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0185; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:22081; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office GDI+ incorrect index validation of malformed EMF image attempt"; flow:to_client,established; file_data; flowbits:isset,file.ole; content:"|A2 22 EA 5E C1 8D 5B D7 2E 5C B8 70 E1 C2 8D 9B 22 88 20 58 9B 76 A3 C2 F8 FD DC 77 EF CC 4D 18|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0165; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-034; classtype:attempted-user; sid:22085; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel FNGROUPNAME record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|98 08 09 00 FF FF 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38553; reference:cve,2010-0262; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-017; classtype:attempted-user; sid:23010; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE EMF corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|4D 00 00 00|"; byte_test:4,>,2147483647,92,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28819; reference:bugtraq,29142; reference:cve,2007-5746; reference:url,www.openoffice.org/security/cves/CVE-2007-5746.html; classtype:attempted-user; sid:23093; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE EMF corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|4C 00 00 00|"; byte_test:4,>,2147483647,84,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28819; reference:bugtraq,29142; reference:cve,2007-5746; reference:url,www.openoffice.org/security/cves/CVE-2007-5746.html; classtype:attempted-user; sid:23091; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE EMF corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_test:4,>,2147483647,48,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28819; reference:bugtraq,29142; reference:cve,2007-5746; reference:cve,2017-3052; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,www.openoffice.org/security/cves/CVE-2007-5746.html; classtype:attempted-user; sid:23094; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE EMF corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_test:4,>,2147483647,56,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28819; reference:bugtraq,29142; reference:cve,2007-5746; reference:cve,2017-3052; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,www.openoffice.org/security/cves/CVE-2007-5746.html; classtype:attempted-user; sid:23095; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE EMF corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|4C 00 00 00|"; byte_test:4,>,2147483647,92,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28819; reference:bugtraq,29142; reference:cve,2007-5746; reference:cve,2017-3052; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,www.openoffice.org/security/cves/CVE-2007-5746.html; classtype:attempted-user; sid:23092; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE EMF corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|4D 00 00 00|"; byte_test:4,>,2147483647,88,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28819; reference:bugtraq,29142; reference:cve,2007-5746; reference:url,www.openoffice.org/security/cves/CVE-2007-5746.html; classtype:attempted-user; sid:23105; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed graphic record code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|51 10 0F 00 01 02 00 00|"; depth:256; offset:3300; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15926; reference:cve,2006-0030; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-012; classtype:attempted-user; sid:23150; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Outlook arbitrary command line attempt"; flow:to_client,established; file_data; content:"mailto|3A|"; nocase; content:"|2F|altvba"; distance:0; nocase; pcre:"/\x3c[^\x3e]+[\x22\x27]mailto\x3a[^\x3e]+\x3f[^\x3e]*\x2faltvba/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-015; classtype:misc-attack; sid:23211; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Malformed MSODrawing Record attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|02 F0|"; byte_test:4,>,0,0,relative; content:"|08 F0|"; within:2; distance:6; content:"|04 F0|"; within:2; distance:22; byte_test:4,>,0,0,relative; content:"|09 F0|"; within:2; distance:6; byte_test:4,>,0,0,relative; byte_test:4,=,0,-16,relative; content:!"|03 F0|"; within:2; distance:-18; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0243; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-003; classtype:attempted-user; sid:23270; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc|file.ole; file_data; content:"|16 24|"; content:"|17 24|"; within:64; content:"|06 D6|"; within:64; byte_test:2,>,0xfffc,0,relative,little; byte_test:2,<,0xffff,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32584; reference:cve,2008-4837; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:attempted-user; sid:23268; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc|file.ole; file_data; content:"|16 24|"; content:"|17 24|"; within:64; content:"|06 D6|"; within:64; byte_test:2,>,0xfffc,0,relative,little; byte_test:2,<,0xffff,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32584; reference:cve,2008-4837; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:attempted-user; sid:23266; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc|file.ole; file_data; content:"|16 24|"; content:"|17 24|"; within:64; content:"|08 D6|"; within:64; byte_test:2,>,0xfffc,0,relative,little; byte_test:2,<,0xffff,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32584; reference:cve,2008-4837; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:attempted-user; sid:23267; rev:5;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office Word request for imeshare.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"i|00|m|00|e|00|s|00|h|00|a|00|r|00|e|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2012-1854; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-046; classtype:attempted-user; sid:23315; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office Word imeshare.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|imeshare.dll"; nocase; http_uri; metadata:service http; reference:cve,2012-1854; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-046; classtype:attempted-user; sid:23316; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"|FF FE|"; depth:2; offset:28; content:"|A5 DC|"; byte_test:2,<,4,140,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:23356; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office BMP header biClrUsed integer overflow attempt"; flow:to_server,established; flowbits:isset,file.bmp; file_data; content:"BM"; fast_pattern; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4,>,536870911,36,relative,little; metadata:service smtp; reference:bugtraq,36651; reference:cve,2009-2518; classtype:attempted-admin; sid:23525; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint CurrentUserAtom remote code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|00 00 F6 0F|"; content:"|14 00 00 00|"; within:4; distance:4; byte_test:2,>,255,8,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-1131; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:23536; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|0B 08 3F 00 2C 00 3A 00 00 5F 28 22 24 22 2A 20 23 2C 23 23 1F 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23554; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PICT graphics converter memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|00 A1|"; content:"|49 43|"; within:2; distance:10; byte_test:2,>,4094,0,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-3946; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:23528; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint Legacy file format picture object code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|FF 03 00 00 00 60 16 8F 10 00 00 00 00 5F 07 90 08 28 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,34834; reference:cve,2009-0223; classtype:attempted-user; sid:23539; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with linkFmla"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|"; within:6; distance:2; content:"|0C 00 14 00|"; within:4; distance:16; content:"|0E 00|"; within:2; distance:20; byte_jump:2,0,relative,little; content:"|13 00|"; within:2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23546; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel integer field in row record improper validation remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|08 00|P|00 00 FF 00 00 0A AA|A|8D 86 84|7|0E FF FF 00 00 00 00 00 FE 0D|"; fast_pattern:only; metadata:service smtp; reference:cve,2009-3130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:23542; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel invalid Lbl record"; flow:to_server,established; file_data; flowbits:isset,file.xls; file_data; content:"|29 18 00 28 00 00 40 6D 0A 00 73 63 65 6E 5F 6E|"; fast_pattern:only; metadata:service smtp; reference:cve,2011-1988; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-072; classtype:attempted-user; sid:23532; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel pivot item index boundary corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|D5 00 02 00|"; byte_extract:2,0,streamID,relative,little; content:"|B0 00|"; distance:0; content:"|00 00|"; within:2; distance:18; byte_extract:2,4,iCache,relative,little; content:"|C6 00|"; byte_test:2,=,streamID,6,relative,little; byte_test:2,!=,iCache,14,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42199; reference:cve,2010-2562; classtype:attempted-user; sid:23558; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|B0 00 3D 00 02 00 06 00 00 00 03 00 03 00 04 00 01 00 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,40523; reference:cve,2010-1245; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23551; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|"; within:6; distance:2; content:"|0C 00 14 00|"; within:4; distance:16; content:"|13 00|"; within:2; distance:20; byte_test:2,>,1024,18,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,40520; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23544; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_server,established; file_data; content:"|41 3F 80 14 00 00 00 1F 00 1F 00 00 00 1F 00 1F 00 20 00 20 00 00 00 00 05 B8 80 80 FF FF FF 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-3945; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:23527; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint Download of version 4.0 file"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"R|00|o|00|o|00|t|00| |00|E|00|n|00|t|00|r|00|y|00|"; content:"P|00|P|00|4|00|0|00|"; within:8; distance:108; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0220; reference:cve,2009-0223; reference:cve,2009-0226; reference:cve,2009-0227; reference:cve,2009-1137; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:23535; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint PP7 Component buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|CC 0F 00 00 FF FF 00 00|"; byte_test:4,>,0x100,0,relative,little; byte_extract:4,0,length,relative,little; content:"|00 00 00 00|"; within:4; content:"|BA 0F 00 00|"; within:length; byte_test:4,>,0x100,4,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-1129; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:23538; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|B0 00 3D 00 02 00 08 00 00 00 01 00 04 00 04 00 01 00 FF 7F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-1245; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23552; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro and linkFmla"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|"; within:6; distance:2; content:"|0C 00 14 00|"; within:4; distance:16; content:"|04 00|"; within:2; distance:20; byte_jump:2,0,relative,little; content:"|0E 00|"; within:2; byte_jump:2,0,relative,little; content:"|13 00|"; within:2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23547; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft HtmlDlgHelper ActiveX clsid access"; flow:to_server,established; file_data; content:"3050f4e1-98b5-11cf-bb82-00aa00bdce0b"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-3329; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:23555; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel invalid Lbl record"; flow:to_server,established; file_data; flowbits:isset,file.xls; file_data; content:"|0A 00 73 63 65 6E 5F 75 73 65 72 32 17 01 66 03|"; fast_pattern:only; metadata:service smtp; reference:cve,2011-1988; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-072; classtype:attempted-user; sid:23531; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel pivot item index boundary corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"PivotTable"; content:"|B0 00|"; within:200; distance:-200; content:"|00 00|"; within:2; distance:18; byte_extract:2,4,cdim,relative,little; content:"|B2 00|"; within:76; byte_test:2,>,cdim,6,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42199; reference:cve,2010-2562; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-057; classtype:attempted-user; sid:23559; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word GDI+ Office Art Property Table remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"c|00 0B F0 24 00 00 00 7F 00 04 00 04 00|X|01 00 00 00 00|V|00|AAAA"; fast_pattern:only; metadata:service smtp; reference:cve,2009-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:23540; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel file SxView record exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|B0 00|"; byte_test:2,>,44,0,relative,little; byte_test:2,<,8225,0,relative,little; byte_test:2,<,11,4,relative,little; byte_test:2,>,10,34,relative,little; byte_jump:2,0,relative,little; pcre:"/^[\xB1\xB4-\xB6\xC5\xF1]\x00/R"; metadata:service smtp; reference:cve,2009-3128; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:23543; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint paragraph format array inner header overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|1C 00 00 00 00 80 41 41 41 41 41 41 95 00 FF FF 64|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,34833; reference:cve,2009-0220; classtype:attempted-user; sid:23534; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_server,established; file_data; content:"|FE 00 00 02 D6 FD FF 00 02 D5 FB FE 00 02 D4 FA FE 00 06 D6|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-3945; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:23526; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|"; within:6; distance:2; content:"|0C 00 14 00|"; within:4; distance:16; content:"|04 00|"; within:2; distance:20; byte_jump:2,0,relative,little; content:"|13 00|"; within:2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23545; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt"; flow:to_server,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"|FE FF|"; depth:2; offset:28; content:"|DC A5|"; byte_test:2,<,4,138,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:23556; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5A 03 00 00 00 15|excelrtd.rtdfunctions"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,40524; reference:cve,2010-1246; classtype:attempted-user; sid:23548; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|49 49 2A 00|"; depth:4; byte_jump:4,0,relative,little,from_beginning; byte_extract:2,0,numentries,multiplier 12,little,relative; content:"|15 01 03 00|"; within:numentries; byte_test:4,<=,1,0,little,relative; byte_test:2,>,10,4,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45274; reference:cve,2010-3947; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:23530; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|0B 08 3F 00 0B 08 3A 00 00 5F 28 22 24 22 2A 20 23 2C 23 23 20 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,40522; reference:cve,2010-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23553; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel GDI+ Office Art Property Table remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"3|01 0B F0 8C 02 00 00 7F 00 08 00 08 00|E|C1 A8 01 00 00|F|C1 1C 00 00 00|Q|C1|&|00 00 00|U|C1 00 00 00 00|V|C1 00 00 00 00|W|C1 16 00 00 00|V|00|AAAA"; fast_pattern:only; metadata:service smtp; reference:cve,2009-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:23541; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"|FF FE|"; depth:2; offset:28; content:"|A5 DC|"; byte_test:2,<,4,140,relative; metadata:service smtp; reference:cve,2009-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:23557; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint HashCode10Atom memory corruption attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 F0 03|"; content:"|00 00|+"; within:3; distance:5; isdataat:4,relative; content:!"|04 00 00 00|"; within:4; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-1130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:23537; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|13 08 E9 0B 0F 00 00 F0 E1 0B 00 00 00 00 06 F0 00 00 00 00 02 04 00 00 02 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-1246; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:23550; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|EB 06 90 90 AD 57 00 30 81 C4 24 16 00 00 C3 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,40524; reference:cve,2010-1246; classtype:attempted-user; sid:23549; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel invalid Lbl record"; flow:to_server,established; file_data; flowbits:isset,file.xls; file_data; content:"|40 6D 0B 00 73 63 65 6E 5F 63 68 61 6E 67 65 2C|"; fast_pattern:only; metadata:service smtp; reference:cve,2011-1988; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-072; classtype:attempted-user; sid:23533; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Visio DXF file text overflow attempt"; flow:to_server,established; flowbits:isset,file.dxf; file_data; content:"ENTITIES"; content:"MTEXT"; distance:0; content:"|5C|L"; distance:0; isdataat:250,relative; content:!"|3B|"; within:250; content:!"|5C 5C|"; within:250; distance:-250; content:!"|5C|0"; within:250; distance:-250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1888; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-059; classtype:attempted-user; sid:23843; rev:10;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Visio DXF file text overflow attempt"; flow:to_server,established; flowbits:isset,file.dxf; file_data; content:"ENTITIES"; content:"MTEXT"; distance:0; content:"|5C|O"; distance:0; isdataat:250,relative; content:!"|3B|"; within:250; content:!"|5C 5C|"; within:250; distance:-250; content:!"|5C|0"; within:250; distance:-250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1888; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-059; classtype:attempted-user; sid:23956; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office EMF image EMFPlusPointF record memory corruption attempt"; flow:to_server,established; file_data; content:"|02 04 ED 9F F3 EE 77 BA A1 09 E7 97 42 49 07 A4 39 2E FF 00 D8 05 00 00 01 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0167; classtype:attempted-user; sid:23992; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Works 4.x converter font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"Times|20|New|20|Roman|20|Cyr|03 10 FF 41 41 41 41 41 41 41 41 41 41 41 41|"; content:"|41 41 41 41 28 AE 12 00 41 41 41 41 58 17 DD 77|"; within:16; distance:112; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-1533; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-024; classtype:attempted-user; sid:18616; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft DirectShow Line 21 decoder exploit attempt"; flow:to_client,established; file_data; content:"|52 49 46 46 F8 C1 4E 0E 41 56 49 20 4C 49 53 54 90 7C 01 00 68 64 72 6C 61 76 69 68 38 00 00 00 56 82 00 00 5D FA 4C 01 00 02 00 00 10 08 00 00|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0004; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:20880; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel catLabel pointer manipulation attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|20 10 08 00|"; byte_test:2,>,31999,2,relative,little; byte_test:1,!&,248,6,relative,little; content:"|00 62 10 12 00|"; within:5; distance:7; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46225; reference:cve,2011-0978; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-021; classtype:attempted-user; sid:24129; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel catLabel pointer manipulation attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|20 10 08 00|"; byte_test:2,>,31999,2,relative,little; byte_test:1,!&,248,6,relative,little; content:"|00|"; within:1; distance:7; metadata:service smtp; reference:bugtraq,46225; reference:cve,2011-0978; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-021; classtype:attempted-user; sid:24130; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Visio DXF variable name overflow attempt"; flow:to_server,established; flowbits:isset,file.dxf; file_data; content:"HEADER"; content:"9"; distance:0; content:"|0A 24|"; distance:0; isdataat:92,relative; content:!"|0A|"; within:92; pcre:"/HEADER[\x20\r]*\n[\x20]*9[\x20\r]*\n\x24[^\n]{92}/"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,39836; reference:cve,2010-1681; classtype:attempted-user; sid:24186; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel drawing layer use after free attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|0F 00 03 F0|"; fast_pattern; content:"|0F 00 04 F0|"; within:4; distance:4; byte_extract:4,0,container_size,relative,little; content:"|01 00 09 F0 10 00 00 00|"; within:8; content:!"|0A F0 08 00 00 00|"; within:6; distance:18; content:"|00 00 11 F0 00 00 00 00|"; within:container_size; distance:-8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46227; reference:cve,2011-0977; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-023; classtype:attempted-user; sid:24241; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel drawing layer use after free attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|0F 00 04 F0|"; fast_pattern; content:!"|0F 00 03 F0|"; within:4; distance:-12; byte_extract:4,0,container_size,relative,little; content:!"|0A F0 08 00 00 00|"; within:6; distance:2; content:"|0B F0|"; within:2; distance:18; content:"|00 00 11 F0 00 00 00 00|"; within:container_size; distance:-20; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,46227; reference:cve,2011-0977; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-023; classtype:attempted-user; sid:24240; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel drawing layer use after free attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|0F 00 03 F0|"; fast_pattern; content:"|0F 00 04 F0|"; within:4; distance:4; byte_extract:4,0,container_size,relative,little; content:"|01 00 09 F0 10 00 00 00|"; within:8; content:!"|0A F0 08 00 00 00|"; within:6; distance:18; content:"|00 00 11 F0 00 00 00 00|"; within:container_size; distance:-8; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,46227; reference:cve,2011-0977; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-023; classtype:attempted-user; sid:24242; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office rtf document generic exploit indicator"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"%USERPROFILE%|5C|"; pcre:"/\x25USERPROFILE\x25\x5C[^\x2e]{1,255}\x2eexe/"; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:21907; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF malformed second pfragments field"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"pFragments"; nocase; content:"{|5C|sv"; within:15; nocase; pcre:"/^[^\x3B\x7D]{0,10}\x3B[^\x3B\x7D]{64}/smiR"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18704; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF file with embedded OLE object"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objdata"; content:"d0cf11e0a1b11ae1"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18685; rev:13;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt"; flow:to_client,established; file_data; content:"{|5C|rt"; nocase; content:"{|5C|object|5C|objemb{|5C|*|5C|objclass Package}"; distance:0; nocase; flowbits:set,file.rtf.embed; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-4692; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-065; classtype:misc-activity; sid:8445; rev:16;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|shp"; nocase; content:"|5C|sp"; within:50; nocase; pcre:"/\x7b[^\x7d]*?\x5csv[^\x7d]*?(\d+)?\x3b(\d+)?\x3b[^\x7d\x3b]{12}/Ri"; byte_test:4,>,4,-4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:22102; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF malformed second pfragments field"; flow:to_server,established; flowbits:isset,file.rtf; content:"pFragments"; nocase; content:"{|5C|sv"; within:15; nocase; pcre:"/^[^\x3B\x7D]{0,10}\x3B[^\x3B\x7D]{64}/smiR"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18705; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows object packager dialogue code execution attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"73797374656d3332"; fast_pattern; nocase; content:"78707370327265732e646c6c"; within:30; nocase; content:"636d642e657865"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,20318; reference:cve,2006-4692; classtype:attempted-admin; sid:21524; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"pFragments"; nocase; content:"{|5C|sv"; within:15; nocase; pcre:"/[^\x3b\x7d]*\x3b[^\x3b\x7d]*\x3b.{8}/smiR"; byte_test:4,>,4,0,relative,string,hex; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18702; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_client,established,only_stream; flowbits:isset,file.rtf; file_data; content:"|5C|shp"; nocase; content:"|5C|sp"; within:50; nocase; pcre:"/\x7b[^\x7d]*?\x5csv[^\x7d]*?(\d+)?\x3b(\d+)?\x3b[^\x7d\x3b]{12}/Ri"; byte_test:4,>,4,-4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:22101; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF malformed second pfragments field"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"pFragments"; nocase; content:"{|5C|sv"; within:15; nocase; pcre:"/^[^\x3B\x7D]{0,10}\x3B[^\x3B\x7D]{64}/smiR"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18706; rev:15;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_server,established; flowbits:isset,file.rtf; content:"pFragments"; nocase; content:"{|5C|sv"; within:15; nocase; pcre:"/[^\x3b\x7d]*\x3b[^\x3b\x7d]*\x3b.{8}/smiR"; byte_test:4,>,4,0,relative,string,hex; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18703; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|4D 4D 00 2A|"; depth:4; byte_jump:4,0,relative,big,from_beginning; byte_extract:2,0,numentries,multiplier 12,big,relative; content:"|01 15 00 03|"; within:numentries; byte_test:4,<=,1,0,big,relative; byte_test:2,>,10,4,big,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45274; reference:cve,2010-3947; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:24556; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|49 49 2A 00|"; depth:4; byte_jump:4,0,relative,little,from_beginning; byte_extract:2,0,numentries,multiplier 12,little,relative; content:"|15 01 03 00|"; within:numentries; byte_test:4,<=,1,0,little,relative; byte_test:2,>,10,4,little,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,45274; reference:cve,2010-3947; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:24557; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|4D 4D 00 2A|"; depth:4; byte_jump:4,0,relative,big,from_beginning; byte_extract:2,0,numentries,multiplier 12,big,relative; content:"|01 15 00 03|"; within:numentries; byte_test:4,<=,1,0,big,relative; byte_test:2,>,10,4,big,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,45274; reference:cve,2010-3947; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:24558; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel Publisher record heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|88 00 08 00|"; content:"|01 00|"; within:2; distance:4; content:"|89 00|"; within:2; distance:2; byte_test:2,<,46,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2010-1250; reference:cve,2012-1886; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-076; classtype:attempted-user; sid:24657; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SST record invalid length memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|8C 00|"; byte_jump:2,0,relative,little; content:"|C1 01|"; within:2; byte_jump:2,0,relative,little; content:"|FC 00|"; within:2; byte_test:2,<,8,0,relative,little; byte_test:4,>,0,2,relative,little; metadata:policy security-ips drop, service smtp; reference:bugtraq,56430; reference:cve,2012-1887; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-076; classtype:attempted-user; sid:24674; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SERIES record code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5B 10 0E 00|"; content:"|04|"; within:1; distance:1; byte_test:2,&,0x8000,10,relative,little; metadata:policy security-ips drop, service smtp; reference:cve,2012-1885; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-076; classtype:attempted-user; sid:24659; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SST record invalid length memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|8C 00|"; byte_jump:2,0,relative,little; content:"|C1 01|"; within:2; byte_jump:2,0,relative,little; content:"|FC 00|"; within:2; byte_test:2,<,8,0,relative,little; byte_test:4,>,0,2,relative,little; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56430; reference:cve,2012-1887; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-076; classtype:attempted-user; sid:24673; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SERIES record code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5B 10 0E 00|"; content:"|04|"; within:1; distance:1; byte_test:2,&,0x8000,10,relative,little; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1885; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-076; classtype:attempted-user; sid:24658; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_server,established; flowbits:isset,file.cgm; file_data; content:"|20 42 00 01 00 80 41 3F 8F F8 00 00 00 95 00 C7 00 00 00 C7 00 95 00 AA 00 96 00 08 00 00 00 0C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2010-3945; reference:cve,2012-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-057; classtype:attempted-user; sid:24823; rev:4;) # alert tcp any any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Visio VSD file icon memory corruption attempt"; flow:to_server,established; file_data; flowbits:isset,file.visio; content:"|A8 00 04 00 01 00 70 00 00 00 20 FF 20 00 00 00 DD 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0095; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-005; classtype:attempted-user; sid:24815; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint bad text header txttype attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|00 00 00 00 9F 0F 04 00 00 00|"; byte_test:1,>,8,0,relative,little; metadata:service smtp; reference:cve,2006-0022; reference:cve,2011-1269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-036; classtype:attempted-user; sid:24868; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|1C 1D 13 08 48 00 13 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 02 00 00 00 11 6D 79 63 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:25295; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 04 00 00 A7 00 04 00 B0 0F 0C 00 3C 00 50 01 77 8D A4 06 30 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:25294; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|06 04 00 00 A7 00 04 00 B0 0F 0C 00 3C 00 50 01 77 8D A4 06 30 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:25296; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|42 F1 00 00 00 00 03|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-2573; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-088; classtype:attempted-user; sid:25311; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"pfragments|00 CC 7D 7B 7B 5C 2A 5C 2A 7D 5C 73 76 7B 7D 7B 5C 69 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:25393; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint TextCharsAtom record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|00 00 A0 0F|"; byte_test:1,>,127,3,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,38108; reference:cve,2010-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:25527; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; content:"|0A F0 08 00 00 00|"; byte_test:2,&,1024,4,relative,little; byte_test:2,&,8,4,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,28146; reference:cve,2008-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-016; classtype:attempted-user; sid:25587; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word Document remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|EC A5|"; byte_test:2,<,38,0,relative,little; byte_test:4,>,0,22,relative,little; byte_test:4,<,250,22,relative,little; metadata:service smtp; reference:cve,2009-3135; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-068; classtype:attempted-user; sid:25630; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word Document remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|DC A5|"; byte_test:2,<,38,0,relative,little; byte_test:4,>,0,22,relative,little; byte_test:4,<,250,22,relative,little; metadata:service smtp; reference:cve,2009-3135; reference:cve,2016-3283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-088; classtype:attempted-user; sid:25631; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word unchecked index value remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|E0 10 11 84 00 00 15 C6 05 00 01 48 12 06 5E 84 E0 10 60 84 00 00 6F 28 00 87 68 00 00 00 00 88|"; fast_pattern:only; content:"|0F 84 1C 11 11 84 4C FF 15 C6 05 00 01 1C 11 06|"; metadata:service smtp; reference:cve,2010-3219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-079; classtype:attempted-user; sid:25768; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls&file.ole; file_data; content:"|09 08|"; content:"|0A 00|"; distance:6; content:"|EB 00|"; byte_test:2,>,0,0,relative,little; byte_jump:2,0,relative,little; isdataat:2,relative; content:!"|EC 00|"; within:2; distance:2; content:"|5D 00 1A 00 15 00 12 00|"; within:8; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35243; reference:cve,2009-0559; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-user; sid:25969; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Visio version number anomaly"; flow:to_server,established; flowbits:isset,file.visio&file.ole; file_data; content:"Visio |28|TM|29| Drawing|0D 0A 00 00 00 00|"; fast_pattern:only; pcre:"/Visio \x28TM\x29 Drawing\r\n\x00{4}([^\x00]|\x00[^\x00]|\x00\x00[^\x0b]|\x00\x00\x0b[^\x00])/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24349; reference:cve,2007-0934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-030; classtype:misc-activity; sid:26089; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office OneNote 2010 buffer overread info disclosure attempt"; flow:to_server,established; file_data; content:"|E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3|"; depth:16; content:"|09 34 00 20 5B 34 00 1C|"; byte_test:2,>,499,0,relative; metadata:service smtp; reference:cve,2013-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-025; classtype:attempted-recon; sid:26171; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio TAG_xxxSheet code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|6D 00 FF FF 00 00 03 00 20 00 00 00 03 00 FF FF FF FF FF FF FF FF 00 00 00 00 00 00 02 00 FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-023; classtype:attempted-user; sid:26163; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office OneNote 2010 buffer overread info disclosure attempt"; flow:to_client,established; file_data; content:"|E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3|"; depth:16; content:"|09 34 00 20 5B 34 00 1C|"; byte_test:2,>,499,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-025; classtype:attempted-recon; sid:26170; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Visio TAG_xxxSheet code execution attempt"; flow:to_server,established; flowbits:isset,file.visio; file_data; content:"|6D 00 FF FF 00 00 03 00 20 00 00 00 03 00 FF FF FF FF FF FF FF FF 00 00 00 00 00 00 02 00 FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-023; classtype:attempted-user; sid:26164; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"Sheet"; content:"|51 08|"; distance:0; byte_test:2,<,8,0,relative,little; content:"|51 08|"; within:2; distance:2; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:26175; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel FRTWrapper record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|51 08 00 00|AAAAAAAAAAAAAAAA"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:26174; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SXDB memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|06 04 00 00 67 08 61 01 67 08 00 00 00 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,36943; reference:cve,2009-3127; classtype:attempted-user; sid:26177; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SXDB memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 04 00 00 67 08 61 01 67 08 00 00 00 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36943; reference:cve,2009-3127; classtype:attempted-user; sid:26176; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint TxMasterStyle10Atom atom numLevels buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 F8 03|"; byte_extract:4,4,master_record,relative,little; content:"|B2 0F|"; within:master_record; byte_test:2,>,5,4,relative,little; byte_test:1,<,0x90,-4,relative; byte_test:1,!&,0x01,-4,relative; byte_test:1,!&,0x02,-4,relative; byte_test:1,!&,0x04,-4,relative; byte_test:1,!&,0x08,-4,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-1455; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-051; classtype:attempted-user; sid:26330; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel format record code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; content:"|09 08 10 00 00 06|"; distance:0; content:"|1E 04|"; distance:0; fast_pattern; byte_test:2,>,392,2,relative,little; byte_test:2,>,4,0,relative,little; byte_test:2,<,256,4,relative,little; content:"Sheet1"; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-3005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-043; classtype:attempted-user; sid:26329; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"FILE-OFFICE OpenOffice OLE File Stream Buffer Overflow attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"W|00|o|00|r|00|d|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|"; nocase; byte_test:4,>,0x80000000,96,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,28819; reference:cve,2008-0320; classtype:attempted-user; sid:26453; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel file with embedded PDF object"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"startxref"; nocase; content:"%%EOF"; distance:0; nocase; isdataat:!3,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18683; rev:16;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel sheet name memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|01 16 01 00 00 F0 00 00 00 2C 03 00 00 D4 00 00 00 00 02 00 00 FF FF FF FF 34 03 00 00 D8 03 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24691; reference:cve,2007-3490; classtype:attempted-user; sid:26602; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office eps filters memory corruption attempt"; flow:to_server,established; flowbits:isset,file.eps; file_data; content:"%!PS-Adobe-EPSF-3.0"; fast_pattern:only; content:"|C5 D0 D3 C6|"; depth:4; byte_test:2,>,32767,24,relative,little; metadata:service smtp; reference:bugtraq,30595; reference:cve,2008-3019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-044; classtype:attempted-user; sid:26597; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Visio SVG external entity local file disclosure attempt"; flow:to_server,established; flowbits:isset,file.svg; file_data; content:"[^\s]+?)\s+?SYSTEM\s+?[\x22\x27]\s*?http:\x2f\x2f[^\x5d]+?\x25(?P=remote)\x3b/i"; metadata:service smtp; reference:cve,2013-1301; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-044; classtype:attempted-recon; sid:26628; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio SVG external entity local file disclosure attempt"; flow:to_client,established; flowbits:isset,file.svg; file_data; content:"[^\s]+?)\s+?SYSTEM\s+?[\x22\x27]\s*?http:\x2f\x2f[^\x5d]+?\x25(?P=remote)\x3b/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1301; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-044; classtype:attempted-recon; sid:26627; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE XML parameter entity reference local file disclosure attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"[^\s]+?)\s+?SYSTEM\s+?[\x22\x27]\s*?file:\x2f\x2f\x2f.*?[\x22\x27]\s*?<\x21ENTITY\s+?(\x25|%\x3b)[^>]+?SYSTEM\s+?[\x22\x27]\s*?https?:\x2f\x2f[^>]+?\x25(?P=local)\x3b/si"; metadata:service http; reference:bugtraq,59765; reference:cve,2013-1301; reference:cve,2013-3137; reference:cve,2018-0878; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0878; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-044; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-078; classtype:attempted-recon; sid:26626; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 2E 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00 05 C1 16 00 00 00 06 01 01 00 00 00 31|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26710; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 2E 00 00 00 7F 00 80 00 80 00 04 41 0A 00 00 00 05 C1 16 00 00 00 06 01 01 00 00 00 31|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26709; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 2E 00 00 00 7F 00 80 00 80 00 04 41 0A 00 00 00 05 C1 16 00 00 00 06 01 01 00 00 00 31|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26708; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 2E 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00 05 C1 16 00 00 00 06 01 01 00 00 00 31|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26707; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 26 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00 05 C1 0E 00 00 00 06 01 01 00 00 00 53|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26706; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt"; flow:to_server,established; flowbits:isset,file.doc|file.xls; file_data; content:"|08 D6|"; byte_extract:1,2,NumberOfColumns,relative,little; content:"|20 D6 0B|"; distance:0; byte_extract:1,0,itcFirst,relative,little; byte_test:1,>,itcFirst,0,relative,little; byte_test:1,>,NumberOfColumns,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43122; reference:cve,2009-3302; reference:cve,2010-2563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-067; classtype:attempted-user; sid:26676; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc&file.ole; file_data; content:"|42 75 66 66 65 72 20 6F 76 65 72 66 6C 6F 77|"; content:"|09 04 16 00 35 0E 00 00 CE 90 01 00 CE 90 01 00 10 00 00 00|"; fast_pattern:only; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,23380; reference:cve,2007-1910; classtype:attempted-user; sid:26674; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc&file.ole; file_data; content:"|FF FF FF FF FF FF EC A5 C1 00 4D 20 09 04 00 00 F0 12 BF 00|"; fast_pattern:only; content:"|09 04 16 00 22 0C 00 00 80 57 00 00 80 57 00 00 02|"; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|"; within:12; distance:23; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,23380; reference:cve,2007-1910; classtype:attempted-user; sid:26673; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc&file.ole; file_data; content:"|42 75 66 66 65 72 20 6F 76 65 72 66 6C 6F 77|"; content:"|09 04 16 00 35 0E 00 00 CE 90 01 00 CE 90 01 00 10 00 00 00|"; fast_pattern:only; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23380; reference:cve,2007-1910; classtype:attempted-user; sid:26672; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt"; flow:to_server,established; file_data; content:"|0A F0 08 00 00 00 01 20 01 00 56 61 9A 92 B3 65 82 F0 30 00 00 00 81 01 00 00 B4 B0|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,28146; reference:cve,2008-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-016; classtype:attempted-user; sid:26663; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed ftCMO record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 10 00 00 06 10 00|"; content:"|15 00 12 00 08 00|"; distance:0; fast_pattern; content:"|5D 00|"; within:2; distance:-10; byte_test:2,>,0,0,little,relative; content:!"|EC 00|"; within:2049; distance:-2049; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0100; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-009; classtype:attempted-user; sid:26711; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel style handling overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|FF 93 02|"; byte_test:2,>,40,0,relative,little; byte_test:2,>,733,4,relative,little; byte_test:1,!&,0x80,3,relative,little; content:"|80|"; within:1; distance:6; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18872; reference:cve,2006-3431; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-059; classtype:attempted-user; sid:26801; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel style handling overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|FF 93 02|"; byte_test:2,>,40,0,relative,little; byte_test:2,>,733,4,relative,little; byte_test:1,!&,0x80,3,relative,little; content:"|00|"; within:1; distance:6; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18872; reference:cve,2006-3431; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-059; classtype:attempted-user; sid:26800; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel style handling overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|FF 93 02|"; byte_test:2,>,40,0,relative,little; byte_test:2,>,733,4,relative,little; byte_test:1,!&,0x80,3,relative,little; content:"|80|"; within:1; distance:6; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18872; reference:cve,2006-3431; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-059; classtype:attempted-user; sid:26799; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control exploit attempt"; flow:to_server,established; flowbits:isset,file.rtf|file.ole; flowbits:isset,mscomctl.toolbar; file_data; content:"CKBJCKBJCKBJCKBJCKBJCKBJCKBJCKBJ"; metadata:service smtp; reference:url,blog.malwaretracker.com/2013/06/tomato-garden-campaign-possible.html; classtype:attempted-user; sid:26833; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control exploit attempt"; flow:to_client,established; flowbits:isset,file.rtf|file.ole; flowbits:isset,mscomctl.toolbar; file_data; content:"CKBJCKBJCKBJCKBJCKBJCKBJCKBJCKBJ"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1856; reference:url,blog.malwaretracker.com/2013/06/tomato-garden-campaign-possible.html; classtype:attempted-user; sid:26832; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access"; flow:to_server,established; file_data; content:"MSComctlLib.Toolbar.2"; fast_pattern:only; flowbits:set,mscomctl.toolbar; flowbits:noalert; metadata:policy max-detect-ips alert, service smtp; classtype:misc-activity; sid:26831; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access"; flow:to_client,established; file_data; content:"MSComctlLib.Toolbar.2"; fast_pattern:only; flowbits:set,mscomctl.toolbar; flowbits:noalert; metadata:policy max-detect-ips alert, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:26830; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office eps filters memory corruption attempt"; flow:to_server,established; flowbits:isset,file.eps; file_data; content:"%!PS-Adobe-EPSF-3.0"; fast_pattern:only; content:"|C5 D0 D3 C6|"; depth:4; byte_test:4,>,65535,24,relative,little; metadata:service smtp; reference:bugtraq,30595; reference:cve,2008-3019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-044; classtype:attempted-user; sid:27090; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office eps filters memory corruption attempt"; flow:to_client,established; flowbits:isset,file.eps; file_data; content:"%!PS-Adobe-3.1 EPSF-3.0"; fast_pattern:only; content:"|C5 D0 D3 C6|"; depth:4; byte_test:4,>,65535,24,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,30595; reference:cve,2008-3019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-044; classtype:attempted-user; sid:27089; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint printer record buffer overflow"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|4E 6F 6E 65 00 44 72 69 76 65 72 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0227; classtype:attempted-user; sid:27216; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint schemes record buffer overflow"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|B2 B2 B2 B2 B2 B2 01 80 2C 01 5F 16 05 00 FF 7F 00 00 FF 00 00 00 00 00 41 41 41 41 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0226; classtype:attempted-user; sid:27215; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel style handling overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|C0 20 93 02|"; byte_test:2,>,40,0,relative,little; byte_test:2,>,733,4,relative,little; byte_test:1,!&,0x80,3,relative,little; content:"|00|"; within:1; distance:6; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18872; reference:cve,2006-3431; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-059; classtype:attempted-user; sid:27214; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel style handling overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|C0 20 93 02|"; byte_test:2,>,40,0,relative,little; byte_test:2,>,733,4,relative,little; byte_test:1,!&,0x80,3,relative,little; content:"|80|"; within:1; distance:6; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18872; reference:cve,2006-3431; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-059; classtype:attempted-user; sid:27213; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel style handling overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|C0 20 93 02|"; byte_test:2,>,40,0,relative,little; byte_test:2,>,733,4,relative,little; byte_test:1,!&,0x80,3,relative,little; content:"|80|"; within:1; distance:6; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18872; reference:cve,2006-3431; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-059; classtype:attempted-user; sid:27212; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|3E 02 0A 00|"; byte_test:1,!&,240,1,relative,little; byte_test:2,>=,0xff00,1,relative,little; content:"|00 00|"; within:2; distance:8; metadata:policy security-ips alert, service smtp; reference:cve,2012-0141; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-030; classtype:attempted-user; sid:27249; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel Malformed Record Code Execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|01 00 02 00|"; content:"|9C 00 02 00|"; within:4; distance:2; byte_test:2,>,0x20,0,relative,little; content:"|19 00 02 00|"; within:4; distance:2; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,17101; reference:cve,2006-0031; classtype:attempted-user; sid:27635; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel FngGroupCount record overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|9C 00 02 00|"; byte_test:2,>,14,0,relative,little; byte_test:2,!=,16,0,relative,little; content:"|19 00 02 00|"; within:4; distance:2; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18890; reference:cve,2006-1308; reference:cve,2008-0320; classtype:attempted-user; sid:27634; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word malformed OCXINFO element EoP attempt"; flow:to_server,established; file_data; content:"|06 00 00 88 29 00 00 0B 00 00 00 FF FF 06 00 00 00 06 00 AF 50 33 00 08 00 02 00 AC 3C 22 00 06 00 B0 50 33 00 08 00 02 00 DC A2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3850; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-072; classtype:attempted-user; sid:27859; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word malformed OCXINFO element EoP attempt"; flow:to_client,established; file_data; content:"|06 00 00 88 29 00 00 0B 00 00 00 FF FF 06 00 00 00 06 00 AF 50 33 00 08 00 02 00 AC 3C 22 00 06 00 B0 50 33 00 08 00 02 00 DC A2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3850; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-072; classtype:attempted-user; sid:27858; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word document invalid cell count memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|3F 60 04 00 0E C6 AA FD 24 36 DF AC 39 D6 B8 7B AB 2E 6B 7F CE F4 E7 FE 8A 0F 49 C4 CC C8 B3 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3854; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-072; classtype:attempted-user; sid:27857; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word document invalid cell count memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|3F 60 04 00 0E C6 AA FD 24 36 DF AC 39 D6 B8 7B AB 2E 6B 7F CE F4 E7 FE 8A 0F 49 C4 CC C8 B3 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3854; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-072; classtype:attempted-user; sid:27856; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word document invalid cell count memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|D0 F0 C4 B5 A6 B5 A6 98 A6 98 89 C4 7C 70 7C 70 7C 70 62 55 49 55 49 55 62|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3856; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-072; classtype:attempted-user; sid:27855; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word document invalid cell count memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|D0 F0 C4 B5 A6 B5 A6 98 A6 98 89 C4 7C 70 7C 70 7C 70 62 55 49 55 49 55 62|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3856; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-072; classtype:attempted-user; sid:27854; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word invalid number of cells memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|70 00 6B 00 2D 00 6B 00 67 00 72 00 65 00 73 00 2E 00 72 00 75 00 2F 00 00 00 E0 C9 EA 79 F9 BA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3852; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-072; classtype:attempted-user; sid:27853; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word invalid number of cells memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|70 00 6B 00 2D 00 6B 00 67 00 72 00 65 00 73 00 2E 00 72 00 75 00 2F 00 00 00 E0 C9 EA 79 F9 BA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3852; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-072; classtype:attempted-user; sid:27852; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office SDTI signed integer underflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.doc; content:"|00 00 0C 00|"; fast_pattern; content:"|FF FF|"; within:2; distance:-10; content:!"|00 00 00 00|"; within:4; distance:8; byte_test:1,!&,0x80,3,relative; byte_test:1,&,0x80,15,relative; byte_test:4,>,0,20,relative,little; byte_test:4,<=,4,20,relative,little; metadata:policy balanced-ips alert, policy security-ips alert, service smtp; reference:cve,2013-3848; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-072; classtype:attempted-user; sid:27851; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office SDTI signed integer underflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.doc; content:"|00 00 0C 00|"; fast_pattern; content:"|FF FF|"; within:2; distance:-10; content:!"|00 00 00 00|"; within:4; distance:8; byte_test:1,!&,0x80,3,relative; byte_test:1,&,0x80,15,relative; byte_test:4,>,0,20,relative,little; byte_test:4,<=,4,20,relative,little; metadata:policy balanced-ips alert, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3848; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-072; classtype:attempted-user; sid:27850; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel invalid external defined names read AV attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|49 6E 64 65 70 65 6E 64 65 6E 63 65 20 44 61 79 5A 00 0D 00 05 05 23 00 01 00 00 00 00 60 B5 E3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-073; classtype:attempted-user; sid:27825; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel invalid external defined names read AV attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|49 6E 64 65 70 65 6E 64 65 6E 63 65 20 44 61 79 5A 00 0D 00 05 05 23 00 01 00 00 00 00 60 B5 E3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-073; classtype:attempted-user; sid:27824; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel PtgMemFunc zero-value cce-field read access violation attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|41 4D 34 36 34 39 42 33 36 32 07 00 2D 00 00 FF 3F 00 00 23|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1315; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-073; classtype:attempted-user; sid:27821; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel PtgMemFunc zero-value cce-field read access violation attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|41 4D 34 36 34 39 42 33 36 32 07 00 2D 00 00 FF 3F 00 00 23|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1315; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-073; classtype:attempted-user; sid:27820; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|27 10|"; content:"|04 00|"; within:2; distance:2; byte_test:2,<,0xff,0,relative,little; byte_test:2,>,0x7cff,2,relative,little; byte_test:2,<,0xffff,2,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53373; reference:cve,2012-0142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:27945; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|E5 00|"; byte_test:2,>,0,0,little,relative; byte_test:2,<,1027,2,little,relative; byte_extract:2,4,rwFirst,relative,multiplier 1,little; byte_test:2,=,rwFirst,0,little,relative; byte_test:2,>,0x3fff,4,little,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0185; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:27948; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|E5 00|"; content:!"|00 00|"; within:2; content:"|1D 00 0F 00|"; within:4; distance:-21; byte_test:2,<,1027,19,little,relative; byte_test:2,>,0x3fff,27,little,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0185; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:27947; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel Workspace file FontCount record memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|09 04 06 00 00 04 00 01|"; content:"|30 00|"; distance:0; byte_test:2,>,2,0,relative,little; content:"|00 00|"; within:2; distance:2; metadata:service smtp; reference:cve,2011-0103; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:28103; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel FngGroupCount record overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|0B 02|"; content:"|00 00 00 00|"; within:4; distance:2; content:"|9C 00 02 00|"; within:50; fast_pattern; byte_test:2,>,0x50,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18890; reference:cve,2006-1308; classtype:attempted-user; sid:28113; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel ShrFmla record use after free attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|7E 02 0A 00|"; content:"|06 00|"; within:50; distance:10; byte_jump:2,22,relative,little; content:"|BC 04|"; within:2; content:"|00|"; within:1; distance:8; byte_test:2,>,0x820,-9,relative,little; metadata:service smtp; reference:bugtraq,49476; reference:cve,2011-1986; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-072; classtype:attempted-user; sid:28137; rev:5;) # alert tcp any any -> $HOME_NET 25 (msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|F6 03 00 00 FF 7F 12 D6 FC 12 D6 FC|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:28133; rev:3;) # alert tcp any any -> $HOME_NET 25 (msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|07 07 07 52 07 45 07 50 07 52 07 4F 07 07 07|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:28132; rev:3;) # alert tcp any any -> $HOME_NET 25 (msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|EA FF FF F3 F3 F5 E1 E1 FC FD DB E0 EC DE E7 DC DC E5 E1 DE DE EE E6 FA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:28131; rev:3;) # alert tcp any any -> $HOME_NET 25 (msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|35 08 81 42 2A 01 43 4A 14 00 61 4A 14 00 70 68 00 00 00 00 00 20 15|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:28130; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|EA FF FF F3 F3 F5 E1 E1 FC FD DB E0 EC DE E7 DC DC E5 E1 DE DE EE E6 FA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:28129; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|35 08 81 42 2A 01 43 4A 14 00 61 4A 14 00 70 68 00 00 00 00 00 20 15|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:28128; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word 2003 macro byte opcode large data structure arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|82 39 26 41 B0 5D 5A D1|"; content:"|7F DE 64 36 C7 06 83|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3891; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-086; classtype:attempted-user; sid:28206; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word 2003 macro byte opcode large data structure arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|82 39 26 41 B0 5D 5A D1|"; content:"|7F DE 64 36 C7 06 83|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3891; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-086; classtype:attempted-user; sid:28205; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|D9 9F FF D9 00 1A 00 FE 00 04 00 00 00 0B FF FF FF FF 01 00 00 04 00 00 00 01 00 00 00 A0 01 01|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,17732; reference:cve,2006-2025; reference:url,secunia.com/advisories/19838; classtype:attempted-user; sid:28391; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|11 00 FE 00 04 00 01 00 00 00 00 00 00 00 00 01 03 00 01 00 00 00 05 00 00 00 01 01 03 00 01 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,17732; reference:cve,2006-2025; reference:url,secunia.com/advisories/19838; classtype:attempted-user; sid:28390; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Visio DXF file invalid memory allocation exploit attempt"; flow:to_server,established; flowbits:isset,file.dxf; file_data; content:"|0D 0A|HATCH|0D 0A|"; nocase; pcre:!"/^\s*[1-9][0-9]*\x0d\x0a/R"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-1090; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-019; classtype:attempted-user; sid:28440; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 10 00 00 06|"; content:"|A7 00|"; fast_pattern; byte_test:2,>,2056,3,relative,little; byte_extract:2,0,size_of_record,relative,little; content:"|3C 00|"; within:2; distance:size_of_record; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:28550; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 08 00 00 05|"; fast_pattern:only; content:"|A7 00|"; byte_test:2,>,520,3,relative,little; byte_extract:2,0,size_of_record,relative,little; content:"|3C 00|"; within:2; distance:size_of_record; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:28549; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt"; flow:to_server,established; content:"|D0 CF 11 E0|"; depth:4; file_data; content:"|13 08|"; content:!"|00 00|"; within:2; byte_extract:2,0,size_of_record,relative,little; content:"|13 08 00 00 00 00 00 00 00 00|"; within:10; byte_test:4,>,size_of_record,6,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:28546; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt"; flow:to_server,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"|13 08|"; fast_pattern; content:!"|00 00|"; within:2; byte_extract:2,0,size_of_record,relative,little; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,size_of_record,0,relative,little; metadata:policy security-ips drop, service smtp; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:28545; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08|"; content:!"|00 00|"; within:2; byte_extract:2,0,size_of_record,relative,little; content:"|13 08 00 00 00 00 00 00 00 00|"; within:10; byte_test:4,>,size_of_record,6,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:28544; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SerAuxTrend biff record corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|4B 10|"; fast_pattern; content:"|00|"; within:1; distance:2; byte_test:1,>,0x06,0,relative; content:"|FF FF FF FF|"; within:4; distance:1; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,48159; reference:cve,2011-1274; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:28794; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint MasterPagePackedText structure CharacterFormatArrayOuterHeaderSize buffer overflow"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|6C 0C 10 52 00 00 00 10 00 04 00 00 00 21 00 00 00 01 00 20 00 00 00 01 00 00 00 00 00 0D 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-1137; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-017; classtype:attempted-user; sid:29033; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint MasterPagePackedText structure CharacterFormatArrayOuterHeaderSize buffer overflow"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|6C 0C 80 52 00 00 00 10 00 04 00 00 00 21 00 00 00 01 00 20 00 00 00 01 00 00 00 00 00 0D 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-1137; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-017; classtype:attempted-user; sid:29032; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SERIES record sdtX memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|03 10 0C 00|"; content:"|03 00|"; within:2; pcre:"/\x03\x10\x0c\x00.{12}\x33\x10[^\x34]*?(\x33\x10.*?\x34\x10)*?[^\x34]*?\x5b\x10/Osmi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1847; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-030; classtype:attempted-user; sid:29264; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"FILE-OFFICE Microsoft Office Excel SERIES record sdtX memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|03 10 0C 00|"; content:"|03 00|"; within:2; pcre:"/\x03\x10\x0c\x00.{12}\x33\x10[^\x34]*?(\x33\x10.*?\x34\x10)*?[^\x34]*?\x5b\x10/Osmi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-1847; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-030; classtype:attempted-user; sid:29329; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SERIES record SerAuxErrBar sdtX memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|03 10 0C 00|"; byte_test:2,<=,32767,4,relative,little; byte_test:2,<=,32767,6,relative,little; content:"|01 00|"; within:2; distance:8; byte_test:2,<=,32767,0,relative,little; byte_test:2,!=,1,-10,relative,little; content:"|4A 10 02 00 01 00 5B 10 0E 00|"; within:50; distance:222; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1847; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-030; classtype:attempted-user; sid:29328; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SERIES record SerAuxTrend sdtX memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|03 10 0C 00|"; byte_test:2,<=,32767,4,relative,little; byte_test:2,<=,32767,6,relative,little; content:"|01 00|"; within:2; distance:8; byte_test:2,<=,32767,0,relative,little; byte_test:2,!=,1,-10,relative,little; content:"|4A 10 02 00 01 00 4B 10 1C 00|"; within:50; distance:222; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1847; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-030; classtype:attempted-user; sid:29327; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SERIES record sdtY memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|03 10 0C 00|"; byte_test:2,<=,3,0,relative,little; content:"|03 00|"; within:2; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1847; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-030; classtype:attempted-user; sid:29326; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel country record arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|8C 00 04 00|"; byte_test:2,>,5,0,relative,little; content:"|18 00|"; within:2; distance:4; byte_test:1,&,0x20,2,relative,little; byte_test:2,>,14,16,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-3006; reference:cve,2008-4266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-043; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-074; classtype:attempted-user; sid:29404; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record"; flow:established,to_client; flowbits:isset,file.doc; file_data; content:"|45 C6 80 01|"; fast_pattern:only; pcre:"/\x45\xC6\x80\x01.{7}[\x00-\x1F]{0,8}[\x20-\xff]/"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-001; classtype:attempted-admin; sid:29726; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record"; flow:established,to_server; flowbits:isset,file.doc; file_data; content:"|45 C6 80 00|"; fast_pattern:only; pcre:"/\x45\xC6\x80\x00.{7}[\x00-\x1F]{0,8}[\x20-\xff]/"; metadata:policy security-ips drop, service smtp; reference:cve,2014-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-001; classtype:attempted-admin; sid:29725; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record"; flow:established,to_client; flowbits:isset,file.doc; file_data; content:"|45 C6 80 00|"; fast_pattern:only; pcre:"/\x45\xC6\x80\x00.{7}[\x00-\x1F]{0,8}[\x20-\xff]/"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-001; classtype:attempted-admin; sid:29724; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record"; flow:established,to_server; flowbits:isset,file.doc; file_data; content:"|45 C6 80 01|"; fast_pattern:only; pcre:"/\x45\xC6\x80\x01.{7}[\x00-\x1F]{0,8}[\x20-\xff]/"; metadata:policy security-ips drop, service smtp; reference:cve,2014-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-001; classtype:attempted-admin; sid:29723; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows common controls stack buffer overflow via malicious toolbar and author attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"Tran Duy Linh"; nocase; content:"CONTROL MSComctlLib.Toolbar.2"; fast_pattern:only; content:"Toolbar1"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:30166; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls stack buffer overflow via malicious toolbar and author attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"Tran Duy Linh"; nocase; content:"CONTROL MSComctlLib.Toolbar.2"; fast_pattern:only; content:"Toolbar1"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:30165; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows common controls stack buffer overflow via malicious MSComctlLib xls object attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"MSComctlLib"; fast_pattern:only; content:"VBA"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:30164; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows common controls stack buffer overflow via malicious MSComctlLib object attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"CONTROL MSComctlLib"; fast_pattern:only; content:"|90 90 90 90 90 90|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:30163; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls stack buffer overflow via malicious MSComctlLib xls object attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"MSComctlLib"; fast_pattern:only; content:"VBA"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:30162; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls stack buffer overflow via malicious MSComctlLib object attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"CONTROL MSComctlLib"; fast_pattern:only; content:"|90 90 90 90 90 90|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:30161; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt"; flow:to_server,established; file_data; content:"MIME-Version"; depth:12; nocase; content:"9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E"; content:".mso"; distance:0; content:"Content-Transfer-Encoding: base64"; within:250; distance:-100; nocase; content:"Content-Type: application/x-mso"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:30160; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt"; flow:to_client,established; file_data; content:"MIME-Version"; depth:12; nocase; content:"9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E"; content:".mso"; distance:0; content:"Content-Transfer-Encoding: base64"; within:250; distance:-100; nocase; content:"Content-Type: application/x-mso"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:30159; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt"; flow:to_server,established; file_data; content:"MIME-Version"; depth:12; nocase; content:"C74190B6-8589-11d1-B16A-00C0F0283628"; content:".mso"; distance:0; content:"Content-Transfer-Encoding: base64"; within:250; distance:-100; nocase; content:"Content-Type: application/x-mso"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:30158; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt"; flow:to_client,established; file_data; content:"MIME-Version"; depth:12; nocase; content:"C74190B6-8589-11d1-B16A-00C0F0283628"; content:".mso"; distance:0; content:"Content-Transfer-Encoding: base64"; within:250; distance:-100; nocase; content:"Content-Type: application/x-mso"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:30157; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt"; flow:to_server,established; file_data; content:"MIME-Version"; depth:12; nocase; content:"996BF5E0-8044-4650-ADEB-0B013914E99C"; content:".mso"; distance:0; content:"Content-Transfer-Encoding: base64"; within:250; distance:-100; nocase; content:"Content-Type: application/x-mso"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:30156; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt"; flow:to_client,established; file_data; content:"MIME-Version"; depth:12; nocase; content:"996BF5E0-8044-4650-ADEB-0B013914E99C"; content:".mso"; distance:0; content:"Content-Transfer-Encoding: base64"; within:250; distance:-100; nocase; content:"Content-Type: application/x-mso"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:30155; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt"; flow:to_server,established; file_data; content:"MIME-Version"; depth:12; nocase; content:"BDD1F04B-858B-11D1-B16A-00C0F0283628"; content:".mso"; distance:0; content:"Content-Transfer-Encoding: base64"; within:250; distance:-100; nocase; content:"Content-Type: application/x-mso"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:30154; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt"; flow:to_client,established; file_data; content:"MIME-Version"; depth:12; nocase; content:"BDD1F04B-858B-11D1-B16A-00C0F0283628"; content:".mso"; distance:0; content:"Content-Transfer-Encoding: base64"; within:250; distance:-100; nocase; content:"Content-Type: application/x-mso"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:30153; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fodbcConn parsing remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|B0 F3 E0 71 2D B6 2D 9E 9F AC CF BB 47 FC F3 F8 FF 79 F1 CA EA DB 59 A7 2C 9B 7F 7C E5 CD B9 61 5B 6C BD 2E 77 3A BF FC|"; fast_pattern:only; metadata:service smtp; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:30248; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fodbcConn parsing remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|E2 72 E9 8C B1 C7 D2 C3 DC B8 BB B9 3A E6 EF 8C 59 DC 28 FE 65 BF 1F 53 D2 6F C2 CE 03 2E 9F EB 7C 73 9C 70 8E E3 14 AC|"; fast_pattern:only; metadata:service smtp; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:30247; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fWeb parsing remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,!&,0x07,0,relative,little; byte_test:1,&,0x48,0,relative,little; content:"|CD 00|"; within:2; distance:12; metadata:service smtp; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:30246; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fWeb parsing remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,&,0x03,0,relative,little; byte_test:1,&,0x40,0,relative,little; content:"|CD 00|"; within:2; distance:12; metadata:service smtp; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:30245; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fOdbcConn parsing remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,&,0x06,0,relative,little; byte_test:1,&,0x08,0,relative,little; content:!"|00 00|"; within:2; distance:10; content:"|CD 00|"; within:2; distance:12; content:!"|00 00|"; within:2; metadata:service smtp; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:30244; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|06 00|"; byte_test:2,<,0x200,0,relative,little; byte_extract:2,0,formulaSize,relative,little; content:"|00|"; within:1; distance:15; content:"|03 00 29|"; within:formulaSize; distance:4; content:"|00 00|"; within:2; metadata:service smtp; reference:cve,2013-1315; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-073; classtype:attempted-user; sid:30243; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00|"; byte_test:2,<,0x200,0,relative,little; byte_extract:2,0,formulaSize,relative,little; content:"|00|"; within:1; distance:15; content:"|03 00 29|"; within:formulaSize; distance:4; content:"|00 00|"; within:2; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1315; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-073; classtype:attempted-user; sid:30242; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|C3 0B 08|"; fast_pattern; byte_test:1,<,0x03,0,relative,little; byte_test:1,>,0x18,7,relative,little; content:"|C3 0B|"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,38104; reference:cve,2010-0032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:30941; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word WordPerfect converter buffer overflow attempt"; flow:to_server,established; file_data; content:"|FF|WPCF"; depth:5; content:"|08 11 02 00 00 00 C6 00 00 00|"; distance:0; byte_jump:4,0,relative,little,from_beginning,post_offset 32; byte_test:1,>,5,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,34469; reference:cve,2009-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-010; classtype:attempted-user; sid:31032; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word WordPerfect converter buffer overflow attempt"; flow:to_client,established; file_data; content:"|FF|WPCF"; depth:5; content:"|08 11 02 00 00 00 C6 00 00 00|"; distance:0; byte_jump:4,0,relative,little,from_beginning,post_offset 32; byte_test:1,>,5,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34469; reference:cve,2009-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-010; classtype:attempted-user; sid:31031; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|A7 00|"; content:"|DF D6 D5 3B|"; within:4; distance:11; metadata:service smtp; reference:cve,2011-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:31127; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|09 08 10 00 00 06|"; content:"|A7 00|"; fast_pattern; byte_test:2,>,2056,3,relative,little; byte_extract:2,0,size_of_record,relative,little; content:"|3C 00|"; within:2; distance:size_of_record; metadata:service smtp; reference:cve,2011-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:31126; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|09 08 08 00 00 05|"; fast_pattern:only; content:"|A7 00|"; byte_test:2,>,520,3,relative,little; byte_extract:2,0,size_of_record,relative,little; content:"|3C 00|"; within:2; distance:size_of_record; metadata:service smtp; reference:cve,2011-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:31125; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel Qsir and Qsif record remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|06 08|"; content:"|06 08|"; within:2; distance:2; byte_test:1,&,0x10,16,relative; byte_test:1,!&,0x40,16,relative; byte_test:4,>,0,18,relative,little; content:"|07 08|"; distance:0; content:"|07 08 00 00|"; within:4; distance:2; byte_test:1,&,8,0,relative; byte_test:1,<,0x10,2,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-1134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-user; sid:31374; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word Converter sprmTTextFflow overflow attempt"; flow:to_server,established; file_data; content:"|29 76 00 FF E0 01 13 D6 30 00 00 00 FF 04 01 00 00|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,47236; reference:cve,2011-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-033; classtype:attempted-user; sid:31379; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word Converter sprmTSplit overflow attempt"; flow:to_server,established; file_data; content:"|25 56 00 FF 05 D6 18 04 01 00 00 04 01|"; fast_pattern; content:"|08 D6 1A 00 01 94 FF 2C 22 00 06 98 22|"; within:50; metadata:service smtp; reference:bugtraq,47236; reference:cve,2011-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-033; classtype:attempted-user; sid:31378; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt"; flow:to_server,established; file_data; content:"|C0 9C 83 4A FF F8 CE 11 A0 6B 00 AA 00 A7 11 91 30 00 00 00|"; content:"T|00|h|00|u|00|m|00|b|00|n|00|a|00|i|00|l|00 00 00 41 00 00 00|"; distance:0; content:"|28 00 00 00|"; within:4; distance:4; pcre:"/^(?=.{10}[\x01\x04\x08\x16\x24\x32]\x00)(.{3}[\x55-\xFF]|.{31}[\x80-\xFF])/sR"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-3970; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-006; classtype:attempted-user; sid:31421; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|E0 85 9F F2 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9 30 00 00 00|"; content:"|11 00 00 00|"; distance:0; content:"|47 00 00 00|"; distance:0; content:"|08 00 00 00 28 00 00 00|"; within:8; distance:8; pcre:"/^(?=.{10}[\x01\x04\x08\x16\x24\x32]\x00)(.{3}[\x55-\xFF]|.{31}[\x80-\xFF])/sR"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-3970; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-006; classtype:attempted-user; sid:31420; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel malformed chart arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.xls|file.ole; file_data; content:"|41 10 12 00|"; byte_test:2,>,1,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-3004; reference:cve,2011-1987; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-072; classtype:attempted-user; sid:31441; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt"; flow:to_server,established; content:"powerpoint"; fast_pattern:only; pcre:"/Content\x2DDisposition\x3A\s*attachment[^\x0D\x0A]+name\x3D[^\x0D\x0A\x5C\x2F\x3A\x2A\x3F\x3C\x3E\x7C\x3D\s]{200}/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:31437; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|C6 00|"; byte_extract:2,14,cfdbTot,relative; byte_test:2,>,cfdbTot,-4,relative; content:"|B2 00|"; distance:0; byte_test:2,>,0,2,relative; byte_test:2,>,0,4,relative; metadata:service smtp; reference:cve,2009-3127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:31436; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|C6 00|"; byte_extract:2,14,cfdbTot,relative; byte_test:2,>,cfdbTot,-4,relative; content:"|B2 00|"; distance:0; byte_test:2,>,0,2,relative; byte_test:2,>,0,4,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:31435; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word Section Table Array Buffer Overflow attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|24 00 61 24 03 00 00 00 00 00 00 00 D1 50 00 00 04 00 00 AC 00 00 00 00 FF FF FF FF 00 00 00 00 CE|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,22225; reference:cve,2007-0515; classtype:attempted-user; sid:31434; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|06 00 2F 00 00 00 02 00 0F 00 00 00 20 01 F2 00 FF FF 00 00 6C 00 9C FC 19 00 23 AB B6 00 C0 17|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43650; reference:cve,2010-3235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:31476; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00 2F 00 00 00 02 00 0F 00 00 00 20 01 F2 00 FF FF 00 00 6C 00 9C FC 19 00 23 AB B6 00 C0 17|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43650; reference:cve,2010-3235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:31475; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|1D 00 00 00 FF FF 21 00 34 02 C7 FC 1E 00 23 30 00 00 00 17|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43650; reference:cve,2010-3235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:31474; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|06 00 91 00 07 00 01 00 41 00 00 00 E0 29 BD 04 FF FF 00 00 05 00 01 FF 1E 00 23 02 30 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 02|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43650; reference:cve,2010-3235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:31473; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Malformed MSODrawing Record attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|02 F0|"; byte_test:4,>,0,0,relative; content:"|08 F0|"; within:2; distance:6; content:"|04 F0|"; within:2; distance:22; byte_test:4,>,0,0,relative; content:"|09 F0|"; within:2; distance:6; byte_test:4,>,0,0,relative; byte_test:4,=,0,-16,relative; content:!"|03 F0|"; within:2; distance:-18; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0243; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-003; classtype:attempted-user; sid:31462; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel Malformed MSODrawing Record attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|EC 00|"; byte_test:2,>,0,0,relative; content:"|02 F0|"; within:2; distance:4; byte_test:4,>,0,0,relative; content:"|08 F0|"; within:2; distance:6; content:"|04 F0|"; within:2; distance:22; byte_test:4,>,0,0,relative; content:"|09 F0|"; within:2; distance:6; byte_test:4,>,0,0,relative; byte_test:4,=,0,-16,relative; content:!"|03 F0|"; within:2; distance:-18; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0243; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-003; classtype:attempted-user; sid:31461; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Access memory corruption attempt"; flow:to_server,established; file_data; content:"|C5 02 3F 83 01 FE 8B 05 E0 2F B1 0D 01 97 0C 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3155; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-074; classtype:attempted-user; sid:31537; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Access memory corruption attempt"; flow:to_server,established; file_data; content:"|02 09 04 87 04 17 B9 02 3F 83 01 FE 8B 05 B8 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3155; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-074; classtype:attempted-user; sid:31536; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Access memory corruption attempt"; flow:to_client,established; file_data; content:"|C5 02 3F 83 01 FE 8B 05 E0 2F B1 0D 01 97 0C 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3155; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-074; classtype:attempted-user; sid:31535; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Access memory corruption attempt"; flow:to_client,established; file_data; content:"|02 09 04 87 04 17 B9 02 3F 83 01 FE 8B 05 B8 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3155; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-074; classtype:attempted-user; sid:31534; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel invalid Lbl record attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|09 00|"; depth:2; content:"scen_num|1E|"; distance:0; byte_test:1,<,0x7FFF,0,relative,little; metadata:service smtp; reference:bugtraq,49478; reference:cve,2011-1988; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-072; classtype:attempted-user; sid:31579; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word global array index heap overflow attempt"; flow:to_server,established; flowbits:isset,file.doc|file.ole; file_data; content:"|31 90|"; content:"|1F B0|"; within:64; content:"|33 50|"; within:64; fast_pattern; byte_test:4,>,5,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32583; reference:cve,2008-4026; classtype:attempted-user; sid:31562; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; flowbits:isnotset,cve.2008-4265; file_data; content:"|5D 00|"; depth:5000; content:"|00 00 00 00|"; within:4; distance:12; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; content:"|B6 01|"; within:300; distance:-300; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32618; reference:cve,2008-4265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-074; classtype:attempted-user; sid:31592; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|EB 00|"; content:"|0F 00 00 F0|"; within:4; distance:2; flowbits:set,cve.2008-4265; flowbits:noalert; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32618; reference:cve,2008-4265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-074; classtype:misc-activity; sid:31591; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Outlook mailto injection attempt"; flow:to_server,established; file_data; content:"mailto:"; fast_pattern:only; pcre:"/\x3D[\x22\x27]mailto\x3A[^>]*?(\x26quot\x3B|\x26\x2334)[^>]*?(\x2f|\x2D)/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2004-0121; classtype:attempted-user; sid:31752; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Outlook mailto injection attempt"; flow:to_client,established; file_data; content:"mailto:"; fast_pattern:only; pcre:"/\x3D[\x22\x27]mailto\x3A[^>]*?(\x26quot\x3B|\x26\x2334)[^>]*?(\x2f|\x2D)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2004-0121; classtype:attempted-user; sid:31751; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 3"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|datafield |5C|jpegblip"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:31845; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 2"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|datafield |5C|pngblip"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:31844; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 1"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|datafield |5C|emfblip"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:31843; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt"; flow:to_server,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"|00 5D 00 36 00 15 00 12 00 0B 00 01 00 11 00 08 9E 4D 02 48 8E 4D 02 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0557; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-admin; sid:31876; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 5D 00 36 00 15 00 12 00 0B 00 01 00 11 00 08 9E 4D 02 48 8E 4D 02 00 00 00 00 00 0C 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0557; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-admin; sid:31875; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_server,established; file_data; content:"|40 00 00 00 00 D2 49 6B 00 00 00 00 40 00 00 00 00 4C 10 5F 20 E3 C6 01 40 00 00 00 00 1E 5A CA 20 E3 C6 01|"; fast_pattern:only; content:"|FE FF 00 00|"; content:"|02 00 00 00 A8 03 00 00 1E|"; within:9; distance:180; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:31927; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; file_data; content:"|40 00 00 00 00 D2 49 6B 00 00 00 00 40 00 00 00 00 4C 10 5F 20 E3 C6 01 40 00 00 00 00 1E 5A CA 20 E3 C6 01|"; fast_pattern:only; content:"|FE FF 00 00|"; content:"|02 00 00 00 A8 03 00 00 1E|"; within:9; distance:180; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:31926; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_client,established; file_data; content:"BegPic|3B|"; content:"BegPicBody|3B|"; distance:0; content:"CellArray|0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3945; reference:cve,2012-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-057; classtype:attempted-user; sid:32064; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_server,established; file_data; content:"|41 3F 80 14 00 00 00 1F 00 1F 00 00 00 1F 00 1F 00 20 00 20 00 00 00 00 05 B8 80 80 FF FF FF 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2010-3945; reference:cve,2012-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-057; classtype:attempted-user; sid:32063; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_server,established; file_data; content:"BegPic|3B|"; content:"BegPicBody|3B|"; distance:0; content:"CellArray|0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-3945; reference:cve,2012-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-057; classtype:attempted-user; sid:32062; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel MalformedPalette Record Memory Corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|80 07 FF 93 02 04 00 00 80 00 FF 93 02 04 00 14 80 05 FF 92 00 B2 00 A0 00 41 41 41 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,21922; reference:cve,2007-0031; classtype:attempted-user; sid:32095; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel MalformedPalete Record Memory Corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|00 00 80 00 FF 93 02 04 00 14 80 05 FF 92 00 E2 00 80 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,21922; reference:cve,2007-0031; classtype:attempted-user; sid:32094; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|02 00 09 00 00 00 02 00 40 00 00 03 00 05 00 09 00 FF FF FF FF 41 15 00 01 00 05 00 09 00 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-012; classtype:attempted-user; sid:32083; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel Malformed Filter Records Handling Code Execution attempt"; flow:to_server,established; flowbits:isset,file.xls; content:"|43 6F 6C 75 6D 6E 20 42 3F 9B 00 00 00 9D 00 02 00 02 00 9E 00 1D 00 33 00 04 2A 06 02 8C 23 01 01 04 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,23780; reference:cve,2007-1214; classtype:attempted-user; sid:32082; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|68 10 0A 00|"; byte_test:2,>,32767,8,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,23826; reference:cve,2007-1203; reference:cve,2007-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-023; classtype:attempted-user; sid:32132; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|60 10 0A 00|"; byte_test:2,>,32767,8,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,23826; reference:cve,2007-1203; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-023; classtype:attempted-user; sid:32131; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel rtWnDesk record memory corruption exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"8|00 04 00|"; byte_test:2,>,32767,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-3890; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-044; classtype:attempted-user; sid:32122; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt"; flow:to_server,established; flowbits:isset,file.docx; file_data; content:"|E2 EC 9C B5 F6 1B C6 B2 CD 34 06 86 4B 3A E9 5F 3F 12 60 0C 08 09 24 EE 46 C9 43 62 5B 94 E1 2B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-061; classtype:attempted-user; sid:32148; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt"; flow:to_client,established; flowbits:isset,file.docx; file_data; content:"|E2 EC 9C B5 F6 1B C6 B2 CD 34 06 86 4B 3A E9 5F 3F 12 60 0C 08 09 24 EE 46 C9 43 62 5B 94 E1 2B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-061; classtype:attempted-user; sid:32147; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel style record overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|E0 00 14 00|"; byte_test:1,&,0x04,4,relative,little; byte_test:1,!&,0x08,4,relative,little; byte_test:1,&,0x10,4,relative,little; byte_test:1,&,0x20,4,relative,little; byte_test:1,&,0x40,4,relative,little; byte_test:1,&,0x80,4,relative,little; byte_test:1,=,255,5,relative,little; content:"|93 02 04 00|"; distance:0; byte_test:1,>=,160,0,relative,little; byte_test:1,>=,8,1,relative,little; byte_test:1,!&,0x10,1,relative,little; byte_test:1,!&,0x20,1,relative,little; byte_test:1,!&,0x40,1,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-0114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:attempted-user; sid:32206; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|06 10 08 00 FF FF|"; byte_test:2,>,255,2,little,relative; byte_extract:2,0,yi,little,relative; byte_test:2,>,yi,0,little,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49517; reference:cve,2011-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-072; classtype:attempted-user; sid:32377; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 08 00 00 05|"; content:"|CD 07|"; within:2; distance:4; content:"|85 00|"; distance:0; content:"|06|"; within:1; distance:7; content:"|5D 00|"; content:"|14 00|"; within:2; distance:6; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1273; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:32517; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|09 08 08 00 00 05|"; content:"|CD 07|"; within:2; distance:4; content:"|85 00|"; distance:0; content:"|02|"; within:1; distance:7; content:"|5D 00|"; content:"|14 00|"; within:2; distance:6; metadata:service smtp; reference:cve,2011-1273; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:32516; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|09 08 08 00 00 05|"; content:"|CD 07|"; within:2; distance:4; content:"|85 00|"; distance:0; content:"|06|"; within:1; distance:7; content:"|5D 00|"; content:"|14 00|"; within:2; distance:6; metadata:service smtp; reference:cve,2011-1273; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:32515; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 08 00 00 05|"; content:"|CD 07|"; within:2; distance:4; content:"|85 00|"; distance:0; content:"|02|"; within:1; distance:7; content:"|5D 00|"; content:"|14 00|"; within:2; distance:6; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1273; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:32514; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word bOffset value overflow attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|0A 26 00 0B 46 02 00 0D C6 08 00 02 30 FD 02 0D 00 00 16 24 01 2A 24 01 49 66 02 00 00 00 67 64|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6335; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-user; sid:32477; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word bOffset value overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|0A 26 00 0B 46 02 00 0D C6 08 00 02 30 FD 02 0D 00 00 16 24 01 2A 24 01 49 66 02 00 00 00 67 64|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6335; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-user; sid:32476; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word fcPlfguidUim out-of-bounds attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|FF FF FF FF FF FF FF FF EC A5 C1 00|"; content:"|00 00 00 00|"; within:4; distance:10; content:"|0E 00|"; within:2; distance:14; content:"|16 00|"; within:2; distance:28; byte_test:2,>=,0x0088,88,relative,little; byte_test:4,>,0x00ffffff,978,relative,little; metadata:policy security-ips drop, service smtp; reference:cve,2014-6334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-069; classtype:attempted-user; sid:32435; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word lcbPlcffndTxt out-of-bounds attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|FF FF FF FF FF FF FF FF EC A5 C1 00|"; content:"|00 00 00 00|"; within:4; distance:10; content:"|0E 00|"; within:2; distance:14; content:"|16 00|"; within:2; distance:28; byte_test:2,>=,0x005D,88,relative,little; byte_test:4,>,0x00ffffff,118,relative,little; metadata:policy security-ips drop, service smtp; reference:cve,2014-6334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-069; classtype:attempted-user; sid:32434; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word fcPlfguidUim out-of-bounds attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|FF FF FF FF FF FF FF FF EC A5 C1 00|"; content:"|00 00 00 00|"; within:4; distance:10; content:"|0E 00|"; within:2; distance:14; content:"|16 00|"; within:2; distance:28; byte_test:2,>=,0x0088,88,relative,little; byte_test:4,>,0x00ffffff,978,relative,little; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-069; classtype:attempted-user; sid:32433; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word lcbPlcffndTxt out-of-bounds attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|FF FF FF FF FF FF FF FF EC A5 C1 00|"; content:"|00 00 00 00|"; within:4; distance:10; content:"|0E 00|"; within:2; distance:14; content:"|16 00|"; within:2; distance:28; byte_test:2,>=,0x005D,88,relative,little; byte_test:4,>,0x00ffffff,118,relative,little; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-069; classtype:attempted-user; sid:32432; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|FF FF FF FF FF FF FF FF EC A5 C1 00|"; content:"|16 00|"; within:2; distance:58; content:"|B7 00|"; within:2; distance:88; isdataat:1400,relative; content:!"|00 00 00 00|"; within:4; distance:1396; metadata:service smtp; reference:cve,2014-6333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-069; classtype:attempted-user; sid:32429; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|FF FF FF FF FF FF FF FF EC A5 C1 00|"; content:"|16 00|"; within:2; distance:58; content:"|B7 00|"; within:2; distance:88; isdataat:1400,relative; content:!"|00 00 00 00|"; within:4; distance:1396; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-069; classtype:attempted-user; sid:32428; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel Selection exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|1D 00 0F 00 03|"; byte_test:2,>,0x1f00,6,relative,little; metadata:service smtp; reference:cve,2011-1277; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:32589; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Selection exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|1D 00 0F 00 03|"; byte_test:2,>,0x1f00,6,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1277; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:32588; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel Series record exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|03 10 0C 00|"; content:"|00 01 00|"; within:3; distance:1; byte_test:1,&,0x80,1,relative,little; content:"|33 10 00 00|"; within:4; distance:8; metadata:service smtp; reference:cve,2011-1278; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:32587; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|B2 01 12 00|"; content:"|BE 01|"; within:2; distance:18; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0105; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:32625; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt"; flow:to_server,established; file_data; content:"CHNKWKS "; content:"|F8 01|"; within:2; distance:16; content:"|18 00|"; within:2; distance:6; byte_test:1,>,0x18,22,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0177; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-028; classtype:attempted-user; sid:32644; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt"; flow:to_server,established; file_data; content:"CHNKWKS"; byte_test:2,>,0x18,48,relative,little; content:!"|18 00|"; within:2; distance:48; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0177; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-028; classtype:attempted-user; sid:32643; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|08 02 18 00 07 00 00 00 0A 00 2C 01 00 00 00 00 40 01 0F 00 08 02 10 00 08 00 00 00 0A 00 2C 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6361; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-083; classtype:attempted-user; sid:32719; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|08 02 18 00 07 00 00 00 0A 00 2C 01 00 00 00 00 40 01 0F 00 08 02 10 00 08 00 00 00 0A 00 2C 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6361; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-083; classtype:attempted-user; sid:32718; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word array index out-of-bounds attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|0F 84 80 16 11 84 98 14 A4 90 01 00 05 1C 00 13 A4 A0 00 14 A4 A0 00 00 4E 4A 07 00 51 4A 07 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6356; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-081; classtype:attempted-user; sid:32712; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word array index out-of-bounds attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|0F 84 80 16 11 84 98 14 A4 90 01 00 05 1C 00 13 A4 A0 00 14 A4 A0 00 00 4E 4A 07 00 51 4A 07 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6356; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-081; classtype:attempted-user; sid:32711; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF object use after free attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"{{{{}{}}{{}{}}{{}{}}"; fast_pattern:only; content:"{|5C|shp{{|7C|sps}"; metadata:policy security-ips drop, service smtp; reference:cve,2014-6357; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-081; classtype:attempted-user; sid:32708; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF object use after free attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"{{{{}{}}{{}{}}{{}{}}"; fast_pattern:only; content:"{|5C|shp{{|7C|sps}"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6357; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-081; classtype:attempted-user; sid:32707; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office use after free"; flow:to_server,established; file_data; content:"|FF FF FF 00 00 00 00 00 01 00 00 00 C0 80 C0 00|"; fast_pattern:only; content:"|00 02 00 00 56 65 72 64 61 6E 61 00 00 00 00 40|"; metadata:policy security-ips drop, service smtp; reference:cve,2014-6364; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-082; classtype:attempted-user; sid:32688; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office use after free"; flow:to_client,established; file_data; content:"|FF FF FF 00 00 00 00 00 01 00 00 00 C0 80 C0 00|"; fast_pattern:only; content:"|00 02 00 00 56 65 72 64 61 6E 61 00 00 00 00 40|"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6364; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-082; classtype:attempted-user; sid:32687; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel blip image use after free attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|02 00 00 00 3B 00 00 00 03 00 00 00 85 00 00 00 3F 00 01 F0 19 3C 00 00 02 00 07 E0 24 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6360; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-083; classtype:attempted-user; sid:32684; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel blip image use after free attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|02 00 00 00 3B 00 00 00 03 00 00 00 85 00 00 00 3F 00 01 F0 19 3C 00 00 02 00 07 E0 24 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6360; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-083; classtype:attempted-user; sid:32683; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel ObjBiff exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|00 14|"; within:8; content:"|00 01 06 00 00|"; within:55; byte_test:1,!=,0x02,0,relative,little; metadata:service smtp; reference:cve,2011-1272; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:32872; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"4E087DEB"; distance:0; nocase; content:"F626A"; distance:0; nocase; byte_test:8,>,0x08000000,8,relative,string,hex; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:32863; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|B1 3C C1 6A|"; distance:0; content:"|43 6F 62 6A|"; distance:0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:32862; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|A3 E8 13 07|"; distance:0; content:"|43 6F 62 6A|"; distance:0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:32861; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|8B 8D DA 58|"; distance:0; content:"|43 6F 62 6A|"; distance:0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:32860; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|4E 08 7D EB|"; distance:0; content:"|43 6F 62 6A|"; distance:0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:32859; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|00 36 D8 F4|"; distance:0; content:"|43 6F 62 6A|"; distance:0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:32858; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|8E 7E E1 E6|"; distance:0; content:"|43 6F 62 6A|"; distance:0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:32857; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pub; file_data; content:"|00 0B 00 0B 00 00 00 00 00 00 00 AA 00 00 00 03 A0 41 41 41 FF|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,50949; reference:cve,2011-3411; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-091; classtype:attempted-user; sid:32961; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pub; file_data; content:"|03 80 79 6A D5 FF 04 20 F5 01 2A 00 3A 01 11 F0 0A 00 00 00 0A 00 00 00 01 68 42 01|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,50949; reference:cve,2011-3411; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-091; classtype:attempted-user; sid:32960; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SLK file excessive Picture records exploit attempt"; flow:to_server,established; flowbits:isset,file.slk; file_data; content:"|0A|P|3B|PAAAA"; content:"|0A|P|3B|PAAAA"; distance:0; content:"|0A|P|3B|PAAAA"; distance:0; content:"|0A|P|3B|PAAAA"; distance:0; content:"|0A|P|3B|PAAAA"; distance:0; content:"|0A|P|3B|PAAAA"; distance:0; metadata:service smtp; reference:cve,2011-1276; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:32942; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SLK file excessive Picture records exploit attempt"; flow:to_server,established; flowbits:isset,file.slk; file_data; content:"|0D 0A|P|3B|FABC"; content:"|0D 0A|P|3B|FABC"; distance:0; content:"|0D 0A|P|3B|FABC"; distance:0; content:"|0D 0A|P|3B|FABC"; distance:0; content:"|0D 0A|P|3B|FABC"; distance:0; content:"|0D 0A|P|3B|FABC"; distance:0; pcre:"/(\x0d\x0aP\x3bFABC\d{3}){200}/i"; metadata:service smtp; reference:cve,2011-1276; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:32941; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|09 08 08 00 00 05 05 00|"; content:"|04 02|"; distance:0; byte_test:1,&,0x80,9,relative; byte_test:2,>,8,0,relative,little; byte_test:2,<,8225,0,relative,little; metadata:service smtp; reference:cve,2004-0846; reference:cve,2011-0098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:32940; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel remote exploit attempt"; flow:to_client,established; file_data; content:"|C8 19 F5 05 27 D4 FD 77 3F 66 9A 71 A3 3B 09 B2 79 03 3E A0 A4 FA 9F AE E7 EC D3 51 3C 5F E5 FC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0063; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-012; classtype:attempted-user; sid:33362; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word wwlib use after free attempt"; flow:established,to_server; flowbits:isset,file.doc; content:"|00 00 30 22 00 00 00 00 00 00 DC 23 00 00 00 00 00 00 DC 23 00 00 00 00 00 00 55 31 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-012; classtype:attempted-user; sid:33351; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word wwlib use after free attempt"; flow:established,to_client; flowbits:isset,file.doc; content:"|00 00 30 22 00 00 00 00 00 00 DC 23 00 00 00 00 00 00 DC 23 00 00 00 00 00 00 55 31 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-012; classtype:attempted-user; sid:33350; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office OLESS stream object name corruption attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|44 00 72 00 61 00 77 00 69 00 6E 00 67 00 78 00 00 00 35 40 4C 00 00 00 B4 51 00 00 00 00 00 00 00 00 00 00 45 00 00 00 61 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,50977; reference:cve,2011-3400; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-093; reference:url,www.securityfocus.com/bid/50977; classtype:attempted-user; sid:33442; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office OLESS stream object name corruption attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|44 00 72 00 61 00 77 00 69 00 6E 00 67 00 78 00 00 00 35 40 4C 00 00 00 B4 51 00 00 00 00 00 00 00 00 00 00 45 00 00 00 61 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50977; reference:cve,2011-3400; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-093; reference:url,www.securityfocus.com/bid/50977; classtype:attempted-user; sid:33441; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word document with embedded networking script"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"objXMLHTTP"; fast_pattern:only; content:"objADOStream"; metadata:service smtp; reference:url,www.virustotal.com/en/file/e031685f71240913721b278b1253d09101faab9953e713ff840b31e5fdc387da/analysis/; classtype:policy-violation; sid:33563; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word document with embedded networking script"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"objXMLHTTP"; fast_pattern:only; content:"objADOStream"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/e031685f71240913721b278b1253d09101faab9953e713ff840b31e5fdc387da/analysis/; classtype:policy-violation; sid:33562; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word border use-after-free attempt"; flow:to_server,established; flowbits:isset,file.docx; file_data; content:"|1D 3D B1 8C 1C 0A 73 ED D9 F4 8E 2C C8 46 55 8B AA 97 1D 55 18 77 24 45 E2 49 1C E1 2A 49 BF 25 5E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-099; classtype:attempted-user; sid:33568; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word border use-after-free attempt"; flow:to_client,established; flowbits:isset,file.docx; file_data; content:"|1D 3D B1 8C 1C 0A 73 ED D9 F4 8E 2C C8 46 55 8B AA 97 1D 55 18 77 24 45 E2 49 1C E1 2A 49 BF 25 5E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-099; classtype:attempted-user; sid:33567; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office ADODB.RecordSet code execution attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"CreateObject(|22|ADODB.Recordset|22|)"; fast_pattern:only; content:"document.location.href"; nocase; metadata:service smtp; reference:cve,2015-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-022; classtype:attempted-user; sid:33735; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office ADODB.RecordSet code execution attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"CreateObject(|22|ADODB.Recordset|22|)"; fast_pattern:only; content:"document.location.href"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-022; classtype:attempted-user; sid:33734; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-OFFICE Microsoft Office Word incorrect schema property remote code execution attempt"; flow:established,to_server; flowbits:isset,file.docx; file_data; content:"|4D 60 52 3B 55 B9 2A 33 49 ED 5B 4A 48 32 68 C7 B6 1C 49 1E E0 DF A7 E5 0B 5F 80 0D D9 4D 1E 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0085; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-022; classtype:attempted-user; sid:33716; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word incorrect schema property remote code execution attempt"; flow:established,to_client; flowbits:isset,file.docx; file_data; content:"|4D 60 52 3B 55 B9 2A 33 49 ED 5B 4A 48 32 68 C7 B6 1C 49 1E E0 DF A7 E5 0B 5F 80 0D D9 4D 1E 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0085; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-022; classtype:attempted-user; sid:33715; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF out-of-bounds array access remote code execution attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"{|5C|sv }"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1649; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:34094; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF out-of-bounds array access remote code execution attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"{|5C|sv }"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1649; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:34093; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF double-free remote code execution attempt"; flow:to_server,established; file_data; content:"hp}|5C|xmlns1{|5C|protend{|5C|xmlclose}|5C|xmlns2{|5C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1651; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:34087; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF double-free remote code execution attempt"; flow:to_client,established; file_data; content:"hp}|5C|xmlns1{|5C|protend{|5C|xmlclose}|5C|xmlns2{|5C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1651; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:34086; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office XML nested num tag double-free attempt"; flow:to_server,established; file_data; content:"|00 12 00 00 00|word/numbering.xml"; fast_pattern; content:"|52 3A 31 5A 44 FE 0F 44 CF 3D E1 8D E4 10 B5 C7 29 21 EC 9E B9 8D 84 21 C2 6B 18 33 69 76 C5 9D|"; within:32; distance:279; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74011; reference:cve,2015-1650; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:34067; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office XML nested num tag double-free attempt"; flow:to_client,established; file_data; content:"|00 12 00 00 00|word/numbering.xml"; fast_pattern; content:"|52 3A 31 5A 44 FE 0F 44 CF 3D E1 8D E4 10 B5 C7 29 21 EC 9E B9 8D 84 21 C2 6B 18 33 69 76 C5 9D|"; within:32; distance:279; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,74011; reference:cve,2015-1650; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:34066; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word document memory corruption attempt"; flow:to_server,established; flowbits:isset,file.docx; file_data; content:"|BC AF 87 AD CB 62 47 80 14 8E 41 66 48 81 DE 9E 6B E5 40 8B A0 47 F5 5B ED 9E 23 D5 01 3B D1 58|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:34063; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word document memory corruption attempt"; flow:to_client,established; flowbits:isset,file.docx; file_data; content:"|BC AF 87 AD CB 62 47 80 14 8E 41 66 48 81 DE 9E 6B E5 40 8B A0 47 F5 5B ED 9E 23 D5 01 3B D1 58|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:34062; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF file with embedded OLE object"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"d0cf11e"; fast_pattern:only; metadata:service smtp; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:34131; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-OFFICE Microsoft Office Word incorrect ptCount element denial of service attempt"; flow:established,to_server; flowbits:isset,file.docx; file_data; content:"|5C D3 6E 39 8C EE 34 F1 05 33 3C 1D 97 CA D1 FB D5 D5 D5 DB DB DB D1 BF 04 22 03 03 7B B3 A2 2C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1682; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-046; classtype:denial-of-service; sid:34429; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word incorrect ptCount element denial of service attempt"; flow:established,to_client; flowbits:isset,file.docx; file_data; content:"|5C D3 6E 39 8C EE 34 F1 05 33 3C 1D 97 CA D1 FB D5 D5 D5 DB DB DB D1 BF 04 22 03 03 7B B3 A2 2C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1682; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-046; classtype:denial-of-service; sid:34428; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word SmartTag record code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|00 00 13 1F 14 FF 95 80 FF FF 01 00 00 00 00 00 28 2C 2D 00 00 00 01 00 D4 F5 22 00 00 00 00 00 44 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30124; reference:cve,2008-2244; classtype:attempted-user; sid:31312; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word SmartTag record code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|00 FF FF 01 00 00 00 05 00 4C 4F 0C 00 00 00 01 00 00 00 00 00 00 00 00 00 16 00 00 00 00 00 00 00 01 00 0E 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30124; reference:cve,2008-2244; classtype:attempted-user; sid:31311; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word SmartTag record code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 13 1F 14 FF 95 80 FF FF 01 00 00 00 00 00 28 2C 2D 00 00 00 01 00 D4 F5 22 00 00 00 00 00 44 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30124; reference:cve,2008-2244; classtype:attempted-user; sid:31310; rev:6;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt"; flow:to_server,established; file_data; content:"|9D 58 67 58 53 57 18 4E 08 84 3D 02 04 08 7B 4A 08 60 D9 1B 94 15 F6 DE B3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,63530; reference:cve,2013-3906; reference:url,technet.microsoft.com/en-us/security/advisory/2896666; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-096; classtype:attempted-user; sid:28526; rev:8;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt"; flow:to_client,established; file_data; content:"|9D 58 67 58 53 57 18 4E 08 84 3D 02 04 08 7B 4A 08 60 D9 1B 94 15 F6 DE B3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,63530; reference:cve,2013-3906; reference:url,technet.microsoft.com/en-us/security/advisory/2896666; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-096; classtype:attempted-user; sid:28525; rev:8;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt"; flow:to_server,established; file_data; content:"|EC 5A 07 54 D3 D9 B3 BE F4 2E EA 4A 17 75 57 8A C2 02 8A 0A 04 50 B1 81 34|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,63530; reference:cve,2013-3906; reference:url,technet.microsoft.com/en-us/security/advisory/2896666; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-096; classtype:attempted-user; sid:28473; rev:8;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt"; flow:to_client,established; file_data; content:"|EC 5A 07 54 D3 D9 B3 BE F4 2E EA 4A 17 75 57 8A C2 02 8A 0A 04 50 B1 81 34|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,63530; reference:cve,2013-3906; reference:url,technet.microsoft.com/en-us/security/advisory/2896666; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-096; classtype:attempted-user; sid:28472; rev:8;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|17 01 04 00 01 00 00 00|"; byte_test:4,>,0xFFFFFF,0,relative,little; content:"|02 02 04 00 01 00 00 00|"; within:300; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,63530; reference:cve,2013-3906; reference:url,technet.microsoft.com/en-us/security/advisory/2896666; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-096; classtype:attempted-user; sid:28471; rev:9;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|17 01 04 00 01 00 00 00|"; byte_test:4,>,0xFFFFFF,0,relative,little; content:"|02 02 04 00 01 00 00 00|"; within:300; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,63530; reference:cve,2013-3906; reference:url,technet.microsoft.com/en-us/security/advisory/2896666; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-096; classtype:attempted-user; sid:28470; rev:9;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 17 00 04 00 00 00 01|"; byte_test:4,>,0xFFFFFF,0,relative; content:"|02 02 00 04 00 00 00 01|"; within:300; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,63530; reference:cve,2013-3906; reference:url,technet.microsoft.com/en-us/security/advisory/2896666; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-096; classtype:attempted-user; sid:28469; rev:9;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 17 00 04 00 00 00 01|"; byte_test:4,>,0xFFFFFF,0,relative; content:"|02 02 00 04 00 00 00 01|"; within:300; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,63530; reference:cve,2013-3906; reference:url,technet.microsoft.com/en-us/security/advisory/2896666; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-096; classtype:attempted-user; sid:28468; rev:9;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt"; flow:to_server,established; content:"|ED 5C 07 54 53 59 B7 3E A1 57 11 95 D0 44 9D 91 A2 32 80 22 02 41 B0 22 48|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,63530; reference:cve,2013-3906; reference:url,technet.microsoft.com/en-us/security/advisory/2896666; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-096; classtype:attempted-user; sid:28467; rev:9;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt"; flow:to_client,established; file_data; content:"|ED 5C 07 54 53 59 B7 3E A1 57 11 95 D0 44 9D 91 A2 32 80 22 02 41 B0 22 48|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,63530; reference:cve,2013-3906; reference:url,technet.microsoft.com/en-us/security/advisory/2896666; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-096; classtype:attempted-user; sid:28466; rev:9;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff|file.doc; file_data; content:"|98 B8 FF FF B2 00 00 00 B2 00 00 00 B3 00 00 00 B3 00 00 00 B2 00 00 00 B1 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,63530; reference:cve,2013-3906; reference:url,technet.microsoft.com/en-us/security/advisory/2896666; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-096; classtype:attempted-user; sid:28465; rev:9;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff|file.doc; file_data; content:"|98 B8 FF FF B2 00 00 00 B2 00 00 00 B3 00 00 00 B3 00 00 00 B2 00 00 00 B1 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,63530; reference:cve,2013-3906; reference:url,technet.microsoft.com/en-us/security/advisory/2896666; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-096; classtype:attempted-user; sid:28464; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|C6 1D 3F 74 BA 5A 9F 42 8B DF C5 4D 03 25 3D C2|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:28343; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|AD 55 79 66 3B 6B CA 43 B9 49 BC 69 B5 BA FF 7F|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:28342; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|A2 D9 C1 E4 F7 CB BD 48 9A 69 34 A5 5E 0D 89 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:28341; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|A0 7B FE EB 8D 62 D2 11 AE 0F 00 60 97 B0 14 11|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:28340; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|90 42 93 53 8D 62 D2 11 AE 0F 00 60 97 B0 14 11|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:28339; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|75 67 2B 3B B6 70 AF 45 8D EA A2 09 C6 95 59 F3|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:28338; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|60 5D 3B 74 8D 62 D2 11 AE 0F 00 60 97 B0 14 11|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:28337; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|50 36 4A 6D 8D 62 D2 11 AE 0F 00 60 97 B0 14 11|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:28336; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|4D 48 6F 28 5E 37 58 44 A2 72 B1 38 E2 F8 0A 6A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:28335; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|2C AF 75 F9 51 9A F0 4A 91 EA 06 03 86 98 CE 38|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:28334; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|23 95 4A 93 CA A3 C5 4B AD A0 D6 D9 5D 97 94 21|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:28333; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|1B 5E 82 DA 30 68 D7 43 83 5D 0B 5A D8 29 56 A2|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:28332; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|0E 06 47 FC 53 61 34 4B B9 75 8E 41 21 EB 7F 3C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:28331; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|00 5D|"; byte_extract:2,0,recSize,relative,little; content:"|00 15 00 12|"; within:4; content:"|00 0A 00 0C|"; within:recSize; fast_pattern; content:!"|00 00 00 00|"; within:4; distance:2; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0557; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-admin; sid:28136; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 5D|"; byte_extract:2,0,recSize,relative,little; content:"|00 15 00 12|"; within:4; content:"|00 0A 00 0C|"; within:recSize; fast_pattern; content:!"|00 00 00 00|"; within:4; distance:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0557; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-admin; sid:28135; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel style handling overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|C0 20 93 02|"; byte_test:2,>,40,0,relative,little; byte_test:2,>,733,4,relative,little; byte_test:1,!&,0x80,3,relative,little; content:"|00|"; within:1; distance:6; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18872; reference:cve,2006-3431; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-059; classtype:attempted-user; sid:27211; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio TAG_xxxSect code execution attempt"; flow:established,to_client; file_data; content:"|02 00 F1 00 32 00 01 00 01 54 00 00 14 00 00 00 00 00 00 00 06 00 48 00 00 00 00 00 83 00 04 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-015; classtype:attempted-user; sid:26973; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|65 20 75 73 65 72 10 3E 02 12 00 B6 04 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 1D 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53374; reference:cve,2012-0143; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-030; classtype:attempted-user; sid:25367; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|65 20 75 73 65 72 10 3E 02 12 00 B6 04 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 1D 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53374; reference:cve,2012-0143; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-030; classtype:attempted-user; sid:25366; rev:11;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 04 F0|"; byte_extract:4,0,reclen,relative,little; content:"|00 00 1F F0 08 00 00 00|"; within:reclen; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,50964; reference:cve,2011-3413; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-094; classtype:attempted-user; sid:25355; rev:11;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 04 F0|"; byte_extract:4,0,reclen,relative,little; content:"|00 00 27 F0 08 00 00 00|"; within:reclen; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,50964; reference:cve,2011-3413; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-094; classtype:attempted-user; sid:25354; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 04 F0|"; byte_extract:4,0,reclen,relative,little; content:"|00 00 27 F0 08 00 00 00|"; within:reclen; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,50964; reference:cve,2011-3413; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-094; classtype:attempted-user; sid:25353; rev:11;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel conditional code execution attempt"; flow:to_server, established; flowbits:isset, file.xls; file_data; content:"|FF FF FF 7F 01 00 02 0A 00 0A 00 00 00 09 08 10 00 00 06 10|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1989; classtype:attempted-user; sid:25331; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel conditional code execution attempt"; flow:to_client, established; flowbits:isset, file.xls; file_data; content:"|FF FF FF 7F 01 00 02 0A 00 0A 00 00 00 09 08 10 00 00 06 10|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1989; classtype:attempted-user; sid:25330; rev:9;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|1C 1D 13 08 48 00 13 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 02 00 00 00 11 6D 79 63 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:25293; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|listoverride"; content:"|5C|listoverridecount"; fast_pattern:only; pcre:"/listoverridecount([2345678]|[019][0-9])/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-2539; reference:cve,2014-1761; reference:url,technet.microsoft.com/en-us/security/advisory/2953095; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-018; classtype:attempted-user; sid:24975; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|listoverride"; content:"|5C|listoverridecount"; fast_pattern:only; pcre:"/listoverridecount([2345678]|[019][0-9])/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2539; reference:cve,2014-1761; reference:url,technet.microsoft.com/en-us/security/advisory/2953095; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-018; classtype:attempted-user; sid:24974; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|23 95 4A 93 CA A3 C5 4B A0 AD 21 94 97 5D D9 D6|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:24970; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|C6 1D 3F 74 BA 5A 9F 42 DF 8B C2 3D 25 03 4D C5|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:24969; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|60 5D 3B 74 8D 62 D2 11 0F AE 11 14 B0 97 60 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:24968; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|50 36 4A 6D 8D 62 D2 11 0F AE 11 14 B0 97 60 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:24967; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|AD 55 79 66 3B 6B CA 43 49 B9 7F FF BA B5 69 BC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:24966; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|4D 48 6F 28 5E 37 58 44 72 A2 6A 0A F8 E2 38 B1|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:24965; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|75 67 2B 3B B6 70 AF 45 EA 8D F3 59 95 C6 09 A2|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:24964; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Works Word document use after free attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|00 FF 00 00 00 13 3B 74 FF 13 3B 74 FF 95 C0 95 8C 13 3B 74 FF 95 80 13 3B 74 FF 95 80 0F 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-2550; classtype:attempted-user; sid:24588; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Works Word document use after free attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 FF 00 00 00 13 3B 74 FF 13 3B 74 FF 95 C0 95 8C 13 3B 74 FF 95 80 13 3B 74 FF 95 80 0F 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2550; classtype:attempted-user; sid:24587; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word rgfc value overflow attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|47 16 00 00 4A 16 00 00 B2 0C 00 40 51 16 00 00 55 16 00 00 59 16 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0182; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-064; classtype:attempted-user; sid:24358; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word rgfc value overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|47 16 00 00 4A 16 00 00 B2 0C 00 40 51 16 00 00 55 16 00 00 59 16 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0182; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-064; classtype:attempted-user; sid:24357; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word RTF malformed listid attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|listid2147483647}"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-064; classtype:attempted-user; sid:24354; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word RTF malformed listid attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|listtable{"; content:"|5C|listid2147483647}"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-064; classtype:attempted-user; sid:24353; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Works 9 use-after-free attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:" = |22|BLAAAAAH|22| |22|, blah blah |13| IF |13| MERGEFIELD"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-2550; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-065; classtype:attempted-user; sid:24352; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Works 9 use-after-free attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:" = |22|BLAAAAAH|22| |22|, blah blah |13| IF |13| MERGEFIELD"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2550; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-065; classtype:attempted-user; sid:24351; rev:7;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Drawing object code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|EC 00|"; byte_extract:2,0,record,relative,little; content:"|0B F0|"; within:record; content:"|80 00|"; within:record; content:!"|00 00 00 00|"; within:4; flowbits:set,recordtype; flowbits:noalert; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23826; reference:cve,2007-1203; reference:cve,2007-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-023; classtype:attempted-user; sid:24284; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel Malformed Range Code Execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|18 00 1F|"; fast_pattern; content:"|00 00 00 00|"; within:4; distance:8; byte_test:2,>,32767,-6,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15780; reference:cve,2005-4131; classtype:attempted-user; sid:24269; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel Malformed Range Code Execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|18 02 1F|"; content:"|00 00 00 00|"; within:4; distance:8; byte_test:2,>,32767,-6,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15780; reference:cve,2005-4131; classtype:attempted-user; sid:24268; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Malformed Range Code Execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|18 00 1F|"; fast_pattern; content:"|00 00 00 00|"; within:4; distance:8; byte_test:2,>,32767,-6,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15780; reference:cve,2005-4131; classtype:attempted-user; sid:24267; rev:8;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt"; flow:to_server,established; flowbits:isset,file.rtf; flowbits:isset,mscomctl; file_data; content:"9665fb1e7c85d111b16a00c0f0283628"; nocase; content:"21433412"; distance:0; nocase; content:"01efcdab"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1856; reference:cve,2013-1313; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-060; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-020; classtype:attempted-user; sid:24006; rev:13;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access"; flow:to_server,established; content:"4D53436F6D63746C4C69622E5461625374726970"; fast_pattern:only; flowbits:set,mscomctl; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24005; rev:13;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access"; flow:to_client,established; file_data; content:"MSComctlLib.TabStrip"; fast_pattern:only; flowbits:set,mscomctl; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24004; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office EMF image EMFPlusPointF record memory corruption attempt"; flow:to_client,established; file_data; content:"|02 04 ED 9F F3 EE 77 BA A1 09 E7 97 42 49 07 A4 39 2E FF 00 D8 05 00 00 01 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0167; classtype:attempted-user; sid:23989; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio DXF file text overflow attempt"; flow:to_client,established; flowbits:isset,file.dxf; file_data; content:"ENTITIES"; content:"MTEXT"; distance:0; content:"|5C|O"; distance:0; isdataat:250,relative; content:!"|3B|"; within:250; content:!"|5C 5C|"; within:250; distance:-250; content:!"|5C|0"; within:250; distance:-250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1888; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-059; classtype:attempted-user; sid:23957; rev:9;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt"; flow:to_client,established; flowbits:isset,file.rtf; flowbits:isset,mscomctl; file_data; content:"9665fb1e7c85d111b16a00c0f0283628"; nocase; content:"21433412"; distance:0; nocase; content:"01efcdab"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1856; reference:cve,2013-1313; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-060; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-020; classtype:attempted-user; sid:23844; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio DXF file text overflow attempt"; flow:to_client,established; flowbits:isset,file.dxf; file_data; content:"ENTITIES"; content:"MTEXT"; distance:0; content:"|5C|L"; distance:0; isdataat:250,relative; content:!"|3B|"; within:250; content:!"|5C 5C|"; within:250; distance:-250; content:!"|5C|0"; within:250; distance:-250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1888; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-059; classtype:attempted-user; sid:23842; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Drawing object code execution attempt"; flow:to_client,established; file_data; flowbits:isset,recordtype; content:"|EC 00|"; byte_extract:2,0,record,relative,little; content:"|0F 00 02 F0|"; within:4; content:"|0B F0|"; within:record; byte_extract:2,0,record2,relative,little; content:"|80 00|"; within:record2; content:!"|00 00 00 00|"; within:4; content:"|5D 00|"; content:"|15 00|"; within:2; distance:2; content:"|05 00|"; within:2; distance:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23826; reference:cve,2007-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-023; classtype:attempted-user; sid:23370; rev:8;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"D0CF11E0"; content:"436F626A"; distance:0; nocase; byte_test:8,=,0x64000000,0,relative,string,hex; byte_test:8,>,0x08000000,8,relative,string,hex; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:23305; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|E5 00|"; byte_test:2,>,0,0,little,relative; byte_test:2,<,1027,2,little,relative; byte_extract:2,4,rwFirst,relative,multiplier 1,little; byte_test:2,=,rwFirst,0,little,relative; byte_test:2,>,0x3fff,4,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0185; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:23227; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel zero-width worksheet code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"Sheet"; fast_pattern; byte_test:4,=,0,3,little,relative; content:"Worksheets"; within:100; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15926; classtype:attempted-user; sid:23151; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio TAG_xxxSect code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|00 00 00 00 00 00 00 00 6D 00 FF FF 00 00 05 00 20 00 00 00 04 00 FF FF FF FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-015; classtype:attempted-user; sid:23059; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B5 00 14 00 00 80 00 00 01 00 00 10 00 00 00 00 00 00 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0184; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:23009; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Malformed SELECTION Record Code Execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 1D 00 0F 00 03|"; byte_test:2,>=,0,4,relative,little; byte_test:2,>,1369,6,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18853; reference:cve,2006-1301; classtype:attempted-user; sid:22954; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SERIES record SerAuxErrBar sdtX memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|03 10 0C 00|"; byte_test:2,<=,32767,4,relative,little; byte_test:2,<=,32767,6,relative,little; content:"|01 00|"; within:2; distance:8; byte_test:2,<=,32767,0,relative,little; byte_test:2,!=,1,-10,relative,little; content:"|4A 10 02 00 01 00 5B 10 0E 00|"; within:50; distance:222; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1847; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-030; classtype:attempted-user; sid:22094; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SERIES record SerAuxTrend sdtX memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|03 10 0C 00|"; byte_test:2,<=,32767,4,relative,little; byte_test:2,<=,32767,6,relative,little; content:"|01 00|"; within:2; distance:8; byte_test:2,<=,32767,0,relative,little; byte_test:2,!=,1,-10,relative,little; content:"|4A 10 02 00 01 00 4B 10 1C 00|"; within:50; distance:222; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1847; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-030; classtype:attempted-user; sid:22093; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SERIES record sdtY memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|03 10 0C 00|"; byte_test:2,<=,3,0,relative,little; content:"|03 00|"; within:2; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1847; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-030; classtype:attempted-user; sid:22092; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B5 00 1E 00 00 80 00 00 01 00 00 00 00 00 00 00 00 00 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0184; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:22091; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt"; flow:to_client,established; flowbits:isset,file.xls&file.ole; file_data; content:"|FF FE|"; offset:28; content:"|3D 00 12 00|"; distance:0; content:"|3E 02 0A 00|"; within:10; distance:12; fast_pattern; byte_test:1,!&,2,1,relative,little; byte_test:1,!&,240,1,relative,little; content:"|00 00|"; within:2; distance:8; pcre:!"/(?=\x3e\x02\x0a\x00.[\x05-\xff].{6}\x00\x00)/si"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53374; reference:cve,2011-1275; reference:cve,2012-0143; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-030; classtype:attempted-user; sid:22078; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|27 10|"; content:"|04 00|"; within:2; distance:2; byte_test:2,<,0xff,0,relative,little; byte_test:2,>,0x7cff,2,relative,little; byte_test:2,<,0xffff,2,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53373; reference:cve,2012-0142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:22077; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|3E 02 0A 00|"; byte_test:1,!&,240,1,relative,little; byte_test:2,>=,0xff00,1,relative,little; content:"|00 00|"; within:2; distance:8; metadata:policy max-detect-ips drop, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0141; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-030; classtype:attempted-user; sid:22076; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio IndexDirectorySize greater than ChildrenSize memory access attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|80 00 00 80 80 00 C0 C0 C0 00 E6 E6 E6 00 CD CD CD 00 B3 B3 B3 00 9A 9A 9A 00 80 80 80 00 66 66 66 00 4D 4D 4D 00 33 33 33 00 1A 1A 1A 00 18 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0018; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-031; classtype:attempted-user; sid:22075; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word ScriptBridge OCX controller attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"ScriptBridge"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22066; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel style record overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|E0 00 14 00|"; byte_test:1,&,0x04,4,relative,little; byte_test:1,!&,0x08,4,relative,little; byte_test:1,&,0x10,4,relative,little; byte_test:1,&,0x20,4,relative,little; byte_test:1,&,0x40,4,relative,little; byte_test:1,&,0x80,4,relative,little; byte_test:1,=,255,5,relative,little; content:"|93 02 04 00|"; distance:0; byte_test:1,>=,160,0,relative,little; byte_test:1,>=,8,1,relative,little; byte_test:1,!&,0x10,1,relative,little; byte_test:1,!&,0x20,1,relative,little; byte_test:1,!&,0x40,1,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:attempted-user; sid:22052; rev:8;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"A3E81207"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_test:8,>,0x08000000,8,relative,string,hex; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21937; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"CHNKWKS "; content:"|F8 01|"; within:2; distance:16; content:"|18 00|"; within:2; distance:6; byte_test:1,>,0x18,22,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0177; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-028; classtype:attempted-user; sid:21935; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel style handling overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|FF 93 02|"; byte_test:2,>,40,0,relative,little; byte_test:2,>,733,4,relative,little; byte_test:1,!&,0x80,3,relative,little; content:"|00|"; within:1; distance:6; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18872; reference:cve,2006-3431; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-059; classtype:attempted-user; sid:21927; rev:11;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"8E7EE1E6"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_test:8,>,0x08000000,8,relative,string,hex; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21906; rev:12;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"B13CC16A"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_test:8,>,0x08000000,8,relative,string,hex; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21905; rev:12;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"0036D8F4"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_test:8,>,0x08000000,8,relative,string,hex; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21904; rev:12;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"8B8DDA58"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_test:8,>,0x08000000,8,relative,string,hex; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21903; rev:12;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"4E087DEB"; distance:0; nocase; content:"F626A"; distance:0; nocase; byte_test:8,>,0x08000000,8,relative,string,hex; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21902; rev:13;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|A3 E8 13 07|"; distance:0; content:"|43 6F 62 6A|"; distance:0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21901; rev:7;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|8E 7E E1 E6|"; distance:0; content:"|43 6F 62 6A|"; distance:0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21900; rev:7;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|B1 3C C1 6A|"; distance:0; content:"|43 6F 62 6A|"; distance:0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21899; rev:7;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|00 36 D8 F4|"; distance:0; content:"|43 6F 62 6A|"; distance:0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21898; rev:7;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|8B 8D DA 58|"; distance:0; content:"|43 6F 62 6A|"; distance:0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21897; rev:7;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|4E 08 7D EB|"; distance:0; content:"|43 6F 62 6A|"; distance:0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21896; rev:7;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"5FDC81917DE08A41A6AC"; fast_pattern:only; pcre:"/5FDC81917DE08A41A6AC(E9B8ECA1EE.8|.98ECB1EEA8E)/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21801; rev:9;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"B69041C78985D1116AD1283628F0C000"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21800; rev:9;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"E0F86B9944805046EBAD9CE91439010B"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21799; rev:9;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"4BF0D1BD8B85D1116ab1283628f0c000"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21798; rev:9;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"4BF0D1BD8B85D111B16A00C0F0283628"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21797; rev:9;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher Opltc memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; isdataat:13279,relative; content:"|00 0A 20 E0 8E 00 00 0B 20 E0 8E 00 00 0C 20 E0|"; within:16; distance:13280; fast_pattern; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3410; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-091; classtype:attempted-user; sid:21423; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Lel record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 88 A3 40 01 02 06 00 18 01 02 00 61 62 C0 00 C0 19 10 0D 00 06 00 24 00 05 00 02 00 0F 00 02|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3403; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-096; classtype:attempted-user; sid:21422; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel MergeCells record parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|E5 00 0A 00 01 00 00 00 04 00 00 02 05 00 EF 00 06 00 00 00 37 00 00 00 0A 00 00 00 09 08 10 00 00 06|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43652; reference:cve,2010-3237; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:21415; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio TAG_xxxSheet code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|00 00 03 00 32 00 00 00 01 54 00 00 E8 00 00 00 00 00 00 00 46 E0 EF F7 FB FD 7E 0F 40 46 E0|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0136; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-015; classtype:attempted-user; sid:21307; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio TAG_OLEChunk code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|68 00 00 00 02 54 00 00 DC 00 00 00 00 00 00 00 40 E3 EF F7 FB FD 7E DF 3F 40 C0 5C 2E 97 CB E5 D2 3F 40 E0 EF F7 FB FD 7E EF 3F 40 BA 5C 2E 97 CB|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-015; classtype:attempted-user; sid:21302; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio TAG_xxxSect code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|73 00 FF FF 00 D6 03 00 20 00 00 00 03 00 FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-015; classtype:attempted-user; sid:21301; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 0B 00 0B 00 00 00 00 00 00 00 AA 00 00 00 03 A0 41 41 41 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,50949; reference:cve,2011-3411; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-091; classtype:attempted-user; sid:21243; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office OLESS stream object name corruption attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|49 00 4F 00 00 00 44 00 72 00 61 00 77 00 69 00 6E 00 67 00 30 00 00 00 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,50977; reference:cve,2011-3400; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-093; reference:url,www.securityfocus.com/bid/50977; classtype:attempted-user; sid:21170; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word border use-after-free attempt"; flow:to_client,established; flowbits:isset,file.docx; file_data; content:"|10 39 6D 4A 7B EE D9 8C 8E 3C C9 46 BB 45 B7 CB 96 6B 8C DB D3 32 23 0A 47 D8 81 CC 7B 46 E2 C4|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-099; classtype:attempted-user; sid:21002; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word border use-after-free attempt"; flow:to_client,established; flowbits:isset,file.docx; file_data; content:"|D4 D5 56 69 9F 98 F1 99 39 67 6E 62 7B F7 AB A9 A3 13 D7 46 80 CC C9 62 9E 90 88 CB 02 98 90 C7|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-089; classtype:attempted-user; sid:20724; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 04 F0|"; byte_extract:4,0,reclen,relative,little; content:"|00 00 1F F0 08 00 00 00|"; within:reclen; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,50964; reference:cve,2011-3413; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-094; classtype:attempted-user; sid:20722; rev:21;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|03 80 79 6A D5 FF 04 20 F5 01 2A 00 3A 01 11 F0 0A 00 00 00 0A 00 00 00 01 68 42 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,50949; reference:cve,2011-3411; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-091; classtype:attempted-user; sid:20720; rev:16;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office PowerPoint pp4x322.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|pp4x322.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3396; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-094; classtype:attempted-user; sid:20703; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office PowerPoint pp7x32.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|pp7x32.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3396; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-094; classtype:attempted-user; sid:20702; rev:13;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office PowerPoint pp4x322.dll dll-load exploit attempt"; flow:to_server,established; content:"p|00|p|00|4|00|x|00|3|00|2|00|2|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2011-3396; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-094; classtype:attempted-user; sid:20701; rev:13;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office PowerPoint pp7x32.dll dll-load exploit attempt"; flow:to_server,established; content:"p|00|p|00|7|00|x|00|3|00|2|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2011-3396; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-094; classtype:attempted-user; sid:20700; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word document summary information string overflow attempt"; flow:to_client,established; file_data; content:"|00 00 00 00 1D 00 0F 00 03 00 00 00 00 00 FF FF FF FF FF FF FF 00 00 0D 00 02 00 01 00 0C 00 02 00 64 00 0F 00 02 00 01 00 11 00 02 00 00 00 10|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-1540; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-038; classtype:attempted-user; sid:20141; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word document summary information string overflow attempt"; flow:to_client,established; file_data; content:"|E0 85 9F F2 F9|Oh|10 AB 91 08 00|+'|B3 D9|"; content:"|1E 00 00 00|"; distance:0; content:"|63 65 6C 00 40 00 00 00 80 4E 50 3F D6 30 C6 01 40 00 00 00 00 F3 0F 47 D6 30 C6 01 03 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-1540; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-038; classtype:attempted-user; sid:20140; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word document summary information string overflow attempt"; flow:to_client,established; file_data; content:"|02 D5 CD D5 9C|.|1B 10 93 97 08 00|+,|F9 AE|"; content:"|1E 00 00 00|"; distance:0; content:"|74 33 00 00 00 00 00 43 65 6C 6C 31 00 0C 10 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-1540; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-038; classtype:attempted-user; sid:20139; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 10 08 00 FF FF|"; byte_test:2,>,255,2,little,relative; byte_extract:2,0,yi,little,relative; byte_test:2,>,yi,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49517; reference:cve,2011-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-072; classtype:attempted-user; sid:20128; rev:20;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Conditional Formatting record vulnerability"; flow:to_client,established; file_data; flowbits:isset,file.xls; file_data; content:"|3B 20 02 80 00 04 C0 02 02 00 00 00 C0 65 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1989; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-072; classtype:attempted-user; sid:20127; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel invalid Lbl record attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 00|"; depth:2; content:"scen_num|1E|"; distance:0; byte_test:1,<,0x7FFF,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49478; reference:cve,2011-1988; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-072; classtype:attempted-user; sid:20124; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel File Importing Code Execution"; flow:to_client,established; flowbits:isset,file.slk; file_data; content:"ID|3B|"; depth:3; pcre:"/ID\x3b[^A-Z]/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28095; reference:cve,2008-0112; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:attempted-user; sid:20062; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel FNGROUPNAME record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|9A 00 09 00 FF FF 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38553; reference:cve,2010-0262; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-017; classtype:attempted-user; sid:20029; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls&file.ole; file_data; content:"|09 08|"; content:"|0A 00|"; distance:6; content:"|EB 00|"; byte_test:2,>,0,0,relative,little; byte_jump:2,0,relative,little; isdataat:2,relative; content:!"|EC 00|"; within:2; distance:2; content:"|5D 00 1A 00 15 00 12 00|"; within:8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35243; reference:cve,2009-0559; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-user; sid:19943; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher 2007 pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|01 2C 01 2B 01 2A 01 2F 01 2E 01 2D 01 52 00 12 12 00 00 00|"; content:"|02 00 13 00|"; within:4; distance:11; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35599; reference:cve,2009-0566; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-030; classtype:attempted-user; sid:19932; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint TextCharsAtom record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 A0 0F|"; byte_test:1,>,127,3,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38108; reference:cve,2010-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:19894; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Converter sprmTSplit overflow attempt"; flow:to_client,established; file_data; content:"|00 00 29 76 00 FF E0 01 13 D6 30 00 00 00 FF 04 01 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-033; classtype:attempted-user; sid:19707; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio invalid UMLString data length exploit attempt"; flow:to_client,established; file_data; content:"|50 0F DF 21 DF 79 08 C8 AE CC ED D2 D0 E0 AF 00 8F BF 04 BF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1979; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-060; classtype:attempted-user; sid:19675; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel format record code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; content:"|09 08 10 00 00 06|"; distance:0; content:"|1E 04|"; distance:0; fast_pattern; byte_test:2,>,392,2,relative,little; byte_test:2,>,4,0,relative,little; byte_test:2,<,256,4,relative,little; content:"Sheet1"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-043; classtype:attempted-user; sid:19552; rev:15;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word sprmCMajority record buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|FF FF EC A5|"; byte_test:2,<,0xA4,0,relative,little; content:"|47 CA|"; content:"|3E C6|"; within:2; distance:1; byte_test:1,>,0x54,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42136; reference:cve,2010-1900; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-056; classtype:attempted-user; sid:19459; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word sprmCMajority record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|FF FF EC A5|"; byte_test:2,<,0xA4,0,relative,little; content:"|47 CA|"; content:"|3E C6|"; within:2; distance:1; byte_test:1,>,0x54,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42136; reference:cve,2010-1900; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-056; classtype:attempted-user; sid:19458; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|00 00 05 00 00 00 07 08 00 00 0F 00 EF 03 00 00 00 00 0F 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38073; reference:cve,2010-0243; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-003; classtype:attempted-user; sid:19442; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher 2007 and earlier stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|1D 00 01 04 01 00 00 04 FA 00 01 00 00 00 00 00 00 00 00 00 00 00 6C 02 00 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,39347; reference:cve,2010-0479; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-023; classtype:attempted-user; sid:19414; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher 2007 and earlier stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|1D 00 00 04 01 00 01 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 AE 02 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,39347; reference:cve,2010-0479; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-023; classtype:attempted-user; sid:19413; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record parsing memory corruption"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|01 00 00 00 FF FF FF FF 00 11 6D 79 63 6F 6D 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40525; reference:cve,2010-1247; classtype:attempted-user; sid:19412; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt"; flow:to_client,established; file_data; content:"file://c:|5C|windows|5C|system32|5C|calc.exe?oooo.dat"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,41446; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-045; classtype:attempted-user; sid:19405; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word sprmTDiagLine80 record parsing stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|6C 00 65 00 20 00 47 00 72 00 69 00 64 00 00 00 37 00 3A 56 0F 00 2A D6 30 00 00 00 FF 04 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43760; reference:cve,2010-3214; classtype:attempted-admin; sid:19317; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher pubconv.dll corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|39 00 39 00 39 00 39 01 1D 00 04 04 01 00 01 00 E2 00 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45277; reference:cve,2010-2569; classtype:attempted-user; sid:19306; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|C3 0B 08|"; fast_pattern; byte_test:1,<,0x1,7,relative,little; content:"|C3 0B|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38104; reference:cve,2010-0032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:19303; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt"; flow:to_client,established; content:"powerpoint"; fast_pattern:only; pcre:"/Content\x2DDisposition\x3A\s*attachment[^\x0D\x0A]+name\x3D[^\x0D\x0A\x5C\x2F\x3A\x2A\x3F\x3C\x3E\x7C\x3D\s]{200}/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:19296; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 00 46 00 00 00 13 3A 9F FF 9F 8C 0F 00 00 F0 38 00 00 00 00 00 06 F0 18 00 00 00 02 08 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42130; reference:cve,2010-1903; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:19295; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|02 10 10 00|"; content:"|33 10 00 00 55 08 0C 00|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40521; reference:cve,2010-0823; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:19294; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed MsoDrawingObject record attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|07 00 00 00 01 00 00 00 33 00 0B F0 12 00 00 00 46 C5 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3335; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:19260; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|0B 08|"; content:"|0B 08|"; within:2; distance:2; byte_extract:2,14,num_charw,relative,multiplier 2,little; byte_test:2,<,num_charw,-20,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40522; reference:cve,2010-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:19259; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B0 00 3D 00 02 00 06 00 00 00 03 00 03 00 04 00 01 00 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40523; reference:cve,2010-1245; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:19258; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Scenario heap memory overflow"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|AF 00 48 00 01 00 01 00 0D|"; byte_jump:1,0,relative,little,post_offset 1; content:"|CE 00 00|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1275; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:19227; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SerAuxTrend biff record corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|4B 10|"; fast_pattern; content:"|00|"; within:1; distance:2; byte_test:1,>,0x06,0,relative; content:"|FF FF FF FF|"; within:4; distance:1; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,48159; reference:cve,2011-1274; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:19225; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 85 00 0D 00 10 06 00 00 00 02 06 53 68 65|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1273; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:19222; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel pivot item index boundary corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"PivotTable"; content:"|B0 00|"; within:200; distance:-200; content:"|00 00|"; within:2; distance:18; byte_extract:2,4,cdim,relative,little; content:"|B2 00|"; within:76; byte_test:2,>,cdim,6,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42199; reference:cve,2010-2562; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-057; classtype:attempted-user; sid:19180; rev:20;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_client,established; flowbits:isset,file.cgm; file_data; content:"|20 42 00 01 00 80 41 3F 8F F8 00 00 00 95 00 C7 00 00 00 C7 00 95 00 AA 00 96 00 08 00 00 00 0C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3945; reference:cve,2012-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-057; classtype:attempted-user; sid:19156; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel PtgExtraArray parsing attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|69 6F 6E 60 01 00 00 B4 01 C7 03 42 03 FF 00 01 00 00 41 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43654; reference:cve,2010-3239; classtype:attempted-user; sid:19154; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word malformed index code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|02 00 60 00 0C 14 FF 00 04 61 D5 00 B0 00 08 00 53 00 75 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43766; reference:cve,2010-2750; classtype:attempted-user; sid:19153; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Access Wizard control memory corruption ActiveX clsid access"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|27 03 23 53 2B 17 D0 11 AD 40 00 A0 C9 0D C8 D9|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,41442; reference:cve,2010-1881; classtype:attempted-user; sid:19141; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel PtgExtraArray data parsing vulnerability exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|39 00 02 00 01 00 0F 00 02 00 1D 00 00 00 FF FF 01 00 C0 09 1B FC 1E 00 23 01 00 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 23 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43647; reference:cve,2010-3231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:19134; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel EntExU2 write access violation attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|0E 00 24 41 41 41 41 24 04 00 02 C0 42 02 04 00 D7 00 0C 00 A2 00 00 00 3C 00 0E 00 0E 00 0E 00 C2 01 0C 00 00 00 06 00 00 00 03 00 02 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38547; reference:cve,2010-0257; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:19133; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|EB 06 90 90 AD 57 00 30 81 C4 24 16 00 00 C3 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40524; reference:cve,2010-1246; classtype:attempted-user; sid:19132; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5A 03 00 00 00 15|excelrtd.rtdfunctions"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40524; reference:cve,2010-1246; classtype:attempted-user; sid:19131; rev:14;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt"; flow:to_server,established; flowbits:isset,file.xls; content:"ZXUw"; fast_pattern:only; pcre:"/[A-Za-z0-9\\x2b\x2f][EUk0]ZXUw[ghijklmnopqr][A-Za-z0-9\\x2b\x2f]/"; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:19066; rev:11;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt"; flow:to_server,established; flowbits:isset,file.xls; content:"GV1M"; fast_pattern:only; pcre:"/[A-Za-z0-9\\x2b\x2f][A-Za-z0-9\\x2b\x2f][BFJNRVZdhlptx159]GV1M[IJK]/"; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:19065; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint converter bad indirection remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 20 02 00 00 18 00 00 00 B1 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 00 10 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-088; classtype:attempted-user; sid:18948; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 02 00 00 00 00 00 00 00 00 00 00 5F 78 6C 66 6E 2E 52 54 44 1C 1D 13 08 48 00 13 08 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43655; reference:cve,2010-3240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:18806; rev:20;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio Data Type Memory Corruption"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|80 12 00 0F 00 41 41 38 A4 EF 66 04 00 02 EC F0|"; content:"|56 41 52 43 48 41 A1 52 DC FF|"; within:10; distance:16; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46138; reference:cve,2011-0093; classtype:attempted-user; sid:18755; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|51 10 0F 00 00 02 00 00 00 00 07 00 3A 00 00 00 00 00 00|"; content:"|51 10 13 00 01 02 00 00 00 00 0B 00 3B 00 00 00 00 00 00 01 00 03 00|"; within:23; distance:16; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:18740; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"pFragments"; nocase; content:"{|5C|sv"; within:15; nocase; pcre:"/[^\x3b\x7d]*\x3b[^\x3b\x7d]*\x3b.{8}/smiR"; byte_test:4,>,4,0,relative,string,hex; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18680; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Converter sprmTTextFflow overflow attempt"; flow:to_client,established; file_data; content:"|29 76 00 FF E0 01 13 D6 30 00 00 00 FF 04 01 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,47236; reference:cve,2011-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-033; classtype:attempted-user; sid:18643; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel drawing layer use after free attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|0F 00 04 F0|"; fast_pattern; content:!"|0F 00 03 F0|"; within:4; distance:-12; byte_extract:4,0,container_size,relative,little; content:!"|0A F0 08 00 00 00|"; within:6; distance:2; content:"|0B F0|"; within:2; distance:18; content:"|00 00 11 F0 00 00 00 00|"; within:container_size; distance:-20; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46227; reference:cve,2011-0977; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-023; classtype:attempted-user; sid:18638; rev:20;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 08 00 00 05 05 00|"; content:"|04 02|"; distance:0; byte_test:1,&,0x80,9,relative; byte_test:2,>,8,0,relative,little; byte_test:2,<,8225,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2004-0846; reference:cve,2011-0098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:18632; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Works 4.x converter font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"|00 00 00 00 A2 04 00 00 00 00 4E 03 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 10 FF 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-1533; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-024; classtype:attempted-user; sid:18615; rev:14;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word with embedded Flash file attachment"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"CONTROL ShockwaveFlash.ShockwaveFlash"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:18549; rev:17;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"ShockwaveFlashObjects"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-3279; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-088; classtype:attempted-user; sid:18548; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint with embedded Flash file transfer"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|53 00 68 00 6F 00 63 00 6B 00 77 00 61 00 76 00 65 00 20 00 46 00 6C 00 61 00 73 00 68 00 20 00 4F 00 62 00 6A 00 65 00 63 00 74 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:18547; rev:17;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word with embedded Flash file transfer"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"CONTROL ShockwaveFlash.ShockwaveFlash"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:18546; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel with embedded Flash file transfer"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"ShockwaveFlashObjects"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3279; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-088; classtype:attempted-user; sid:18545; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt"; flow:to_client,established; file_data; content:"|6C 2F 63 6F 6D 6D 65 6E 74 73 31 2E 78 6D 6C AC AA AA AA AA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:18541; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|1D 00 00 00 FF FF 21 00 34 02 C7 FC 1E 00 23 30 00 00 00 17|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43650; reference:cve,2010-3235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:18538; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE OpenOffice.org Microsoft Office Word file processing integer underflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|08 D6 05 80 05 94 FF E0 10 2C 22 00 06 4C 11 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38218; reference:cve,2009-3301; classtype:attempted-user; sid:18536; rev:15;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word file sprmTSetBrc processing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.doc|file.xls; file_data; content:"|08 D6|"; byte_extract:1,2,NumOfColumns,relative; byte_jump:2,-3,relative,little; content:"|20 D6|"; within:2; distance:-1; byte_test:1,>,NumOfColumns,2,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,38218; reference:cve,2009-3302; reference:cve,2010-2563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-067; classtype:attempted-user; sid:18535; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio VSD file icon memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.visio; content:"|A8 00 04 00 01 00 70 00 00 00 20 FF 20 00 00 00 DD 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0095; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-005; classtype:attempted-user; sid:18515; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt"; flow:to_client,established; file_data; content:"|0A F0 08 00 00 00 01 20 01 00 56 61 9A 92 B3 65 82 F0 30 00 00 00 81 01 00 00 B4 B0|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28146; reference:cve,2008-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-016; classtype:attempted-user; sid:18514; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio ORMinfo classes length overflow attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|F2 04 58 41 03 00 47 00 00 00 42 00 00 00 00 00 7B DA 02 EB F0 01 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-008; classtype:attempted-user; sid:18417; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio ORMinfo classes length overflow attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|FF FF FF FF 00 00 98 0C 3C BF 61 D1 D2 C9 00 00 01 00 02|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-008; classtype:attempted-user; sid:18416; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|02 00 0B 00 51 10 08 00 00 01 01 00 FF 00 00 00 27 10 06 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0549; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-user; sid:18399; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt"; flow:to_client,established; file_data; content:"|C0 9C 83 4A FF F8 CE 11 A0 6B 00 AA 00 A7 11 91 30 00 00 00|"; content:"T|00|h|00|u|00|m|00|b|00|n|00|a|00|i|00|l|00 00 00 41 00 00 00|"; distance:0; content:"|28 00 00 00|"; within:4; distance:4; pcre:"/^(?=.{10}[\x01\x04\x08\x16\x24\x32]\x00)(.{3}[\x55-\xFF]|.{31}[\x80-\xFF])/sR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3970; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-006; classtype:attempted-user; sid:18398; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio DXF variable name overflow attempt"; flow:to_client,established; flowbits:isset,file.dxf; file_data; content:"HEADER"; content:"9"; distance:0; content:"|0A 24|"; distance:0; isdataat:92,relative; content:!"|0A|"; within:92; pcre:"/HEADER[\x20\r]*\n[\x20]*9[\x20\r]*\n\x24[^\n]{92}/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,39836; reference:cve,2010-1681; classtype:attempted-user; sid:18331; rev:11;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF parsing remote code execution attempt"; flow:to_server,established; file_data; content:"|5C|sp"; content:"|5C|sn"; within:100; nocase; content:"pFragments"; within:100; nocase; content:"|5C|sv"; within:100; nocase; pcre:"/\x5Csv\s+[^\x7D]*?\x3B[^\x7D]*?\x3B[^\x7B]{12}/smi"; byte_test:4,>,4,8,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18310; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|E0 85 9F F2 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9 30 00 00 00|"; content:"|11 00 00 00|"; distance:0; content:"|47 00 00 00|"; distance:0; content:"|08 00 00 00 28 00 00 00|"; within:8; distance:8; pcre:"/^(?=.{10}[\x01\x04\x08\x16\x24\x32]\x00)(.{3}[\x55-\xFF]|.{31}[\x80-\xFF])/sR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3970; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-006; classtype:attempted-user; sid:18265; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PICT graphics converter memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|00 A1|"; content:"|49 43|"; within:2; distance:10; byte_test:2,>,4094,0,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3946; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:18235; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher Adobe Font Driver code execution attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|E0 98 FF FF FF E1 FF 5F FF E2 DF E0 DE 71 DE 9E DE 71 DC 83|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3956; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-091; classtype:attempted-user; sid:18233; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher tyo.oty field heap overflow attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 19 1D 00 04 04 01 00 01 00 F2 68 01 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2569; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18212; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_client,established; file_data; content:"|41 3F 80 14 00 00 00 1F 00 1F 00 00 00 1F 00 1F 00 20 00 20 00 00 00 00 05 B8 80 80 FF FF FF 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3945; reference:cve,2012-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-057; classtype:attempted-user; sid:18200; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Art drawing invalid shape identifier attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|0A F0 08 00 00 00|"; byte_test:1,=,0x2,-8,relative; byte_test:4,>,0x03FFD7FF,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3336; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18069; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed MsoDrawingObject record attempt"; flow:established, to_client; flowbits:isset,file.xls; file_data; content:"|18 6A CB 01 70 7E 13 F2 DE 6E CB 01 06 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3335; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18068; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|5C|sp"; content:"|5C|sn"; within:100; nocase; content:"pFragments"; within:100; nocase; content:"|5C|sv"; within:100; nocase; pcre:"/\x5Csv\s+[^\x7D]*?\x3B[^\x7D]*?\x3B[^\x7B]{12}/smi"; byte_test:4,>,4,8,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18067; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|42 F1 00 00 00 00 03|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2573; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-088; classtype:attempted-user; sid:18066; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint converter bad indirection remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 0D 00 00 00 B0 0F 00 00 FF FF 00 00 8C 01 00 00 18 00 00 00 B1 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B3|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-088; classtype:attempted-user; sid:18065; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft HtmlDlgHelper ActiveX clsid access"; flow:to_client,established; file_data; content:"3050f4e1-98b5-11cf-bb82-00aa00bdce0b"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3329; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17770; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00 91 00 07 00 01 00 41 00 00 00 E0 29 BD 04 FF FF 00 00 05 00 01 FF 1E 00 23 02 30 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 02|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43650; reference:cve,2010-3235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17764; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08 48 00 13 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 00 00 00 00 11 6D 79 63 6F 6D 61 64 64 69 6E 2E 70 72 6F 67 69 64 00 0B 4C 4F 52 45 4D 5F 49 50 53 55 4D 05 50 72 69 63 65 10 00 00 00 2A 00 00 00 00 00 00 00 EA 4E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43655; reference:cve,2010-3240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17760; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel invalid SerAr object exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|BD 04 FF FF 00 00 05 00 01 FF 1E 00 23 02 00 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 02 00 00 00 00 00 04 42 03 FF 00 02 00 00 B6 1E 00 00 5B 44 65 70 74 5D 2E 5B 57 73 7A 79 73 74 6B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3239; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17759; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel PtgExtraArray data parsing vulnerability exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00 75 00 14 00 01 00 40 00 00 00 90 22 BD 04 FF FF 00 00 12 00 01 FF 1E 00 23 02 00 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 01 00 00 00 00 00 04 42 03 FF 00 01 00 24|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43647; reference:cve,2010-3231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17758; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel CrErr record integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 08 00 00 05|"; content:"|65 08|"; distance:0; byte_test:1,&,0x80,19,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3230; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17757; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word XP PLFLSInTableStream heap overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|5C FE 00 01 02 5C FE 00 01 02 5C FE 00 01 02 5C FE 00 01 02 51 4A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-079; classtype:attempted-user; sid:17756; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word RTF parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpline |5C|dpline |5C|dpline |5C|dpline"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,29104; reference:cve,2008-1091; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-026; classtype:attempted-user; sid:17743; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|07 07 07 52 07 45 07 50 07 52 07 4F 07 07 07|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:17742; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel REPT integer underflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"|3D|rept|28|"; nocase; pcre:"/\x3ccell\s+[^\x3e]*\x3aFormula\s*\x3d\s*\x22\s*\x3drept\x28/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,31706; reference:cve,2008-4019; classtype:attempted-user; sid:17734; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 0D 0A 11|h|01 13 98 FE 0C|4|00 FF 8F 08 00 00 01 00 00 00 01 00 68 01 78|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0565; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:17690; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed formula parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|07 C9 C0 00 00 06 03 00 00 18 00 FF 02 00 00 02 7C 7C 7C 7C|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28167; reference:cve,2008-0115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:attempted-user; sid:17655; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word array data handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|01 00 00 02 01 00 00 9E 01 00 00 02 01 00 00 96 01 00 00 FF|"; fast_pattern:only; content:"|EC A5|"; depth:2; offset:512; content:"|2E 05 00 00|"; within:4; distance:896; content:"|2C 00 00 00|"; within:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23804; reference:cve,2007-0035; classtype:attempted-user; sid:17649; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc|file.ole; file_data; content:"|16 24|"; content:"|17 24|"; within:64; content:"|08 D6|"; within:64; byte_test:2,>,0xfffc,0,relative,little; byte_test:2,<,0xffff,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32584; reference:cve,2008-4837; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:attempted-user; sid:17591; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Drawing Record msofbtOPT Code Execution attempt"; flow:to_client,established; file_data; flowbits:isset,file.ole; content:"|0B F0|"; byte_extract:2,0,record,relative,little; content:"|00 00|"; within:2; content:"|A0 03|"; within:record; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22383; reference:cve,2007-0671; classtype:attempted-user; sid:17579; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Section Table Array Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|24 00 61 24 03 00 00 00 00 00 00 00 D1 50 00 00 04 00 00 AC 00 00 00 00 FF FF FF FF 00 00 00 00 CE|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22225; reference:cve,2007-0515; classtype:attempted-user; sid:17578; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Sophos Anti-Virus Visio File Parsing Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"Visio|20 28|TM|29 20|Drawing"; nocase; content:"|77 77 00 80|"; within:4; distance:30; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14362; reference:cve,2005-2768; classtype:attempted-user; sid:17574; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint PP7 File Handling Memory Corruption attempt"; flow:to_client,established; file_data; content:"|08 00 00 00 00 00 00 00 AA FF FF 3F 00 00 00 00 FD 03 00 00 01 00 00 00 34 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34880; reference:cve,2009-0225; classtype:attempted-user; sid:17565; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word global array index heap overflow attempt"; flow:to_client,established; flowbits:isset,file.doc|file.ole; file_data; content:"|31 90|"; content:"|1F B0|"; within:64; content:"|33 50|"; within:64; fast_pattern; byte_test:4,>,5,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32583; reference:cve,2008-4026; classtype:attempted-user; sid:17560; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Font Parsing Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|04 05 02 03 04 87 7A 00 20 00 00 00 80 08 00 00 00 00 00 00 00 FF 01 00 00 00 00 00 00 44 44|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14216; reference:cve,2005-0564; classtype:attempted-user; sid:17550; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Column record handling memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 00 1C 00 0F 00 02 00 FF FF 00 00 01 00 03 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,21925; reference:cve,2007-0030; classtype:attempted-user; sid:17543; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel MalformedPalete Record Memory Corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 80 00 FF 93 02 04 00 14 80 05 FF 92 00 E2 00 80 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,21922; reference:cve,2007-0031; classtype:attempted-user; sid:17542; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel unspecified memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|53 68 65 65 74 31 00 00 00 00 00 00 53 68 65 65 74 32 00 00|"; depth:20; offset:688; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15926; classtype:attempted-user; sid:17538; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Micrsoft Office Excel TXO and OBJ Records Parsing Stack Memory Corruption"; flow:to_client,established; flowbits:isset,file.xls; content:"]|00|"; content:"|15|"; distance:0; byte_test:2,>,30,2,relative,little; content:"|04 01 BF 00 08 00 08 00 81 01 09 00 00 08 83 01|"; content:"|4D 00 00 08 BF 01 10 00 10 00 C0 01 17 00 00 08|"; within:16; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32618; reference:cve,2008-4265; classtype:attempted-user; sid:17532; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Malformed Record Code Execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|01 00 02 00|"; content:"|9C 00 02 00|"; within:4; distance:2; byte_test:2,>,0x20,0,relative,little; content:"|19 00 02 00|"; within:4; distance:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17101; reference:cve,2006-0031; classtype:attempted-user; sid:17517; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed Graphic Code Execution"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 0D 10 38 00 00 00 18 01 61 00 61 00 61 00|"; fast_pattern:only; pcre:"/(\x51\x10..\x01(\x02|\x00)|\x01(\x02|\x00)..\x51\x10)/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16181; reference:cve,2006-0030; classtype:attempted-user; sid:17511; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"|EC A5|"; within:2; distance:504; byte_test:4,>,0xFFFF,126,relative,little; content:"|00 00 00 00|"; within:4; distance:12; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,21589; reference:cve,2006-6561; classtype:attempted-user; sid:17506; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed NamedShows record code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 10 04 1E 02 00 00 EB 0A 11 06 2E 02 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,20226; reference:cve,2006-4694; classtype:attempted-user; sid:17497; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed NamedShows record code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 10 04 36 00 00 00 0F 00 11 05 2E 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,20226; reference:cve,2006-4694; classtype:attempted-user; sid:17496; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Malformed SELECTION Record Code Execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|1D 00 0F 00 03 00 00 00 00 00 00 FF FF FF FF FF FF 00 00 EF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18853; reference:cve,2006-1301; classtype:attempted-user; sid:17492; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word mso.dll LsCreateLine memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|41 41 41 41 41 41 41 41 09 09 09 09 09 09 0D 41 41 41 41 41 41 41 41 41 41 41 41 41 41 09 0D 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18905; reference:cve,2006-3493; classtype:attempted-user; sid:17491; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Malformed Range Code Execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|18 02 1F|"; content:"|00 00 00 00|"; within:4; distance:8; byte_test:2,>,32767,-6,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15780; reference:cve,2005-4131; classtype:attempted-user; sid:17488; rev:19;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft OLE automation string manipulation overflow attempt"; flow:to_client,established; file_data; content:"|2E|substringData"; pcre:"/\x2esubstringData\s*\x28[^\x2c]*\x2c\s*0x7(f|F){6}[6-9AaBbCcDdEeFf]/"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25282; reference:cve,2007-2224; classtype:attempted-user; sid:17421; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Converter XST structure buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|11 84 98 FE 5E 84 68 01 60 84 98 FE 4F 4A 06 00 51 4A 06 00 6F 28 00 87 68 00 00 00 00 88 48 00 00 42 43 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-010; classtype:attempted-user; sid:17404; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE OpenOffice RTF File parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"rtf"; nocase; content:"|5C|prtdata"; distance:0; nocase; isdataat:200,relative; content:!"|0A|"; within:200; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24450; reference:cve,2007-0245; classtype:attempted-user; sid:17403; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher Object Handler Validation Code Execution attempted"; flow:to_client,established; file_data; content:"|00 00 03 68 1A 01 00 00 34 00 00 00 01 20 01 00|"; content:"|01 20 1D 01 00 00 02 20 1C 01 00 00 03 90 5A 05 00 00 00 78 00 78|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,29158; reference:cve,2008-0119; classtype:attempted-user; sid:17383; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Malformed Filter Records Handling Code Execution attempt"; flow:to_client,established; flowbits:isset,file.xls; content:"|43 6F 6C 75 6D 6E 20 42 3F 9B 00 00 00 9D 00 02 00 02 00 9E 00 1D 00 33 00 04 2A 06 02 8C 23 01 01 04 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23780; reference:cve,2007-1214; classtype:attempted-user; sid:17377; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word document stream handling code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|A8 00 00 00 00 00 00 00 41 41 41 41 10 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25567; reference:cve,2007-0870; classtype:attempted-user; sid:17368; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel IMDATA buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|7F 00 54 01 09 00 01 00 00 00 00 00 0C 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,21856; reference:cve,2007-0027; classtype:attempted-user; sid:17362; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint MCAtom remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|F8 0F 04 00 00 00|"; byte_test:4,>,2,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,20495; reference:cve,2006-5296; classtype:attempted-user; sid:17318; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE OpenOffice OLE file stream buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"W|00|o|00|r|00|d|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|"; nocase; byte_test:4,>,0x80000000,96,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28819; reference:cve,2008-0320; classtype:attempted-user; sid:17315; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 26 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00 05 C1 0E 00 00 00 06 01 01 00 00 00 53|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:17310; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word SmartTag record code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 FF FF 01 00 00 00 05 00 4C 4F 0C 00 00 00 01 00 00 00 00 00 00 00 00 00 16 00 00 00 00 00 00 00 01 00 0E 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30124; reference:cve,2008-2244; classtype:attempted-user; sid:17308; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Works file converter file section header index table stack overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"|22 07 00 00 00 22 22 22 22 00 22 06 00 00 00 02 00 46 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,27658; reference:cve,2008-0105; classtype:attempted-user; sid:17304; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc&file.ole; file_data; content:"|FF FF FF FF FF FF EC A5 C1 00 4D 20 09 04 00 00 F0 12 BF 00|"; fast_pattern:only; content:"|09 04 16 00 22 0C 00 00 80 57 00 00 80 57 00 00 02|"; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|"; within:12; distance:23; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23380; reference:cve,2007-1910; classtype:attempted-user; sid:17301; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed data record code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|F2 03|"; content:"|AA AA AA 2F 00 C8 0F 0C 00 00 00 30 00 D2 0F 04 00|"; within:17; distance:1; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,20322; reference:cve,2006-3876; classtype:attempted-user; sid:17292; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint PPT file parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|A4 37 7A 00 81 00 00 00 00 00 82 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18993; reference:cve,2006-3656; classtype:attempted-user; sid:17285; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office malformed routing slip code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"Routing|3A 20|"; content:"|B9 00 9B 05 56 04 3F 05 00 00 41 41 41 41|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17000; reference:cve,2006-0009; classtype:attempted-user; sid:17284; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows Web View script injection attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|1E 00 00 00|"; fast_pattern; content:"javascript"; distance:0; nocase; pcre:"/\x1e\x00\x00\x00.{4}[^\x00]*?\x40[^\x00]*?javascript/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13248; reference:cve,2005-1191; classtype:attempted-user; sid:17271; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt"; flow:to_client,established; flowbits:isset,file.doc|file.xls; file_data; content:"|08 D6|"; byte_extract:1,2,NumberOfColumns,relative,little; content:"|20 D6 0B|"; distance:0; byte_extract:1,0,itcFirst,relative,little; byte_test:1,>,itcFirst,0,relative,little; byte_test:1,>,NumberOfColumns,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43122; reference:cve,2009-3302; reference:cve,2010-2563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-067; classtype:attempted-user; sid:17250; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel sheet name memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|01 16 01 00 00 F0 00 00 00 2C 03 00 00 D4 00 00 00 00 02 00 00 FF FF FF FF 34 03 00 00 D8 03 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24691; reference:cve,2007-3490; classtype:attempted-user; sid:17227; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel pivot item index boundary corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|D5 00 02 00|"; byte_extract:2,0,streamID,relative,little; content:"|B0 00|"; distance:0; content:"|00 00|"; within:2; distance:18; byte_extract:2,4,iCache,relative,little; content:"|C6 00|"; byte_test:2,=,streamID,6,relative,little; byte_test:2,!=,iCache,14,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42199; reference:cve,2010-2562; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-057; classtype:attempted-user; sid:17134; rev:21;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 13 3A FF FF FF 8C 0F 00 00 F0 38 00 00 00 00 00 06 F0 18 00 00 00 02 08 00 00 02 00 00 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42130; reference:cve,2010-1903; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17124; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word rich text format invalid field size memory corruption attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpcallout"; nocase; content:"|5C|dppolycount"; within:50; nocase; byte_test:5,>,50,0,string,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1902; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17123; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 3"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|datafield |5C|jpegblip"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17122; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 2"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|datafield |5C|pngblip"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17121; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 1"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|datafield |5C|emfblip"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17120; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word sprmCMajority SPRM overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|01 08 5B 05 68 45 DE 11 13 6D 48 7B 07 7D 28 F0 6D 48 44 06 07|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1900; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-056; classtype:attempted-user; sid:17119; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Access ACCWIZ library release after free attempt - 2"; flow:to_client,established; file_data; content:"CLASSID|3D 22|CLSID|3A|53230327-172B-11D0-AD40-00A0C90DC8D9|22| data|3D|"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1881; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-044; classtype:attempted-user; sid:17039; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Access ACCWIZ library release after free attempt - 1"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|b|00|j|00|e|00|c|00|t|00|P|00|o|00|o|00|l|00|"; content:"|18 00 01 01 FF FF FF FF FF FF FF FF 06 00 00 00 27 03 23 53 2B 17 D0 11 AD 40 00 A0 C9 0D C8 D9|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1881; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-044; classtype:attempted-user; sid:17038; rev:15;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt"; flow:established, to_server; content:"Content-Type|3A|"; nocase; content:"application/ms-tnef"; within:25; nocase; content:"aWxlOi8vYzpcd2luZG93"; distance:0; fast_pattern; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-045; classtype:attempted-user; sid:17035; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel FRTWrapper record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|51 08 00 00|AAAAAAAAAAAAAAAA"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:16800; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel DBQueryExt record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,&,0x04,0,relative; byte_test:1,!&,0x03,0,relative; content:"|CD 00|"; within:2; distance:12; content:"|03 08|"; distance:0; content:"|03 08 00 00|"; within:4; distance:2; content:!"|04 00|"; within:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1253; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16657; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel BIFF5 ExternSheet record stack overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|16 00 02 00|"; content:"|17 00|"; within:2; distance:2; byte_test:1,>,250,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1252; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16656; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Publisher record heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|88 00 08 00|"; content:"|01 00|"; within:2; distance:4; content:"|89 00|"; within:2; distance:2; byte_test:2,<,46,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1250; reference:cve,2012-1886; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-076; classtype:attempted-user; sid:16654; rev:20;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ExternName record stack buffer overflow attempt - 4"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|AE 01|"; byte_jump:2,0,relative,little; content:"|23 00|"; within:2; byte_test:2,>,250,0,relative,little; byte_test:2,<,8225,0,relative,little; byte_test:1,!&,0x01,0,relative; byte_test:1,&,0x01,7,relative; byte_test:1,&,0x08,7,relative; content:"|01 00|"; within:2; distance:12; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16653; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ExternName record stack buffer overflow attempt - 3"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|AE 01|"; byte_jump:2,0,relative,little; content:"|23 00|"; within:2; byte_test:2,>,250,0,relative,little; byte_test:2,<,8225,0,relative,little; byte_test:1,!&,0x01,0,relative; byte_test:1,!&,0x01,7,relative; byte_test:1,&,0x08,7,relative; content:"|01|"; within:1; distance:12; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16652; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ExternName record stack buffer overflow attempt - 2"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|AE 01|"; byte_jump:2,0,relative,little; content:"|23 00|"; within:2; byte_test:2,>,250,0,relative,little; byte_test:2,<,8225,0,relative,little; byte_test:1,!&,0x01,0,relative; byte_test:1,&,0x01,7,relative; byte_test:1,!&,0x08,7,relative; content:"|01 00|"; within:2; distance:10; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16651; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ExternName record stack buffer overflow attempt - 1"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|AE 01|"; byte_jump:2,0,relative,little; content:"|23 00|"; within:2; byte_test:2,>,250,0,relative,little; byte_test:2,<,8225,0,relative,little; byte_test:1,!&,0x01,0,relative; byte_test:1,!&,0x01,7,relative; byte_test:1,!&,0x08,7,relative; content:"|01|"; within:1; distance:10; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16650; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 1"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08 E9 0B 0F 00 00 F0 E1 0B 00 00 00 00 06 F0 00 01 00 00 00 FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1247; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16648; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08|"; content:"|13 08 00 00 00 00 00 00 00 00 00 00|"; within:12; distance:2; pcre:"/^(.{3}[\x80-\xFF]|.{7}[\x80-\xFF])/sR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1247; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16647; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt "; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08 E9 0B 0F 00 00 F0 E1 0B 00 00 00 00 06 F0 00 00 00 00 02 04 00 00 02 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1246; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16646; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B0 00 3D 00 02 00 08 00 00 00 01 00 04 00 04 00 01 00 FF 7F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1245; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16645; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|0B 08 3F 00 2C 00 3A 00 00 5F 28 22 24 22 2A 20 23 2C 23 23 1F 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16644; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|02 10 10 00|"; content:"|33 10 00 00|"; within:4; distance:16; content:"|54 08 0C 00 54 08 00 00|"; distance:0; content:"|55 08 0C 00|"; distance:8; content:"|55 08 0C 00|"; within:4; distance:12; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0823; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16643; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro and linkFmla"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|"; within:6; distance:2; content:"|0C 00 14 00|"; within:4; distance:16; content:"|04 00|"; within:2; distance:20; byte_jump:2,0,relative,little; content:"|0E 00|"; within:2; byte_jump:2,0,relative,little; content:"|13 00|"; within:2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16641; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with linkFmla"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|"; within:6; distance:2; content:"|0C 00 14 00|"; within:4; distance:16; content:"|0E 00|"; within:2; distance:20; byte_jump:2,0,relative,little; content:"|13 00|"; within:2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16640; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|"; within:6; distance:2; content:"|0C 00 14 00|"; within:4; distance:16; content:"|04 00|"; within:2; distance:20; byte_jump:2,0,relative,little; content:"|13 00|"; within:2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16639; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|"; within:6; distance:2; content:"|0C 00 14 00|"; within:4; distance:16; content:"|13 00|"; within:2; distance:20; byte_test:2,>,1024,18,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40520; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16638; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft VBE6.dll stack corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|50 00 6F 00 69 00 6E 00 74 00 20 00 44 00 6F 00 63 00 75 00 6D 00|"; content:"|01 00 C3 0F 18 00 00 00|"; distance:0; content:"|00 00 00 00|"; within:4; distance:16; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,39931; reference:cve,2010-0815; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-031; classtype:attempted-user; sid:16593; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher 2007 and earlier stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|1D 00 00 04 01 00 01 00 FE 00 01 00 00 00 00 00 00 00 00 00 00 00 AE 02 00 00 C9 02 00 00 02 00 1D 00 04 04|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,39347; reference:cve,2010-0479; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-023; classtype:attempted-user; sid:16542; rev:20;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fWeb parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,!&,0x07,0,relative,little; byte_test:1,&,0x48,0,relative,little; content:"|CD 00|"; within:2; distance:12; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16471; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fWeb parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,&,0x03,0,relative,little; byte_test:1,&,0x40,0,relative,little; content:"|CD 00|"; within:2; distance:12; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16470; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fOdbcConn parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,&,0x06,0,relative,little; byte_test:1,&,0x08,0,relative,little; content:!"|00 00|"; within:2; distance:10; content:"|CD 00|"; within:2; distance:12; content:!"|00 00|"; within:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16469; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt"; flow:to_client,established; file_data; content:"|87 0C 14 B9 C6 B7 BD BB 1A 78 3F 9F EE 0A 50 1C D1 B5 38 78 47 06 BE 88 E1 58 DF DE 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16468; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt"; flow:to_client,established; file_data; content:"|5A 73 6B C9 23 EF E2 40 41 3A 97 98 3C 66 81 E9 AA 79 48 84 1D 5B A2 EC 7B FD 5C 14 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16467; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel uninitialized stack variable code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:">|02 12 00 B6 06 00 00 00 00|@|00 00 00 00 00 00 00 00 00 00 00 1D 00 0F 00 03 00 00 00 00 00 00 01 00 00 00 00 00 00 00 9A 00 06 00 FF FF 00 00 00 00 0A 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0262; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16466; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ContinueFRT12 and MDXSet heap overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|87 08|"; byte_jump:2,0,relative,little; content:"|7F 08|"; within:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0261; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16465; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ContinueFRT12 heap overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|86 08|"; byte_jump:2,0,relative,little; content:"|7F 08|"; within:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0260; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16464; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel BIFF5 formulas from records parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|3B FF FF 00 00 00 00 00 00 01 00 00 00 00 00 01 00 01 00 00 02|"; content:"|3B FF FF 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 02|"; within:21; distance:12; content:"|3B FF FF 00 00 00 00 00 00 01 00 00 00 00 00 02 00 02 00 00 02|"; within:21; distance:74; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16463; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel BIFF8 formulas from records parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|3B 00 00 01 00 01 00 00 00 02 00|"; content:"|3B 00 00 00 00 00 00 00 00 02 00|"; within:11; distance:12; content:"|3B 00 00 02 00 02 00 00 00 02 00|"; within:11; distance:92; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16462; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel EntExU2 write access violation attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00|"; byte_test:2,!=,5,24,little,relative; byte_test:1,!=,1,26,little,relative; content:"|C2 01|"; within:100; byte_test:1,!&,8,8,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38547; reference:cve,2010-0257; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16461; rev:22;) # alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Outlook Express and Windows Mail NNTP handling buffer overflow attempt"; flow:to_client,established; content:"1094795585 |0D 0A|1094795585 |0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service nntp; reference:cve,2007-3897; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-056; classtype:attempted-user; sid:16428; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|C3 0B 00 02 00 00 FF 01 04 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:16421; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Malformed MSODrawing Record attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|EC 00|"; byte_test:2,>,0,0,relative; content:"|02 F0|"; within:2; distance:4; byte_test:4,>,0,0,relative; content:"|08 F0|"; within:2; distance:6; content:"|04 F0|"; within:2; distance:22; byte_test:4,>,0,0,relative; content:"|09 F0|"; within:2; distance:6; byte_test:4,>,0,0,relative; byte_test:4,=,0,-16,relative; content:!"|03 F0|"; within:2; distance:-18; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0243; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-003; classtype:attempted-user; sid:16416; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint invalid TextByteAtom remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 A8 0F|"; byte_test:1,&,0x80,3,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:16412; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 C3 0B 08 00 00 00|"; byte_test:1,>,0,4,relative,little; byte_test:1,<,27,4,relative,little; byte_test:4,>,7,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0031; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:16411; rev:15;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt"; flow:to_server,established; content:".ppt"; nocase; http_uri; pcre:"/[^\x5C\x2F\x3A\x2A\x3F\x22\x3C\x3E\x7C\x3D\s]{200}\x2Eppt($|\x3f)/Ui"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:16409; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio invalid ho tag attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|00 02 0B|@|00 00 00 00 00 00 00 00 FE 00 FF 00 90 03 A7 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33660; reference:cve,2009-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-005; classtype:attempted-user; sid:16318; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint bad text header txttype attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 00 00 9F 0F 04 00 00 00|"; byte_test:1,>,8,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0022; reference:cve,2011-1269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-036; classtype:attempted-user; sid:16188; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|02 00 09 00 00 00 02 00 40 00 00 03 00 05 00 09 00 FF FF FF FF 41 15 00 01 00 05 00 09 00 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-012; classtype:attempted-user; sid:16059; rev:17;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Outlook Web Access Cross-Site Scripting attempt"; flow:to_server,established; content:"javascript|3A|alert|28|'Attacker supplied script"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,13952; reference:cve,2005-0563; classtype:attempted-user; sid:15947; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher 2007 file format arbitrary code execution attempt"; flow:to_client,established; file_data; content:"R|00 12 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 13 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0566; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-030; classtype:attempted-user; sid:15681; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Qsir and Qsif record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 08|"; content:"|06 08|"; within:2; distance:2; byte_test:1,&,0x10,16,relative; byte_test:1,!&,0x40,16,relative; byte_test:4,>,0,18,relative,little; content:"|07 08|"; distance:0; content:"|07 08 00 00|"; within:4; distance:2; byte_test:1,&,8,0,relative; byte_test:1,<,0x10,2,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-1134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-user; sid:15542; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SST record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"Sheet"; content:"|FC 00|"; distance:0; byte_test:4,>,0,2,relative,little; byte_test:4,>,0x10000000,6,relative,little; byte_test:2,>,10,0,relative,little; byte_test:2,<,8225,0,relative,little; byte_jump:2,0,relative,little; pcre:"/^(\xFF|\x3C)\x00/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36042; reference:cve,2009-0561; reference:cve,2009-3037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21396492; classtype:attempted-user; sid:15541; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00|"; byte_test:2,>,0,0,relative,little; byte_test:1,>,3,8,relative,little; content:"|FF FF|"; within:2; distance:14; byte_test:1,!&,41,0,relative,little; content:"|00|"; within:1; distance:1; byte_test:2,>,0,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35244; reference:cve,2009-0560; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-user; sid:15539; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint CurrentUserAtom remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 F6 0F|"; content:"|14 00 00 00|"; within:4; distance:4; byte_test:2,>,255,8,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-1131; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15506; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint HashCode10Atom memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 F0 03|"; content:"|00 00|+"; within:3; distance:5; isdataat:4,relative; content:!"|04 00 00 00|"; within:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-1130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15505; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint Download of version 4.0 file"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"R|00|o|00|o|00|t|00| |00|E|00|n|00|t|00|r|00|y|00|"; content:"P|00|P|00|4|00|0|00|"; within:8; distance:108; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0220; reference:cve,2009-0223; reference:cve,2009-0226; reference:cve,2009-0227; reference:cve,2009-1137; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15504; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint LinkedSlide memory corruption"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 E7|.|08 00 00 00|"; byte_test:4, >, 1000000, 4, relative, little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15500; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint PP7 Component buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|CC 0F 00 00 FF FF 00 00|"; byte_test:4,>,0x100,0,relative,little; byte_extract:4,0,length,relative,little; content:"|00 00 00 00|"; within:4; content:"|BA 0F 00 00|"; within:length; byte_test:4,>,0x100,4,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-1129; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15499; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office WordPad and Office Text Converters PlcPcd aCP buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|02 10 00 00 00 00 00 00 00|"; byte_test:4,>,2147483648,0,relative,little; content:"|00 00 10|"; within:3; distance:5; content:"@|00 00 FF FF 01 00|"; within:8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:15467; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office WordPad WordPerfect 6.x converter buffer overflow attempt"; flow:to_client,established; file_data; content:"|1E 00 00 00 10 00 00 00|Nullcode.com.ar|00 03 00 00 00 01 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:15466; rev:13;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Outlook web access script injection attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"text/html"; distance:0; nocase; pcre:"/\x3c[^\x3e]*\x00[^\x3e]*\x3e/Rsmi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18381; reference:cve,2006-1193; classtype:attempted-user; sid:15367; rev:12;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio Object Header Buffer Overflow attempt"; flow:to_client,established; file_data; content:"|10|@|DE|naaa|87|a|17|@|DE FD F2 F1 09|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-1089; classtype:attempted-user; sid:15163; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word .rtf file stylesheet buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|stylesheet"; nocase; content:"|5C|stylesheet"; distance:0; nocase; content:"|5C|stylesheet"; distance:0; nocase; content:"|5C|stylesheet"; distance:0; nocase; content:"|5C|stylesheet"; distance:0; nocase; content:"|5C|stylesheet"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4031; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:attempted-user; sid:15107; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dppolycount"; nocase; byte_test:5,>,8186,0,relative,string,dec; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4025; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:misc-attack; sid:15106; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word rtf malformed dpcallout buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpcallout"; fast_pattern:only; pcre:"/\x5cdpcallout\s*\x5cdpcallout\s*\x5cdpcallout/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32585; reference:cve,2008-4028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:attempted-user; sid:15082; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel file with embedded ActiveX control"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00|_|00|_|00|S|00|R|00|P|00|_|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3477; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:14642; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"Sheet"; content:"|51 08|"; distance:0; fast_pattern; byte_test:2,<,8,0,relative,little; content:"|51 08|"; within:2; distance:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:14641; rev:21;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office OneNote iframe caller exploit attempt"; flow:to_client,established; file_data; content:"iframe"; nocase; content:"onenote|3A|"; distance:0; nocase; pcre:"/iframe[^\x3e]+onenote\x3a(\x2f|\x5c){2}[^\x3e]+(\x2fbackuppath|\x2fcachepath)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-055; classtype:web-application-attack; sid:14262; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed chart arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|41 10 12 00|"; byte_test:2,>,1,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3004; reference:cve,2011-1987; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-072; classtype:attempted-user; sid:13981; rev:22;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel country record arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|8C 00 04 00|"; byte_test:2,>,5,0,relative,little; content:"|18 00|"; within:2; distance:4; byte_test:1,&,0x20,2,relative,little; byte_test:2,>,14,16,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3006; reference:cve,2008-4266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-043; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-074; classtype:attempted-user; sid:13972; rev:23;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint TxMasterStyle10Atom atom numLevels buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 F8 03|"; byte_extract:4,4,master_record,relative,little; content:"|B2 0F|"; within:master_record; byte_test:2,>,5,4,relative,little; byte_test:1,<,0x90,-4,relative; byte_test:1,!&,0x01,-4,relative; byte_test:1,!&,0x02,-4,relative; byte_test:1,!&,0x04,-4,relative; byte_test:1,!&,0x08,-4,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-1455; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-051; classtype:attempted-user; sid:13971; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio DXF file invalid memory allocation exploit attempt"; flow:to_client,established; flowbits:isset,file.dxf; file_data; content:"|0D 0A|HATCH|0D 0A|"; nocase; pcre:!"/^\s*[1-9][0-9]*\x0d\x0a/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-1090; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-019; classtype:attempted-user; sid:13665; rev:20;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Outlook arbitrary command line attempt"; flow:to_client,established; file_data; content:"mailto|3A|"; nocase; content:"|2F|importprf"; distance:0; nocase; pcre:"/\x3c[^\x3e]+[\x22\x27]mailto\x3a[^\x3e]+\x3f[^\x3e]*\x2fimportprf/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-015; classtype:misc-attack; sid:13573; rev:20;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; content:"|0A F0 08 00 00 00|"; byte_test:2,&,1024,4,relative,little; byte_test:2,&,8,4,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28146; reference:cve,2008-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-016; classtype:attempted-user; sid:13572; rev:22;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel dval record arbitrary code excecution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B2 01|"; byte_test:4,>,4294967293,16,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0111; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:attempted-user; sid:13571; rev:23;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel cf record arbitrary code excecution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B1 01|"; byte_test:2,&,1,12,relative,little; byte_test:2,>,69,14,relative,little; byte_test:2,>,13,0,relative,little; byte_test:2,<,8225,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0117; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:attempted-user; sid:13570; rev:21;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel macro validation arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|FF FF FF FF 09 08|"; content:"|00 00|"; within:2; distance:1; content:"|05 00|"; within:2; distance:1; pcre:"/\xff\xff\xff\xff\x09\x08[\x08\x10]\x00\x00[\x05\x06]\x05\x00[^\x85]*\xdf/sm"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0081; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:attempted-user; sid:13569; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Works file converter field length invalid chunk size buffer overflow attempt"; flow:to_client,established; file_data; content:"CHNKWKS"; content:"|18 00|TEXT"; distance:0; isdataat:4,relative; content:!"|01 00|"; within:2; distance:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,27659; reference:cve,2008-0108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-011; classtype:attempted-user; sid:13472; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 00 01 18 E8 AC 02 68 43 43 43 00 03 20 13 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,27739; reference:cve,2008-0102; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-012; classtype:attempted-user; sid:13470; rev:21;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Works file converter file section length headers memory corruption attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"STSH"; byte_test:2,>,32768,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,27657; reference:cve,2007-0216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-011; classtype:attempted-user; sid:13466; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel rtWnDesk record memory corruption exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"8|00 04 00|"; byte_test:2,>,32767,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3890; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-044; classtype:attempted-user; sid:12284; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|60 10 0A 00|"; byte_test:2,>,32767,8,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23826; reference:cve,2007-1203; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-023; classtype:attempted-user; sid:12256; rev:25;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel workbook workspace designation handling arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|FF FF FF FF FF FF FF FF 09 08|"; fast_pattern:only; pcre:"/\xff{8}\x09\x08[\x08\x10]\x00\x00[\x05\x06]\x00\x01/sm"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24803; reference:cve,2007-3030; reference:url,secunia.com/advisories/25995; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-036; classtype:attempted-user; sid:12184; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel rtWindow1 record handling arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|FF FF FF FF FF FF FF FF 09 08|"; content:"|00 00|"; within:2; distance:1; content:"|05 00|"; within:2; distance:1; pcre:"/\x3d\x00\x12\x00..........(.[\x80-\xff]|...[\x80-\xff])/smiR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22555; reference:cve,2007-3029; reference:url,secunia.com/advisories/25995; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-036; classtype:attempted-user; sid:12099; rev:14;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed version field"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 10 00|"; fast_pattern:only; pcre:"/\x09\x08\x10\x00\x00[\x00\x01\x07-\xff]/sm"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24801; reference:cve,2007-1756; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-036; classtype:attempted-user; sid:12070; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio version number anomaly"; flow:to_client,established; flowbits:isset,file.visio&file.ole; file_data; content:"Visio |28|TM|29| Drawing|0D 0A 00 00 00 00|"; fast_pattern:only; pcre:"/Visio \x28TM\x29 Drawing\r\n\x00{4}([^\x00]|\x00[^\x00]|\x00\x00[^\x0b]|\x00\x00\x0b[^\x00])/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24349; reference:cve,2007-0934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-030; classtype:misc-activity; sid:11836; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed named graph information ascii overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|81 00 02 00|"; content:"|95 00|"; within:25; byte_test:2,>,313,0,relative,little; isdataat:314,relative; pcre:"/^(.{92}[^\x00]{41}|.{148}[^\x00]{41}|.{172}[^\x00]{41}|.{212}[^\x00]{41}|.{252}[^\x00]{22}|.{272}[^\x00]{22}|.{292}[^\x00]{22}|.{312}[^\x00]{22}|.{332}[^\x00]{22})/Rs"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0215; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-023; classtype:attempted-user; sid:11290; rev:20;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Malformed Named Graph Information unicode overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|81 00 02 00|"; content:"|95 00|"; within:25; isdataat:72,relative; content:!"|00 00|"; within:72; distance:3; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0215; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-023; classtype:attempted-user; sid:11258; rev:24;) # alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Outlook Express NNTP response overflow attempt"; flow:to_client,established; content:"215 "; depth:4; content:"|0D|"; distance:0; isdataat:50; content:!"|0D|"; within:50; metadata:policy max-detect-ips drop, service nntp; reference:bugtraq,13951; reference:cve,2005-1213; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-030; classtype:attempted-user; sid:9431; rev:15;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel colinfo XF record overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|55 00 02 00|"; content:!"|00 02 0E 00|"; within:4; distance:2; content:"|7D 00 0C 00 00 00|"; within:200; byte_test:2,>,256,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-3875; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-059; classtype:attempted-user; sid:8448; rev:19;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office GIF image descriptor memory corruption attempt"; flow:to_client,established; file_data; content:"GIF8"; depth:4; content:"a"; within:1; distance:1; byte_test:1,&,0x80,4,relative; pcre:"/^(.{13}|.{19}|.{31}|.{55}|.{103}|.{199}|.{391}|.{775})\x2C.{5}([\xE0-\xFF]|.{2}[\xE0-\xFF])/sR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18915; reference:bugtraq,22630; reference:cve,2006-0007; reference:cve,2007-1071; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-039; classtype:attempted-user; sid:8414; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel FngGroupCount record overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|0B 02|"; content:"|00 00 00 00|"; within:4; distance:2; content:"|9C 00 02 00|"; within:50; fast_pattern; byte_test:2,>,0x50,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18890; reference:cve,2006-1308; classtype:attempted-user; sid:7205; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel object ftCmo overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00|"; within:4; distance:2; byte_test:2,>,0x1E,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18886; reference:cve,2006-1306; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-037; classtype:attempted-user; sid:7204; rev:20;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word information string overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|FE FF 00 00|"; content:"|E0 85 9F F2 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9|"; within:16; distance:24; byte_jump:4,0,relative,little,post_offset -48; byte_extract:4,0,sectLength,relative,little; content:"|1E 00 00 00|"; within:sectLength; byte_test:4,>,2147483647,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-1540; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-038; classtype:attempted-user; sid:7203; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word document summary information string overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|FE FF 00 00|"; content:"|02 D5 CD D5 9C 2E 1B 10 93 97 08 00 2B 2C F9 AE|"; within:16; distance:24; byte_jump:4,0,relative,little,post_offset -48; byte_extract:4,0,sectLength,relative,little; content:"|1E 00 00 00|"; within:sectLength; byte_test:4,>,2147483646,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-1540; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-038; classtype:attempted-user; sid:7202; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel MSO.DLL malformed string parsing single byte buffer over attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 00 00 1D 00 0F 00 03 00 00 00|"; isdataat:2,relative; content:!"|00|"; within:1; distance:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17252; reference:cve,2006-1540; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-038; classtype:attempted-user; sid:7197; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel object record overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; byte_test:2,>,8224,0,relative,little; content:"|15 00 12 00|"; within:4; distance:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18886; reference:cve,2006-1306; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-037; classtype:attempted-user; sid:7048; rev:17;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel url unicode overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"n|DB 7C D2|m|AE CF 11 96 B8|DEST|00 00|"; content:"FWS"; within:3; distance:8; content:"javascript|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18583; reference:cve,2006-3014; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-069; classtype:attempted-user; sid:7025; rev:16;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel url unicode overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|E0 C9 EA|y|F9 BA CE 11 8C 82 00 AA 00|K|A9 0B|"; byte_test:4,>,3628,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18422; reference:bugtraq,18500; reference:cve,2006-3059; reference:cve,2006-3086; reference:cve,2011-0104; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-037; classtype:attempted-user; sid:7002; rev:20;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel OBJ record invalid cmo.ot exploit attempt"; flow:established,to_client; flowbits:isset,file.xls; content:"|00 00 02 1A 00 4B 00 00 00 11 F0 00 00 00 00 5D 00 4E 00 15 00 12 00 B3 00 02 00 11 60 00 00 00 00 0C 14 FF 00 00 00 00 00 07 00 02 00 02 00 08|"; fast_pattern:only; reference:cve,2011-0980; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-admin; sid:18641; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed SupBook record attempt"; flow:established,to_client; flowbits:isset,file.xls; content:"|AE 01|"; byte_test:2,>,0x300,4,relative,little; byte_test:2,<,0x400,4,relative,little; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0979; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:18640; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; content:"|09 08 10 00 00 06|"; content:"|A7 00|"; fast_pattern; byte_test:2,>,2056,3,relative,little; byte_test:2,&,0x12f,7,relative,little; byte_jump:2,0,relative,little; content:"|3C 00|"; within:2; metadata:service http; reference:cve,2011-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:18631; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; content:"|09 08 08 00 00 05|"; fast_pattern:only; content:"|A7 00|"; byte_test:2,>,520,3,relative,little; byte_test:2,&,0x12f,7,relative,little; byte_jump:2,0,relative,little; content:"|3C 00|"; within:2; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:18630; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed StartObject record arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; content:"T|08 0C 00|T|08 00 00|"; byte_test:1,&,0x80,5,relative; metadata:service http; reference:cve,2009-3134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-admin; sid:16228; rev:8;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Download of PowerPoint 95 file"; flow:to_client,established; content:"|03 00 00 00 FF FF 00 00|"; content:"|00 00 00 00 E8 03 00 00 FF FF 00 00|"; within:12; distance:4; content:"|00 00 00 00 E9 03 00 00 04 00 00 00|"; within:12; distance:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15503; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher invalid pathname overwrite attempt"; flow:established,to_client; flowbits:isset,file.pub; content:"C|00 3A 00 5C 00|D|00|O|00|C|00|U|00|M|00|E|00|~|00|1|00 5C 00|A|00|A|00|A|00|A|00|A|00|A|00|A|00|"; reference:cve,2008-0104; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-012; classtype:attempted-user; sid:13471; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher column and row remote code execution attempt"; flow:established, to_client; flowbits:isset,file.pub; content:"|8C 00 00 00 00 00 10 AC 52 00 D1 D2 4C 00 FD FF 1A 00 1A 00|"; fast_pattern:only; metadata:service http; reference:cve,2010-2570; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18213; rev:9;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt"; flow:to_server,established; file_data; content:"|A4 11 D8 28 D3 E5 EC FD ED 1A 1E 59 E0 08 4C 03 03 1A 99 33 83 EC 54 3C 3E 64 B0 A4 28 96 C0 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1770; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-059; classtype:attempted-user; sid:34744; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt"; flow:to_client,established; file_data; content:"|A4 11 D8 28 D3 E5 EC FD ED 1A 1E 59 E0 08 4C 03 03 1A 99 33 83 EC 54 3C 3E 64 B0 A4 28 96 C0 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1770; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-059; classtype:attempted-user; sid:34743; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word WordPerfect converter EnumFontFamProc use after free attempt"; flow:to_server,established; file_data; content:"|05 DC 05 0C 00 01 D0 D0 02 08 00 00 01 80 01 08 00 02 D0 D1 01 23 00 00 8A 02 54 00 F4 1A 5C 12|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1760; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-059; classtype:attempted-user; sid:34740; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word WordPerfect converter EnumFontFamProc use after free attempt"; flow:to_client,established; file_data; content:"|05 DC 05 0C 00 01 D0 D0 02 08 00 00 01 80 01 08 00 02 D0 D1 01 23 00 00 8A 02 54 00 F4 1A 5C 12|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1760; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-059; classtype:attempted-user; sid:34739; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word WordPerfect converter ForeignToRtf32 use after free attempt"; flow:to_server,established; file_data; content:"|23 60 09 28 23 14 00 E0 DD 08 17 00 83 01 3B 00 02 00 33 A3 F7 03 00 00 2E 04 00 00 17 00 DD 8C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1759; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-059; classtype:attempted-user; sid:34738; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word WordPerfect converter ForeignToRtf32 use after free attempt"; flow:to_client,established; file_data; content:"|23 60 09 28 23 14 00 E0 DD 08 17 00 83 01 3B 00 02 00 33 A3 F7 03 00 00 2E 04 00 00 17 00 DD 8C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1759; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-059; classtype:attempted-user; sid:34737; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Visio UML string object heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.visio; file_data; content:"|00 00 00 FF FF FF FF|d|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|a|00|t|00|i|00|o|00|n"; fast_pattern:only; metadata:service smtp; reference:cve,2011-1979; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-060; classtype:attempted-user; sid:34975; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Visio UML string object heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|00 00 00 FF FF FF FF|d|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|a|00|t|00|i|00|o|00|n"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1979; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-060; classtype:attempted-user; sid:34974; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word nested tblStylePr element use after free attempt"; flow:to_server,established; file_data; content:"|BA 37 6E 65 CE 88 EF 89 39 3B 43 BE B7 F7 9C AC 4A 5D 80 A3 11 2C 42 1D CF 34 CC 2F 9F E9 87 9B D8 74 FF A2 48 C7 3C D2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-061; classtype:attempted-user; sid:35021; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word nested tblStylePr element use after free attempt"; flow:to_client,established; file_data; content:"|BA 37 6E 65 CE 88 EF 89 39 3B 43 BE B7 F7 9C AC 4A 5D 80 A3 11 2C 42 1D CF 34 CC 2F 9F E9 87 9B D8 74 FF A2 48 C7 3C D2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-061; classtype:attempted-user; sid:35020; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word nested tblStylePr element use after free attempt"; flow:to_server,established; file_data; content:" $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word nested tblStylePr element use after free attempt"; flow:to_client,established; file_data; content:" $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word OCX use after free attempt"; flow:to_server,established; file_data; content:"|36 1E 98 27 F1 00 24 63 BB 20 B5 52 23 25 9E D8 AB F5 0A 27 28 2F 40 E8 88 B3 F3 5B E4 C8 DE 6B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-070; classtype:attempted-user; sid:35202; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word OCX use after free attempt"; flow:to_client,established; file_data; content:"|36 1E 98 27 F1 00 24 63 BB 20 B5 52 23 25 9E D8 AB F5 0A 27 28 2F 40 E8 88 B3 F3 5B E4 C8 DE 6B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-070; classtype:attempted-user; sid:35201; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|16 24 01|"; content:"|49 66|"; within:50; byte_test:4,>,0xffffff,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2379; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-070; classtype:attempted-user; sid:35191; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|16 24 01|"; content:"|49 66|"; within:50; byte_test:4,>,0xffffff,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2379; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-070; classtype:attempted-user; sid:35190; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel c legend remote code execution attempt"; flow:to_server,established; file_data; content:"|F8 B5 E3 70 73 9B E3 C3 E1 F5 31 AB FC AF A5 28 2D 99 41 5A EF 09 37 65 06 E8 C7 DD 28 04 77 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2377; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-070; classtype:attempted-user; sid:35177; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel c legend remote code execution attempt"; flow:to_client,established; file_data; content:"|F8 B5 E3 70 73 9B E3 C3 E1 F5 31 AB FC AF A5 28 2D 99 41 5A EF 09 37 65 06 E8 C7 DD 28 04 77 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2377; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-070; classtype:attempted-user; sid:35176; rev:3;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office request for rapi.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"|5C 00|r|00|a|00|p|00|i|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2015-2369; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-069; classtype:attempted-user; sid:35169; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office rapi.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|rapi.dll"; nocase; http_uri; metadata:service http; reference:cve,2015-2369; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-069; classtype:attempted-user; sid:35168; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF object remote code execution attempt"; flow:to_server,established; file_data; content:"{|5C|rtf1"; depth:6; nocase; content:"574D444D434553502E574D444D434553502E3100"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2369; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-069; classtype:attempted-user; sid:35167; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF object remote code execution attempt"; flow:to_client,established; file_data; content:"{|5C|rtf1"; depth:6; nocase; content:"574D444D434553502E574D444D434553502E3100"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2369; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-069; classtype:attempted-user; sid:35166; rev:2;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office Excel Viewer request for msostyle.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"m|00|s|00|o|00|s|00|t|00|y|00|l|00|e|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2015-2378; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-070; classtype:attempted-user; sid:35144; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office Excel Viewer msostyle.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|msostyle.dll"; nocase; http_uri; metadata:service http; reference:cve,2015-2378; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-070; classtype:attempted-user; sid:35143; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel malformed workbook record remote code execution attempt"; flow:to_server,established; file_data; content:"|70 B5 81 BE 90 F1 CF 01 C0 45 C9 BE 90 F1 CF 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2415; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-070; classtype:attempted-user; sid:35142; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed workbook record remote code execution attempt"; flow:to_client,established; file_data; content:"|70 B5 81 BE 90 F1 CF 01 C0 45 C9 BE 90 F1 CF 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2415; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-070; classtype:attempted-user; sid:35141; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel out of bounds memory access attempt"; flow:to_server,established; file_data; content:"|AA 04 98 A6 6F 2D AB C3 00 15 4C 3C D3 4C 51 9D D7 59 6D 4A 74 2E 3F 26 84 27 3F 16 AA 71 57 69|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2376; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-070; classtype:attempted-user; sid:35138; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel out of bounds memory access attempt"; flow:to_client,established; file_data; content:"|AA 04 98 A6 6F 2D AB C3 00 15 4C 3C D3 4C 51 9D D7 59 6D 4A 74 2E 3F 26 84 27 3F 16 AA 71 57 69|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2376; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-070; classtype:attempted-user; sid:35137; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel invalid table information disclosure attempt"; flow:to_server,established; file_data; content:"|EA EA 47 3E 0B ED CA 64 99 37 31 A9 E6 6D 53 BC 25 6B 5E 92 C5 4D B2 3F B6 D9 66 6F D9 92 EC B1|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2375; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-070; classtype:attempted-recon; sid:35130; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel invalid table information disclosure attempt"; flow:to_client,established; file_data; content:"|EA EA 47 3E 0B ED CA 64 99 37 31 A9 E6 6D 53 BC 25 6B 5E 92 C5 4D B2 3F B6 D9 66 6F D9 92 EC B1|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2375; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-070; classtype:attempted-recon; sid:35129; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word RTF Control.TaskSymbol.1 heap corruption attempt - Win.Trojan.Sofacy"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"{|5C|*|5C|objclass Control.TaskSymbol.1}"; fast_pattern; nocase; content:"d0cf11e"; within:200; nocase; content:"{|5C|*|5C|objclass Forms.Image.1}"; distance:0; nocase; content:"466F726D732E496D6167652E31"; distance:0; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2424; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-070; reference:url,www.virustotal.com/en/file/9e5fbd79d8febe7a162cd5200041772db60dc83244605b1ff37ef8d14334f512/analysis/; classtype:trojan-activity; sid:35326; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word RTF Control.TaskSymbol.1 heap corruption attempt - Win.Trojan.Sofacy"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"{|5C|*|5C|objclass Control.TaskSymbol.1}"; fast_pattern; nocase; content:"d0cf11e"; within:200; nocase; content:"{|5C|*|5C|objclass Forms.Image.1}"; distance:0; nocase; content:"466F726D732E496D6167652E31"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2424; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-070; reference:url,www.virustotal.com/en/file/9e5fbd79d8febe7a162cd5200041772db60dc83244605b1ff37ef8d14334f512/analysis/; classtype:trojan-activity; sid:35325; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 04 F0 B2 00 00 00|"; content:"|0A F0 08 00 00 00|"; within:6; distance:2; content:"|0B F0 3C 00 00 00|"; within:6; distance:10; content:"|00 00|"; within:2; distance:60; byte_test:1,>,0xf1,1,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,50964; reference:cve,2011-3413; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-094; classtype:attempted-user; sid:35443; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 04 F0 B2 00 00 00|"; content:"|0A F0 08 00 00 00|"; within:6; distance:2; content:"|0B F0 3C 00 00 00|"; within:6; distance:10; content:"|00 00|"; within:2; distance:60; byte_test:1,<,0xf0,1,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,50964; reference:cve,2011-3413; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-094; classtype:attempted-user; sid:35442; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 04 F0 B2 00 00 00|"; content:"|0A F0 08 00 00 00|"; within:6; distance:2; content:"|0B F0 3C 00 00 00|"; within:6; distance:10; content:"|00 00|"; within:2; distance:60; byte_test:1,>,0xf1,1,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,50964; reference:cve,2011-3413; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-094; classtype:attempted-user; sid:35441; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 04 F0 B2 00 00 00|"; content:"|0A F0 08 00 00 00|"; within:6; distance:2; content:"|0B F0 3C 00 00 00|"; within:6; distance:10; content:"|00 00|"; within:2; distance:60; byte_test:1,<,0xf0,1,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,50964; reference:cve,2011-3413; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-094; classtype:attempted-user; sid:35440; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word malformed document file use after free attempt"; flow:to_server,established; file_data; content:"|0E 16 68 5F 61 63 00 43 4A 14 00 61 4A 14 00 00 1A 15 68 DB 18 04 00 16 68 A2 09 13 00 35 08 81|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2467; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-081; classtype:attempted-admin; sid:35522; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word malformed document file use after free attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|0E 16 68 5F 61 63 00 43 4A 14 00 61 4A 14 00 00 1A 15 68 DB 18 04 00 16 68 A2 09 13 00 35 08 81|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2467; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-081; classtype:attempted-admin; sid:35521; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word msptls.dll integer underflow attempt"; flow:to_server,established; file_data; content:"|68 01 67 64 9A 06 9B 00 00 10 00 00 03 24 03 11 84 E0 01 12 64 2C 01 01 00 57 44 C8 00 60 84 E0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2470; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-081; classtype:attempted-user; sid:35512; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word msptls.dll integer underflow attempt"; flow:to_client,established; file_data; content:"|68 01 67 64 9A 06 9B 00 00 10 00 00 03 24 03 11 84 E0 01 12 64 2C 01 01 00 57 44 C8 00 60 84 E0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2470; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-081; classtype:attempted-user; sid:35511; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt"; flow:to_server,established; file_data; content:"|84 93 00 00 86 13 00 00 88 13 00 00 8A 13 00 00 8C 13 00 00 8E 13 00 00 90 13 00 00 F1 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2469; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-081; classtype:attempted-user; sid:35510; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt"; flow:to_client,established; file_data; content:"|84 93 00 00 86 13 00 00 88 13 00 00 8A 13 00 00 8C 13 00 00 8E 13 00 00 90 13 00 00 F1 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2469; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-081; classtype:attempted-user; sid:35509; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word mso.dll use-after-free attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|16 00 1A 15 68 C3 70 FB 00 16 68 AC 1B 40 00 35 08 81 43 4A 16 00 5C 08 81 61 4A 16 00 00 0E 16|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2468; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-081; classtype:attempted-user; sid:35506; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word mso.dll use-after-free attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|16 00 1A 15 68 C3 70 FB 00 16 68 AC 1B 40 00 35 08 81 43 4A 16 00 5C 08 81 61 4A 16 00 00 0E 16|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2468; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-081; classtype:attempted-user; sid:35505; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word incomplete ActiveX control use-after-free attempt"; flow:to_server,established; file_data; content:"|65 90 41 6B C3 30 0C 85 EF 83 FD 87 A0 7B 62 B7 09 5D 1B E2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1642; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-081; classtype:attempted-user; sid:35504; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word incomplete ActiveX control use-after-free attempt"; flow:to_client,established; file_data; content:"|65 90 41 6B C3 30 0C 85 EF 83 FD 87 A0 7B 62 B7 09 5D 1B E2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1642; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-081; classtype:attempted-user; sid:35503; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt"; flow:to_server,established; file_data; content:"|C6 7A 00 00 A6 00 00 00 6C 73 00 00 00 00 00 00 6C 73 00 00 00 00 00 00 6C 73 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,76192; reference:cve,2015-2477; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-081; classtype:attempted-user; sid:35502; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt"; flow:to_client,established; file_data; content:"|C6 7A 00 00 A6 00 00 00 6C 73 00 00 00 00 00 00 6C 73 00 00 00 00 00 00 6C 73 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,76192; reference:cve,2015-2477; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-081; classtype:attempted-user; sid:35501; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word Document invalid directory entry use after free attempt"; flow:to_server,established; file_data; content:"|20 00 20 00 08 FF 31 00 09 FF 39 68 6E 63 BB 79 57 53 17 53 81 67 DC 8F D1 8F 6E 78 9A 5B 57 53|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2431; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-080; classtype:attempted-user; sid:35498; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Document invalid directory entry use after free attempt"; flow:to_client,established; file_data; content:"|20 00 20 00 08 FF 31 00 09 FF 39 68 6E 63 BB 79 57 53 17 53 81 67 DC 8F D1 8F 6E 78 9A 5B 57 53|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2431; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-080; classtype:attempted-user; sid:35497; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel bad file pointer memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|00 1D 1C 02 00 00 00 03 00 49 49 49 85 00 09 00 63 C8 02 00 00 00 01 00 56 85 00 0A 00 F3 67 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2520; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-099; classtype:attempted-user; sid:36003; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel bad file pointer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 1D 1C 02 00 00 00 03 00 49 49 49 85 00 09 00 63 C8 02 00 00 00 01 00 56 85 00 0A 00 F3 67 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2520; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-099; classtype:attempted-user; sid:36002; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel malformed XF record use after free attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|90 EC B7 BD 89 36 CE 01 FE FF FF FF 00 00 00 00 00 00 00 00 57 00 6F 00 72 00 6B 00 62 00 6F 00 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2523; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-099; classtype:attempted-user; sid:36001; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed XF record use after free attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|90 EC B7 BD 89 36 CE 01 FE FF FF FF 00 00 00 00 00 00 00 00 57 00 6F 00 72 00 6B 00 62 00 6F 00 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2523; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-099; classtype:attempted-user; sid:36000; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel OLESS directory entry type confusion remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|C0 F7 22 A4 65 D2 9B 3E 62 FF AE C2 E7 48 71 C0 0D D2 A7 73 AC 49 26 BD 44 6A E4 D2 06 3F 2D 28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2521; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-099; classtype:attempted-user; sid:35997; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel OLESS directory entry type confusion remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|C0 F7 22 A4 65 D2 9B 3E 62 FF AE C2 E7 48 71 C0 0D D2 A7 73 AC 49 26 BD 44 6A E4 D2 06 3F 2D 28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2521; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-099; classtype:attempted-user; sid:35996; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt"; flow:to_server,established; flowbits:isset,file.docx; file_data; content:"|D6 3B F7 71 19 1B D3 A5 20 E0 4A B0 01 30 E8 55 ED DF B9 2C AE 6E 1C 30 A5 AA 71 29 1F 0E 80 B8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2545; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-099; classtype:attempted-user; sid:36027; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt"; flow:to_client,established; flowbits:isset,file.docx; file_data; content:"|D6 3B F7 71 19 1B D3 A5 20 E0 4A B0 01 30 E8 55 ED DF B9 2C AE 6E 1C 30 A5 AA 71 29 1F 0E 80 B8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2545; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-099; classtype:attempted-user; sid:36026; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Windows OLE Packer Remote Code Execution attempt"; flow:to_server,established; file_data; content:"|36 64 12 62 40 EE E8 DA 5E F7 87 2B 87 14 2A 9A 31 86 7B E8 FC D9 D5 F5 5E 73 57 AC 75 D6 7A CD BA 38 13 C9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2014-6352; reference:url,technet.microsoft.com/library/security/3010060; classtype:attempted-user; sid:36148; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows OLE Packer Remote Code Execution attempt"; flow:to_client,established; file_data; content:"|36 64 12 62 40 EE E8 DA 5E F7 87 2B 87 14 2A 9A 31 86 7B E8 FC D9 D5 F5 5E 73 57 AC 75 D6 7A CD BA 38 13 C9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6352; reference:url,technet.microsoft.com/library/security/3010060; classtype:attempted-user; sid:36147; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office XML nested num tag double-free attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|10 00 08 01|docProps/app.xml"; fast_pattern; content:"|92 C1 4E C3 30 0C 86 EF 48 BC 43 95 7B 9B A4 63 88 55 6D 27 01 DA 89 49 48 0C 81 B8 45 89 D7 45|"; within:960; distance:40; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74011; reference:cve,2015-1650; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:36245; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office XML nested num tag double-free attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|10 00 08 01|docProps/app.xml"; fast_pattern; content:"|92 C1 4E C3 30 0C 86 EF 48 BC 43 95 7B 9B A4 63 88 55 6D 27 01 DA 89 49 48 0C 81 B8 45 89 D7 45|"; within:960; distance:40; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,74011; reference:cve,2015-1650; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:36244; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt "; flow:to_server,established; file_data; content:"|2B 14 00 00 24 01 00 00 4F 15 00 00 00 00 00 00 4F 15 00 00 00 00 00 00 4F 15 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,76192; reference:cve,2015-2477; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-081; classtype:attempted-user; sid:36204; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt "; flow:to_client,established; file_data; content:"|2B 14 00 00 24 01 00 00 4F 15 00 00 00 00 00 00 4F 15 00 00 00 00 00 00 4F 15 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,76192; reference:cve,2015-2477; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-081; classtype:attempted-user; sid:36203; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel malformed binary format use after free attempt"; flow:to_server,established; flowbits:isset,file.xlsx; file_data; content:"|6B 95 3B DD B6 40 58 44 DD E9 D5 09 C5 31 69 56 86 32 14 D4 9B 58 CA 41 03 2B 33 C5 5F 69 82 E8 FF F9 CA EC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2555; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-110; classtype:attempted-user; sid:36430; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed binary format use after free attempt"; flow:to_client,established; flowbits:isset,file.xlsx; file_data; content:"|6B 95 3B DD B6 40 58 44 DD E9 D5 09 C5 31 69 56 86 32 14 D4 9B 58 CA 41 03 2B 33 C5 5F 69 82 E8 FF F9 CA EC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2555; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-110; classtype:attempted-user; sid:36429; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Visio lmetaclasscount buffer overflow attempt"; flow:to_server,established; file_data; content:"|A0 3B E5 40 3C E5 40 3D E5 40 3E E5 40 55 3F E5 40 40 E5 40 41 E5 40|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2557; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-110; classtype:attempted-user; sid:36428; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Visio lmetaclasscount buffer overflow attempt"; flow:to_client,established; file_data; content:"|A0 3B E5 40 3C E5 40 3D E5 40 3E E5 40 55 3F E5 40 40 E5 40 41 E5 40|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2557; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-110; classtype:attempted-user; sid:36427; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt"; flow:to_server,established; flowbits:isset,file.xlsx; file_data; content:"|F0 A9 1E E3 D8 98 6C 44 88 0E 63 96 50 7D 20 33 96 C2 C9 52 AA 84 1A D8 AA 15 D1 99 62 34 D2 31|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-2558; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-110; classtype:attempted-user; sid:36426; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt"; flow:to_client,established; flowbits:isset,file.xlsx; file_data; content:"|F0 A9 1E E3 D8 98 6C 44 88 0E 63 96 50 7D 20 33 96 C2 C9 52 AA 84 1A D8 AA 15 D1 99 62 34 D2 31|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2558; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-110; classtype:attempted-user; sid:36425; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word .rtf file stylesheet buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|stylesheet"; nocase; content:"|5C|stylesheet"; distance:0; nocase; content:"|5C|stylesheet"; distance:0; nocase; content:"|5C|stylesheet"; distance:0; nocase; content:"|5C|stylesheet"; distance:0; nocase; content:"|5C|stylesheet"; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-4031; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:attempted-user; sid:36631; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt"; flow:to_server,established; file_data; content:"|A2 31 2A EB 46 25 1B A3 72 6E 54 D0 18 95 B7 51 E6 2A 22 44 39 7A A1 95 D5 EA CE 50 12 CD 70 59|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6038; reference:cve,2016-0136; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-116; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-042; classtype:attempted-user; sid:36752; rev:5;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt"; flow:to_client,established; file_data; content:"|A2 31 2A EB 46 25 1B A3 72 6E 54 D0 18 95 B7 51 E6 2A 22 44 39 7A A1 95 D5 EA CE 50 12 CD 70 59|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6038; reference:cve,2016-0136; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-116; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-042; classtype:attempted-user; sid:36751; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word FGetCpFlowDr memory corruption attempt"; flow:to_server,established; file_data; content:"|68 F8 74 CB 00 00 2D 15 68 35 07 3B 00 16 68 35 07 3B 00 42 2A 01 43 4A 10 00 4B 48 00 00 4F 4A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6091; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-116; classtype:attempted-user; sid:36741; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word FGetCpFlowDr memory corruption attempt"; flow:to_client,established; file_data; content:"|68 F8 74 CB 00 00 2D 15 68 35 07 3B 00 16 68 35 07 3B 00 42 2A 01 43 4A 10 00 4B 48 00 00 4F 4A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6091; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-116; classtype:attempted-user; sid:36740; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word CoCreateInstance elevation of privilege attempt"; flow:to_server,established; file_data; content:"0|00|0|00|0|00|2|00|0|00|9|00|f|00|f|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|c|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; content:"0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|c|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2503; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-116; classtype:attempted-user; sid:36721; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word CoCreateInstance elevation of privilege attempt"; flow:to_client,established; file_data; content:"0|00|0|00|0|00|2|00|0|00|9|00|f|00|f|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|c|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; content:"0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|c|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2503; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-116; classtype:attempted-user; sid:36720; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word PmwdFromDoc use after free attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|00 0F 00 00 03 24 03 0F 84 D0 02 11 84 E4 FD 5E 84 D0 02 60 84 E4 FD 61 24 03 67 E4 C5 22 D4 00 00 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6092; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-116; classtype:attempted-user; sid:36717; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word PmwdFromDoc use after free attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 0F 00 00 03 24 03 0F 84 D0 02 11 84 E4 FD 5E 84 D0 02 60 84 E4 FD 61 24 03 67 E4 C5 22 D4 00 00 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6092; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-116; classtype:attempted-user; sid:36716; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel slicer style use-after-free attempt"; flow:to_server,established; file_data; content:"|69 44 94 38 14 27 D4 CE E9 FC 0C F9 33 7F F2 C0 9E 44 51 15 3B E4 FB 38 DC 0C 93 68 CD A2 B4 C5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-116; classtype:attempted-user; sid:36715; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel slicer style use-after-free attempt"; flow:to_client,established; file_data; content:"|69 44 94 38 14 27 D4 CE E9 FC 0C F9 33 7F F2 C0 9E 44 51 15 3B E4 FB 38 DC 0C 93 68 CD A2 B4 C5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-116; classtype:attempted-user; sid:36714; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office malformed odttf integer overflow attempt"; flow:to_server,established; flowbits:isset,file.docx; file_data; content:"word/fonts/"; content:".odttf"; within:25; content:"|3B 76 37 13 DA 99 B7 E2 F6 D8 B7 BE 9E 79 D3 AE BF BB 7E 71 63 8D AA 9C AA 5A 53 FD EA CC 03 BF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6093; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-116; classtype:attempted-user; sid:36708; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office malformed odttf integer overflow attempt"; flow:to_client,established; flowbits:isset,file.docx; file_data; content:"word/fonts/"; content:".odttf"; within:25; content:"|3B 76 37 13 DA 99 B7 E2 F6 D8 B7 BE 9E 79 D3 AE BF BB 7E 71 63 8D AA 9C AA 5A 53 FD EA CC 03 BF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6093; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-116; classtype:attempted-user; sid:36707; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|0B 08|"; content:"|0B 08|"; within:2; distance:2; byte_extract:2,14,num_charw,relative,multiplier 2,little; byte_test:2,<,num_charw,-20,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,40522; reference:cve,2010-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:36857; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|00 00 C3 0B 08 00 00 00|"; byte_test:1,>,0,4,relative,little; byte_test:1,<,27,4,relative,little; byte_test:4,>,7,0,relative,little; metadata:policy security-ips drop, service smtp; reference:cve,2010-0031; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:36888; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|1F 00 44 F1|"; content:"|27 F1|"; within:8; content:"|0F 00 2D F1|"; within:750; content:"|0F 00 2E F1|"; within:750; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:37035; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|1F 00 44 F1|"; content:"|27 F1|"; within:8; content:"|0F 00 2D F1|"; within:750; content:"|0F 00 2E F1|"; within:750; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:37034; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|1F 00 44 F1|"; content:"|27 F1|"; within:8; content:"|0F 00 31 F1|"; within:750; content:"|1F 00 32 F1|"; within:750; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:37033; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|1F 00 44 F1|"; content:"|27 F1|"; within:8; content:"|0F 00 2E F1|"; within:750; content:"|0F 00 2E F1|"; within:750; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:37032; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|1F 00 44 F1|"; content:"|27 F1|"; within:8; content:"|0F 00 31 F1|"; within:750; content:"|1F 00 2C F1|"; within:750; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:37031; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|1F 00 44 F1|"; content:"|27 F1|"; within:8; content:"|0F 00 31 F1|"; within:750; content:"|1F 00 2D F1|"; within:750; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:37030; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|1F 00 44 F1|"; content:"|27 F1|"; within:8; content:"|0F 00 31 F1|"; within:750; content:"|1F 00 2D F1|"; within:750; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:37029; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt"; flow:to_server,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"__substg1"; content:"__substg1"; distance:0; content:"__substg1"; distance:0; content:"__substg1"; distance:0; content:"__substg1"; distance:0; content:"Ole|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6172; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-131; classtype:attempted-user; sid:37013; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt"; flow:to_server,established; file_data; content:"|78 9F 3E 22|"; depth:4; content:"|D0 CF 11 E0 A1 B1 1A E1|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6172; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-131; classtype:attempted-user; sid:37012; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt"; flow:to_server,established; file_data; content:"|78 9F 3E 22|"; depth:4; content:"|0E 11 FC 0D D0 CF 11 0E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6172; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-131; classtype:attempted-user; sid:37011; rev:3;) alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office request for nwdblib.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"n|00|w|00|d|00|b|00|l|00|i|00|b|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x19\x00|\x00\x5C)\x00n\x00w\x00d\x00b\x00l\x00i\x00b\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2015-6128; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:37002; rev:3;) alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office request for elsext.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"e|00|l|00|s|00|e|00|x|00|t|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x17\x00|\x00\x5C)\x00e\x00l\x00s\x00e\x00x\x00t\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2015-6128; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:37001; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office nwdblib.dll dll-load exploit attempt"; flow:to_server,established; content:"/nwdblib.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6128; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:37000; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office elsext.dll dll-load exploit attempt"; flow:to_server,established; content:"/elsext.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6128; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:36999; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office spframe.dll dll-load exploit attempt"; flow:to_server,established; content:"/spframe.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6132; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:36996; rev:3;) alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office request for spframe.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"s|00|p|00|f|00|r|00|a|00|m|00|e|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x19\x00|\x00\x5C)\x00s\x00p\x00f\x00r\x00a\x00m\x00e\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2015-6132; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:36995; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt"; flow:to_server,established; content:"/mqrt.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6132; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:36994; rev:3;) alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office request for mqrt.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"m|00|q|00|r|00|t|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x13\x00|\x00\x5C)\x00m\x00q\x00r\x00t\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2015-6132; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:36993; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel out of bounds read attempt"; flow:to_server,established; file_data; content:"|FF FF FF 7F 01 00 B7 01 00 19 1E 05 00 1E 0A 00 B1 01 8E 00 02 00 08 00 00 00 FF FF 3A 24 02 00 00 00 09 00 0D 00 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6177; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-131; classtype:attempted-user; sid:36975; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel out of bounds read attempt"; flow:to_client,established; file_data; content:"|FF FF FF 7F 01 00 B7 01 00 19 1E 05 00 1E 0A 00 B1 01 8E 00 02 00 08 00 00 00 FF FF 3A 24 02 00 00 00 09 00 0D 00 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6177; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-131; classtype:attempted-user; sid:36974; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word OGL module out of bounds read attempt"; flow:to_server,established; file_data; content:"|02 04 00 00 03 24 03 61 24 03 00 04 00 00 03 24 01 61 24 01 08 01 00 03 24 01 0A 26 00 0B 46 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-128; classtype:attempted-user; sid:36967; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word OGL module out of bounds read attempt"; flow:to_client,established; file_data; content:"|02 04 00 00 03 24 03 61 24 03 00 04 00 00 03 24 01 61 24 01 08 01 00 03 24 01 0A 26 00 0B 46 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-128; classtype:attempted-user; sid:36966; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word gdiplus integer overflow attempt"; flow:to_server,established; file_data; content:"|2B 15 68 16 13 A5 00 16 68 2F 7D 31 00 35 08 81 43 4A 20 00 61 4A 20 00 66 48 00 99 6F 28 01 71|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6107; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-128; classtype:attempted-user; sid:36965; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word gdiplus integer overflow attempt"; flow:to_client,established; file_data; content:"|2B 15 68 16 13 A5 00 16 68 2F 7D 31 00 35 08 81 43 4A 20 00 61 4A 20 00 66 48 00 99 6F 28 01 71|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6107; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-128; classtype:attempted-user; sid:36964; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word XML parsing use after free attempt"; flow:to_server,established; file_data; content:"|75 EF C1 4E 11 EE 13 76 0B 97 04 A4 65 87 82 99 FE C6 65 4D DA 9D A4 9C 8F 2F 4D 09 6A A5 64 BE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-131; classtype:attempted-user; sid:36961; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word XML parsing use after free attempt"; flow:to_client,established; file_data; content:"|75 EF C1 4E 11 EE 13 76 0B 97 04 A4 65 87 82 99 FE C6 65 4D DA 9D A4 9C 8F 2F 4D 09 6A A5 64 BE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-131; classtype:attempted-user; sid:36960; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel StyleXF invalid icvXF out of bounds read attempt"; flow:to_server,established; file_data; content:"|E0 00 14 00 05 00 2C 00 F5 FF 20 00 00 F8 00 00 00 00 00 00 00 00 C0 60 E0 00 14 00 18 00 2A 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-131; classtype:attempted-user; sid:36959; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel StyleXF invalid icvXF out of bounds read attempt"; flow:to_client,established; file_data; content:"|E0 00 14 00 05 00 2C 00 F5 FF 20 00 00 F8 00 00 00 00 00 00 00 00 C0 60 E0 00 14 00 18 00 2A 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-131; classtype:attempted-user; sid:36958; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word pointer release validation use after free attempt"; flow:to_server,established; file_data; content:"|B2 04 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 06 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:36935; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word pointer release validation use after free attempt"; flow:to_client,established; file_data; content:"|B2 04 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 06 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:36934; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office wuaext.dll dll-load exploit attempt"; flow:to_server,established; content:"/wuaext.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6133; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:36931; rev:4;) alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office request for wuaext.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"w|00|u|00|a|00|e|00|x|00|t|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x17\x00|\x00\x5C)\x00w\x00u\x00a\x00e\x00x\x00t\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2015-6133; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:36930; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel MSO reference count use after free attempt"; flow:to_server,established; file_data; content:"|D1 7F EF 90 92 63 27 59 74 0B BB 40 6D 80 E2 75 38 3C 73 E6 72 FF E1 D0 70 F4 4C 55 C7 A4 C8 B1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6040; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-131; classtype:attempted-user; sid:36925; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel MSO reference count use after free attempt"; flow:to_client,established; file_data; content:"|D1 7F EF 90 92 63 27 59 74 0B BB 40 6D 80 E2 75 38 3C 73 E6 72 FF E1 D0 70 F4 4C 55 C7 A4 C8 B1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6040; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-131; classtype:attempted-user; sid:36924; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt"; flow:to_server,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"__substg1.0_3701000D"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6172; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-131; classtype:attempted-user; sid:37120; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel CrErr record integer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|09 08 08 00 00 05|"; content:"|65 08|"; distance:0; byte_test:1,&,0x80,19,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43643; reference:cve,2010-3230; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-080; classtype:attempted-user; sid:37246; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF parser heap overflow attempt"; flow:to_server,established; file_data; content:"{|5C|rt"; depth:4; content:"|5C|pict"; content:"|5C|wbmwidthbytes"; within:200; byte_extract:4,0,widthbytesvalue,relative,multiplier 7,string,dec; content:"|5C|picw"; within:190; distance:-200; byte_test:4,<,widthbytesvalue,0,relative,string,dec; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0010; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-004; classtype:attempted-user; sid:37274; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF parser heap overflow attempt"; flow:to_client,established; file_data; content:"{|5C|rt"; depth:4; content:"|5C|pict"; content:"|5C|wbmwidthbytes"; within:200; byte_extract:4,0,widthbytesvalue,relative,multiplier 7,string,dec; content:"|5C|picw"; within:190; distance:-200; byte_test:4,<,widthbytesvalue,0,relative,string,dec; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0010; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-004; classtype:attempted-user; sid:37273; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office metafile conversion out of bounds read attempt"; flow:to_server,established; file_data; content:"|87 03 05 95 16 01 29 15 B4 55 25 92 16 15 A9 15 12 BF 0A AA DA 5C 9F 77 6E D7 BE A4 4E 70 28 6A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0008; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-005; classtype:attempted-user; sid:37266; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office metafile conversion out of bounds read attempt"; flow:to_client,established; file_data; content:"|87 03 05 95 16 01 29 15 B4 55 25 92 16 15 A9 15 12 BF 0A AA DA 5C 9F 77 6E D7 BE A4 4E 70 28 6A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0008; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-005; classtype:attempted-user; sid:37265; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office api-ms-win-core-winrt-l1-1-0.dll dll-load exploit attempt"; flow:to_server,established; content:"/api-ms-win-core-winrt-l1-1-0.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0018; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-007; classtype:attempted-user; sid:37264; rev:3;) alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office request for api-ms-win-core-winrt-l1-1-0.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"a|00|p|00|i|00|-|00|m|00|s|00|-|00|w|00|i|00|n|00|-|00|c|00|o|00|r|00|e|00|-|00|w|00|i|00|n|00|r|00|t|00|-|00|l|00|1|00|-|00|1|00|-|00|0|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-0018; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-007; classtype:attempted-user; sid:37263; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office mfplat.dll dll-load exploit attempt"; flow:to_server,established; content:"/mfplat.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0016; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-007; classtype:attempted-user; sid:37262; rev:3;) alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office request for mfplat.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"m|00|f|00|p|00|l|00|a|00|t|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x17\x00|\x00\x5C)\x00m\x00f\x00p\x00l\x00a\x00t\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-0016; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-007; classtype:attempted-user; sid:37261; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel mso20win32client use after free attempt"; flow:to_server,established; file_data; content:"|43 52 0D 7D 55 C6 3D 66 8C D0 9D 3F B6 C7 B8 18 AB 76 09 7D 62 91 D8 9B 9A EC 95 58 AA 3B 75 AE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-004; classtype:attempted-user; sid:37260; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel mso20win32client use after free attempt"; flow:to_client,established; file_data; content:"|43 52 0D 7D 55 C6 3D 66 8C D0 9D 3F B6 C7 B8 18 AB 76 09 7D 62 91 D8 9B 9A EC 95 58 AA 3B 75 AE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-004; classtype:attempted-user; sid:37259; rev:2;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office Word request for rpawinet.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"r|00|p|00|a|00|w|00|i|00|n|00|e|00|t|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,47246; reference:cve,2010-3142; reference:cve,2011-0107; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; classtype:attempted-user; sid:37319; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt"; flow:to_server,established; content:"/rpawinet.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,47246; reference:cve,2010-3142; reference:cve,2011-0107; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; classtype:attempted-user; sid:37318; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt "; flow:to_server,established; file_data; content:"|00 00 5F 78 6C 66 6E 2E 52 54 44 1C 1D 13 08 23 02 13 08 FF FF FF FF FF FF FF FF FF FF FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-1246; reference:url,technet.microsoft.com/en-us/security/bulletin/ms1-038; classtype:attempted-user; sid:37294; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt "; flow:to_client,established; file_data; content:"|00 00 5F 78 6C 66 6E 2E 52 54 44 1C 1D 13 08 23 02 13 08 FF FF FF FF FF FF FF FF FF FF FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1246; reference:url,technet.microsoft.com/en-us/security/bulletin/ms1-038; classtype:attempted-user; sid:37293; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt"; flow:to_server,established; file_data; content:"|37 D6 77 4E 4B C6 57 DE 7E 2E B7 6D 46 13 DE 5F 6F 8A 31 60 5E 44 24 71 47 F2 AA F6 BE 1A EE F2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1770; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-059; classtype:attempted-user; sid:37410; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt"; flow:to_client,established; file_data; content:"|37 D6 77 4E 4B C6 57 DE 7E 2E B7 6D 46 13 DE 5F 6F 8A 31 60 5E 44 24 71 47 F2 AA F6 BE 1A EE F2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1770; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-059; classtype:attempted-user; sid:37409; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Publisher 2007 conversion library code execution attempt"; flow:to_server,established; flowbits:isset,file.pub; file_data; content:"|01 00 00 00 FF FF FF 7F 01 00 00 80 01 00 00 00 10 0E FE 7F 01 00 00 00 58 00 7C 96 18 CB 7C 96|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,22702; reference:cve,2007-1754; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-037; classtype:attempted-user; sid:37362; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word rtf file bitmap width integer overflow attempt"; flow:to_server,established; file_data; content:"{|5C|rtf1{|5C|pict|5C|wbitmap0|5C|picw117|5C|pi"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0052; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-015; classtype:attempted-user; sid:37607; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word rtf file bitmap width integer overflow attempt"; flow:to_client,established; file_data; content:"{|5C|rtf1{|5C|pict|5C|wbitmap0|5C|picw117|5C|pi"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0052; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-015; classtype:attempted-user; sid:37606; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Powerpoint shape objects null pointer dereference memory corruption attempt"; flow:to_server,established; file_data; content:"word/_rels/webSettings.xml.rels"; fast_pattern:only; content:"|01 02 2D 00 14 00 06 00 08 00 00 00 21 00 93 1C 78 62 E0 06|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0056; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-015; classtype:attempted-user; sid:37601; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Powerpoint shape objects null pointer dereference memory corruption attempt"; flow:to_client,established; file_data; content:"word/_rels/webSettings.xml.rels"; fast_pattern:only; content:"|01 02 2D 00 14 00 06 00 08 00 00 00 21 00 93 1C 78 62 E0 06|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0056; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-015; classtype:attempted-user; sid:37600; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word external document access use-after-free attempt"; flow:to_server,established; file_data; content:"Target="; nocase; content:"http://"; within:20; nocase; content:".docx"; within:40; nocase; content:"TargetMode="; within:40; nocase; content:"External"; within:40; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0056; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-015; classtype:attempted-user; sid:37599; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word external document access use-after-free attempt"; flow:to_client,established; file_data; content:"Target="; nocase; content:"http://"; within:20; nocase; content:".docx"; within:40; nocase; content:"TargetMode="; within:40; nocase; content:"External"; within:40; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0056; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-015; classtype:attempted-user; sid:37598; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel formula length heap corruption attempt"; flow:to_server,established; file_data; content:"|35 3B D9 E5 CE C8 31 DA 9A BE 93 4B CB FD 0C 08 E1 7F E1 91 41 22 D3 5A B7 C9 43 CC 9F 74 E7 9F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0054; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-015; classtype:attempted-user; sid:37593; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel formula length heap corruption attempt"; flow:to_client,established; file_data; content:"|35 3B D9 E5 CE C8 31 DA 9A BE 93 4B CB FD 0C 08 E1 7F E1 91 41 22 D3 5A B7 C9 43 CC 9F 74 E7 9F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0054; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-015; classtype:attempted-user; sid:37592; rev:2;) alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office Word request for OLMAPI32.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"O|00|L|00|M|00|A|00|P|00|I|00|3|00|2|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-0042; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-014; classtype:attempted-user; sid:37591; rev:3;) alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office Word request for BCSRuntime.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"B|00|C|00|S|00|R|00|u|00|n|00|t|00|i|00|m|00|e|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-0042; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-014; classtype:attempted-user; sid:37590; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office Word OLMAPI32.dll dll-load exploit attempt"; flow:to_server,established; content:"/OLMAPI32.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0042; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-014; classtype:attempted-user; sid:37589; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office Word BCSRuntime.dll dll-load exploit attempt"; flow:to_server,established; content:"/BCSRuntime.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0042; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-014; classtype:attempted-user; sid:37588; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Powerpoint shape object null pointer dereference attempt"; flow:to_server,established; file_data; content:"|0B 11 37 5D 88 62 8B F8 13 DC 15 DD 48 89 8B E9 B4 52 48 8B 07 2E 3C E7 E5 9C 73 EF 3D E7 5E 48|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0055; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-015; classtype:attempted-user; sid:37580; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Powerpoint shape object null pointer dereference attempt"; flow:to_client,established; file_data; content:"|0B 11 37 5D 88 62 8B F8 13 DC 15 DD 48 89 8B E9 B4 52 48 8B 07 2E 3C E7 E5 9C 73 EF 3D E7 5E 48|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0055; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-015; classtype:attempted-user; sid:37579; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpgroup|5C|dpcount"; nocase; content:!"dpinfo"; within:200; nocase; content:!"dpendgroup"; within:300; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-015; classtype:attempted-user; sid:37564; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C 00|d|00|p|00|g|00|r|00|o|00|u|00|p|00 5C 00|d|00|p|00|c|00|o|00|u|00|n|00|t"; nocase; content:!"d|00|p|00|i|00|n|00|f|00|o"; within:200; nocase; content:!"d|00|p|00|e|00|n|00|d|00|g|00|r|00|o|00|u|00|p"; within:300; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-015; classtype:attempted-user; sid:37563; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpgroup|5C|dpcount"; nocase; content:!"dpinfo"; within:200; nocase; content:!"dpendgroup"; within:300; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-015; classtype:attempted-user; sid:37562; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C 00|d|00|p|00|g|00|r|00|o|00|u|00|p|00 5C 00|d|00|p|00|c|00|o|00|u|00|n|00|t"; nocase; content:!"d|00|p|00|i|00|n|00|f|00|o"; within:200; nocase; content:!"d|00|p|00|e|00|n|00|d|00|g|00|r|00|o|00|u|00|p"; within:300; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-015; classtype:attempted-user; sid:37561; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word rtf file ffdefres integer underflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.rtf|file.ole; content:"|5C|rtf"; content:"|5C|field"; distance:0; content:"|5C|fldinst"; within:50; content:"|5C|formfield"; distance:0; content:"|5C|ffdefres-"; within:50; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-015; classtype:attempted-user; sid:37560; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word rtf file ffdefres integer underflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.rtf|file.ole; content:"|5C|rtf"; content:"|5C|field"; distance:0; content:"|5C|fldinst"; within:50; content:"|5C|formfield"; distance:0; content:"|5C|ffdefres-"; within:50; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-015; classtype:attempted-user; sid:37559; rev:2;) alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office request for phoneinfo.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"p|00|h|00|o|00|n|00|e|00|i|00|n|00|f|00|o|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-0041; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-014; classtype:attempted-user; sid:37558; rev:3;) alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office request for msdaora.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"m|00|s|00|d|00|a|00|o|00|r|00|a|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-0041; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-014; classtype:attempted-user; sid:37557; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office phoneinfo.dll dll-load exploit attempt"; flow:to_server,established; content:"/phoneinfo.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0041; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-014; classtype:attempted-user; sid:37556; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office msdaora.dll dll-load exploit attempt"; flow:to_server,established; content:"/msdaora.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0041; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-014; classtype:attempted-user; sid:37555; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office ole object external file loading attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|49 65 19 4F A9 DA D6 B6 DA 4A D1 7E B4 AD 95 FA 13 FC 81 17 A2 49 40 04 04 AB 28 A8 B1 45 9D 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:37707; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office ole object external file loading attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|49 65 19 4F A9 DA D6 B6 DA 4A D1 7E B4 AD 95 FA 13 FC 81 17 A2 49 40 04 04 AB 28 A8 B1 45 9D 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:37706; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office ole object external file loading attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|B6 9A 62 AD 55 6B 6D B5 2D DE C3 A5 06 D4 2A 28 22 2A 08 B6 A2 07 43 2B 2A 62 50 F4 BC 7B 4E B0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:37705; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office ole object external file loading attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|B6 9A 62 AD 55 6B 6D B5 2D DE C3 A5 06 D4 2A 28 22 2A 08 B6 A2 07 43 2B 2A 62 50 F4 BC 7B 4E B0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:37704; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office ole object external file loading attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|6B 3B D4 89 B3 B6 B2 4E 6A 2F E2 61 78 04 DE 80 37 80 47 80 2B 07 DE 80 86 35 4D A4 14 09 A9 70|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:37703; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office ole object external file loading attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|6B 3B D4 89 B3 B6 B2 4E 6A 2F E2 61 78 04 DE 80 37 80 47 80 2B 07 DE 80 86 35 4D A4 14 09 A9 70|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:37702; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office ole object external file loading attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|B4 03 3C C4 29 20 6B 0F 74 00 3A 02 9D 00 2F A0 33 D0 05 F0 06 7C 80 AE 80 2F D0 0D E8 0E F4 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:37701; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office ole object external file loading attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|B4 03 3C C4 29 20 6B 0F 74 00 3A 02 9D 00 2F A0 33 D0 05 F0 06 7C 80 AE 80 2F D0 0D E8 0E F4 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:37700; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel file with embedded ActiveX control"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|00|_|00|_|00|S|00|R|00|P|00|_|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-3477; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:37846; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|C6 1D 3F 74 BA 5A 9F 42 DF 8B C2 3D 25 03 4D C5|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37994; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|C6 1D 3F 74 BA 5A 9F 42 8B DF C5 4D 03 25 3D C2|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37993; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|AD 55 79 66 3B 6B CA 43 B9 49 BC 69 B5 BA FF 7F|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37992; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|AD 55 79 66 3B 6B CA 43 49 B9 7F FF BA B5 69 BC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37991; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|A2 D9 C1 E4 F7 CB BD 48 9A 69 34 A5 5E 0D 89 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37990; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|A0 7B FE EB 8D 62 D2 11 AE 0F 00 60 97 B0 14 11|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37989; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|90 42 93 53 8D 62 D2 11 AE 0F 00 60 97 B0 14 11|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37988; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|75 67 2B 3B B6 70 AF 45 EA 8D F3 59 95 C6 09 A2|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37987; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|75 67 2B 3B B6 70 AF 45 8D EA A2 09 C6 95 59 F3|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37986; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|60 5D 3B 74 8D 62 D2 11 AE 0F 00 60 97 B0 14 11|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37985; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|60 5D 3B 74 8D 62 D2 11 0F AE 11 14 B0 97 60 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37984; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|50 36 4A 6D 8D 62 D2 11 AE 0F 00 60 97 B0 14 11|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37983; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|50 36 4A 6D 8D 62 D2 11 0F AE 11 14 B0 97 60 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37982; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|4D 48 6F 28 5E 37 58 44 A2 72 B1 38 E2 F8 0A 6A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37981; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|4D 48 6F 28 5E 37 58 44 72 A2 6A 0A F8 E2 38 B1|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37980; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|2C AF 75 F9 51 9A F0 4A 91 EA 06 03 86 98 CE 38|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37979; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|23 95 4A 93 CA A3 C5 4B AD A0 D6 D9 5D 97 94 21|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37978; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|23 95 4A 93 CA A3 C5 4B A0 AD 21 94 97 5D D9 D6|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37977; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|1B 5E 82 DA 30 68 D7 43 83 5D 0B 5A D8 29 56 A2|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37976; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|0E 06 47 FC 53 61 34 4B B9 75 8E 41 21 EB 7F 3C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56839; reference:cve,2012-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-082; classtype:attempted-dos; sid:37975; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Publisher tyo.oty field heap overflow attempt"; flow:to_server,established; flowbits:isset,file.pub; file_data; content:"|00 19 1D 00 04 04 01 00 01 00 F2 68 01 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-2569; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:37921; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Publisher pubconv.dll corruption attempt"; flow:to_server,established; flowbits:isset,file.pub; file_data; content:"|39 00 39 00 39 00 39 01 1D 00 04 04 01 00 01 00 E2 00 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,45277; reference:cve,2010-2569; classtype:attempted-user; sid:37920; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word ipdesign.dll ActiveX object access attempt"; flow:to_server,established; file_data; content:"496e666f506174682e44657369676e6572576f7264496d706f7274"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0021; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-029; classtype:attempted-user; sid:38129; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word ipdesign.dll ActiveX object access attempt"; flow:to_server,established; file_data; content:"496e666f506174682e44657369676e6572457863656c496d706f7274"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0021; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-029; classtype:attempted-user; sid:38128; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word ipdesign.dll ActiveX object access attempt"; flow:to_client,established; file_data; content:"496e666f506174682e44657369676e6572576f7264496d706f7274"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0021; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-029; classtype:attempted-user; sid:38127; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word ipdesign.dll ActiveX object access attempt"; flow:to_client,established; file_data; content:"496e666f506174682e44657369676e6572457863656c496d706f7274"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0021; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-029; classtype:attempted-user; sid:38126; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word bitmap stream parsing remote code execution attempt"; flow:to_server,established; file_data; content:"0900000026060F000800FFFFFFFF01000000040000002D0100000400"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0091; reference:cve,2016-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-030 ; classtype:attempted-user; sid:38111; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word bitmap stream parsing remote code execution attempt"; flow:to_client,established; file_data; content:"0900000026060F000800FFFFFFFF01000000040000002D0100000400"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0091; reference:cve,2016-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-030 ; classtype:attempted-user; sid:38110; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word wwlib.dll invalid pointer read attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|08 00 29 59 02 58 B3 6C 08 FF 17 53 AC 4E B5 6B 09 FF B0 65 3A 67 3A 57 39 65 BF 7E 08 FF 00 4E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0134; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-029; classtype:attempted-user; sid:38101; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word wwlib.dll invalid pointer read attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|08 00 29 59 02 58 B3 6C 08 FF 17 53 AC 4E B5 6B 09 FF B0 65 3A 67 3A 57 39 65 BF 7E 08 FF 00 4E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-029; classtype:attempted-user; sid:38100; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word RTF parsing memory corruption attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpline |5C|dpline |5C|dpline |5C|dpline"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,29104; reference:cve,2008-1091; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-026; classtype:attempted-user; sid:38237; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|00 00 00 46 00 00 00 13 3A 9F FF 9F 8C 0F 00 00 F0 38 00 00 00 00 00 06 F0 18 00 00 00 02 08 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42130; reference:cve,2010-1903; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:38267; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|00 13 3A FF FF FF 8C 0F 00 00 F0 38 00 00 00 00 00 06 F0 18 00 00 00 02 08 00 00 02 00 00 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42130; reference:cve,2010-1903; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:38266; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|06 00|"; byte_test:2,>,0,0,relative,little; byte_test:1,>,3,8,relative,little; content:"|FF FF|"; within:2; distance:14; byte_test:1,!&,41,0,relative,little; content:"|00|"; within:1; distance:1; byte_test:2,>,0,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35244; reference:cve,2009-0560; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-user; sid:38265; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word rtf malformed dpcallout buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpcallout"; fast_pattern:only; pcre:"/\x5cdpcallout\s*\x5cdpcallout\s*\x5cdpcallout/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32585; reference:cve,2008-4028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:attempted-user; sid:38262; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"|EC A5|"; within:2; distance:504; byte_test:4,>,0xFFFF,138,relative,little; content:"|00 00 00 00|"; within:4; distance:12; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,21589; reference:cve,2006-6561; classtype:attempted-user; sid:38274; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"|EC A5|"; within:2; distance:504; byte_test:4,>,0xFFFF,126,relative,little; content:"|00 00 00 00|"; within:4; distance:12; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,21589; reference:cve,2006-6561; classtype:attempted-user; sid:38273; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"|EC A5|"; within:2; distance:504; byte_test:4,>,0xFFFF,114,relative,little; content:"|00 00 00 00|"; within:4; distance:12; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,21589; reference:cve,2006-6561; classtype:attempted-user; sid:38272; rev:2;) # alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word out of bound read exception attempt"; flow:to_server,established; file_data; flowbits:isset,file.rtf; content:"dpgroup"; content:"dpgroup"; within:100; content:"dpgroup"; within:100; content:"dpendgroup"; within:100; content:"dpendgroup"; within:100; content:"dpendgroup"; within:100; content:"dpcount"; pcre:"/(dpgroup)(?!.{0,10}dpendgroup).{0,10}(dpgroup)(?!.{0,5}dpendgroup).{0,10}(dpgroup)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0127; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-042; classtype:attempted-user; sid:38496; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word out of bound read exception attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"dpgroup"; content:"dpgroup"; within:100; content:"dpgroup"; within:100; content:"dpendgroup"; within:100; content:"dpendgroup"; within:100; content:"dpendgroup"; within:100; content:"dpcount"; pcre:"/(dpgroup)(?!.{0,10}dpendgroup).{0,10}(dpgroup)(?!.{0,5}dpendgroup).{0,10}(dpgroup)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0127; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-042; classtype:attempted-user; sid:38495; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt"; flow:to_server,established; file_data; content:"EMBED Package"; fast_pattern:only; content:"|00 03 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; content:"OLE Package"; within:11; distance:4; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0153; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-044; classtype:attempted-user; sid:38490; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt"; flow:to_client,established; file_data; content:"EMBED Package"; fast_pattern:only; content:"|00 03 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; content:"OLE Package"; within:11; distance:4; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0153; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-044; classtype:attempted-user; sid:38489; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel msxml6 ParseElementN use after free attempt"; flow:to_server,established; file_data; content:"|40 97 A6 92 FA 90 D1 E7 DD 26 B8 A3 C4 79 A1 2B A1 8C 86 8C BE 81 A3 F7 EB CF 9F 56 83 B1 C7 5F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0122; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-042; classtype:attempted-user; sid:38482; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel msxml6 ParseElementN use after free attempt"; flow:to_client,established; file_data; content:"|40 97 A6 92 FA 90 D1 E7 DD 26 B8 A3 C4 79 A1 2B A1 8C 86 8C BE 81 A3 F7 EB CF 9F 56 83 B1 C7 5F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0122; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-042; classtype:attempted-user; sid:38481; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel sheet object use after free attempt"; flow:to_server,established; file_data; content:"|29 00 00 00 00 00 00 5D 00 CE 00 20 00 7C 02 AC 00 01 00 0C 00 F2 04 38 34 00 00 00 00 00 00 5D 00 CE 00 20 00 7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0139; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-042; classtype:attempted-user; sid:38472; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel sheet object use after free attempt"; flow:to_client,established; file_data; content:"|29 00 00 00 00 00 00 5D 00 CE 00 20 00 7C 02 AC 00 01 00 0C 00 F2 04 38 34 00 00 00 00 00 00 5D 00 CE 00 20 00 7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0139; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-042; classtype:attempted-user; sid:38471; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RFT document malformed header"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C|rtvpn"; depth:7; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:38581; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RFT document malformed header"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C|rtvpn"; depth:7; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:38580; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office document with auto-start VBA macro detected"; flow:to_server,established; file_data; content:"|00|Document_Open"; content:"|00|Run"; content:"|00|CreateObject"; content:"|00|CallByName"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:38640; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office document with auto-start VBA macro detected"; flow:to_client,established; file_data; content:"|00|Document_Open"; content:"|00|Run"; content:"|00|CreateObject"; content:"|00|CallByName"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:38639; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt"; flow:to_server,established; file_data; flowbits:isset,file.rtf; content:"{|5C|sv 8"; pcre:"/{\\sv\s*8\s*\x3b\s*\w+\s*[^},]*\x3b\s*\w{9}\s*\x3b/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0183; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-054; classtype:attempted-recon; sid:38815; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt"; flow:to_server,established; file_data; flowbits:isset,file.rtf; content:"{|5C|sv 4"; pcre:"/{\\sv\s*4\s*\x3b\s*\w+\s*[^},]*\x3b\s*\w{7}\s*\x3b/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0183; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-054; classtype:attempted-recon; sid:38814; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt"; flow:to_server,established; file_data; flowbits:isset,file.rtf; content:"{|5C|sv 2"; pcre:"/{\\sv\s*2\s*\x3b\s*\w+\s*[^},]*\x3b\s*\w{5}\s*\x3b/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0183; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-054; classtype:attempted-recon; sid:38813; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt"; flow:to_client,established; file_data; flowbits:isset,file.rtf; content:"{|5C|sv"; content:"8"; within:10; content:"|3B|"; within:5; pcre:"/{\\sv\s*8\s*\x3b\s*\w+\s*[^},]*\x3b\s*\w{9}\s*\x3b/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0183; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-054; classtype:attempted-recon; sid:38812; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt"; flow:to_client,established; file_data; flowbits:isset,file.rtf; content:"{|5C|sv"; content:"4"; within:10; content:"|3B|"; within:5; pcre:"/{\\sv\s*4\s*\x3b\s*\w+\s*[^},]*\x3b\s*\w{7}\s*\x3b/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0183; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-054; classtype:attempted-recon; sid:38811; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt"; flow:to_client,established; file_data; flowbits:isset,file.rtf; content:"{|5C|sv"; content:"2"; within:10; content:"|3B|"; within:5; pcre:"/{\\sv\s*2\s*\x3b\s*\w+\s*[^},]*\x3b\s*\w{5}\s*\x3b/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0183; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-054; classtype:attempted-recon; sid:38810; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt"; flow:to_server,established; flowbits:isset, file.xls; file_data; content:"|09 08 10 00 00 06 05 00|"; content:"|07|"; within:1; distance:3; byte_test:1,&,16, 0, relative; byte_test:1,&,1, 0, relative; byte_test:1,&,8, 0, relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-0140; reference:cve,2018-8162; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8162; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-054; classtype:attempted-recon; sid:38786; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt"; flow:to_client,established; flowbits:isset, file.xls; file_data; content:"|09 08 10 00 00 06 05 00|"; content:"|07|"; within:1; distance:3; byte_test:1,&,16, 0, relative; byte_test:1,&,1, 0, relative; byte_test:1,&,8, 0, relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0140; reference:cve,2018-8162; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8162; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-054; classtype:attempted-recon; sid:38785; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word TTF out-of-bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.docx; file_data; content:"|BE B9 76 67 F6 9C 9D 63 67 47 D7 EE 0A 59 08 04 36 08 24 64 AD 0C 26 8A C4 19 21 09 01 06 1C 1B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0126; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-054; classtype:attempted-user; sid:38783; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word TTF out-of-bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.docx; file_data; content:"|BE B9 76 67 F6 9C 9D 63 67 47 D7 EE 0A 59 08 04 36 08 24 64 AD 0C 26 8A C4 19 21 09 01 06 1C 1B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0126; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-054; classtype:attempted-user; sid:38782; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"d0cf11e"; nocase; content:"53686F636B77617665466C6173682E53686F636B77617665466C617368"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:39037; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"d0cf11e"; nocase; content:"53686F636B77617665466C6173682E53686F636B77617665466C617368"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:39036; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|13 08 48 00 13 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 00 00 00 00 11 6D 79 63 6F 6D 61 64 64 69 6E 2E 70 72 6F 67 69 64 00 0B 4C 4F 52 45 4D 5F 49 50 53 55 4D 05 50 72 69 63 65 10 00 00 00 2A 00 00 00 00 00 00 00 EA 4E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43655; reference:cve,2010-3240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:39158; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|09 02 00 00 00 00 00 00 00 00 00 00 5F 78 6C 66 6E 2E 52 54 44 1C 1D 13 08 48 00 13 08 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43655; reference:cve,2010-3240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:39157; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel malformed XLS out of bounds memory read attempt"; flow:to_server,established; file_data; content:"|03 E4 72 94 46 3F A5 AA 28 94 8C 1A 73 9E EE B5 4E 76 C4 08 A9 E6 09 A9 6C 7A 96 08 B9 8C 32 E8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3233; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-070; classtype:attempted-user; sid:39224; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed XLS out of bounds memory read attempt"; flow:to_client,established; file_data; content:"|03 E4 72 94 46 3F A5 AA 28 94 8C 1A 73 9E EE B5 4E 76 C4 08 A9 E6 09 A9 6C 7A 96 08 B9 8C 32 E8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3233; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-070; classtype:attempted-user; sid:39223; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word mso.dll subcomponent use after free attempt"; flow:to_server,established; file_data; content:"|31 24 01 61 24 02 00 0B 10 00 03 24 01 0C 24 01 13 A4 78 00 14 A4 78 00 31 24 01 61 24 01 00 0B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-070; classtype:attempted-user; sid:39222; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word mso.dll subcomponent use after free attempt"; flow:to_client,established; file_data; content:"|31 24 01 61 24 02 00 0B 10 00 03 24 01 0C 24 01 13 A4 78 00 14 A4 78 00 31 24 01 61 24 01 00 0B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-070; classtype:attempted-user; sid:39221; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|mailmerge"; nocase; content:"|5C|mmodso"; distance:0; nocase; content:"|5C|mmodsoudldata"; distance:0; fast_pattern; nocase; isdataat:100,relative; content:!"500072006F00760069006400650072003D00"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3234; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-070; classtype:attempted-user; sid:39204; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|mailmerge"; nocase; content:"|5C|mmodso"; distance:0; nocase; content:"|5C|mmodsoudldata"; distance:0; fast_pattern; nocase; isdataat:100,relative; content:!"500072006F00760069006400650072003D00"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3234; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-070; classtype:attempted-user; sid:39203; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|04 00 11 80 06 FF 93 02 04 00 12 80 04 FF 93 02 04 00 13 80 07 FF 93 02 04 00 00 80 00 FF 93 02|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43655; reference:cve,2010-3240; reference:cve,2013-1315; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-067; classtype:attempted-user; sid:39347; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|04 00 11 80 06 FF 93 02 04 00 12 80 04 FF 93 02 04 00 13 80 07 FF 93 02 04 00 00 80 00 FF 93 02|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43655; reference:cve,2010-3240; reference:cve,2013-1315; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-067; classtype:attempted-user; sid:39346; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|FF FE|"; depth:2; offset:28; content:"|03 91 00 00|"; distance:0; isdataat:502,relative; content:!"|00|"; within:502; content:"|D2 7D|"; within:2; distance:502; isdataat:409,relative; content:!"|00|"; within:409; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-2209; reference:url,symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00; classtype:attempted-user; sid:39428; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|FF FE|"; depth:2; offset:28; content:"|03 91 00 00|"; distance:0; isdataat:502,relative; content:!"|00|"; within:502; content:"|9B A3|"; within:2; distance:502; isdataat:409,relative; content:!"|00|"; within:409; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-2209; reference:url,symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00; classtype:attempted-user; sid:39427; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|FE FF|"; depth:2; offset:28; content:"|A9 03 00 00|"; distance:0; isdataat:50,relative; content:!"|00|"; within:50; content:"|D6 06|"; within:2; distance:50; isdataat:885,relative; content:!"|00|"; within:885; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-2209; reference:url,symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00; classtype:attempted-user; sid:39426; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|FE FF|"; depth:2; offset:28; content:"|91 03 00 00|"; distance:0; isdataat:502,relative; content:!"|00|"; within:502; content:"|A3 9B|"; within:2; distance:502; isdataat:409,relative; content:!"|00|"; within:409; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-2209; reference:url,symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00; classtype:attempted-user; sid:39425; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|FE FF|"; depth:2; offset:28; content:"|91 03 00 00|"; distance:0; isdataat:502,relative; content:!"|00|"; within:502; content:"|7D D2|"; within:2; distance:502; isdataat:409,relative; content:!"|00|"; within:409; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-2209; reference:url,symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00; classtype:attempted-user; sid:39424; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|FE FF|"; depth:2; offset:28; content:"|03 A9 00 00|"; distance:0; isdataat:50,relative; content:!"|00|"; within:50; content:"|06 D6|"; within:2; distance:50; isdataat:885,relative; content:!"|00|"; within:885; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-2209; reference:url,symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00; classtype:attempted-user; sid:39423; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|FF FE|"; depth:2; offset:28; content:"|03 A9 00 00|"; distance:0; isdataat:50,relative; content:!"|00|"; within:50; content:"|06 D6|"; within:2; distance:50; isdataat:885,relative; content:!"|00|"; within:885; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-2209; reference:url,symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00; classtype:attempted-user; sid:39422; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|FF FE|"; depth:2; offset:28; content:"|03 91 00 00|"; distance:0; isdataat:502,relative; content:!"|00|"; within:502; content:"|D2 7D|"; within:2; distance:502; isdataat:409,relative; content:!"|00|"; within:409; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-2209; reference:url,symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00; classtype:attempted-user; sid:39421; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|FF FE|"; depth:2; offset:28; content:"|03 91 00 00|"; distance:0; isdataat:502,relative; content:!"|00|"; within:502; content:"|9B A3|"; within:2; distance:502; isdataat:409,relative; content:!"|00|"; within:409; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-2209; reference:url,symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00; classtype:attempted-user; sid:39420; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|FE FF|"; depth:2; offset:28; content:"|A9 03 00 00|"; distance:0; isdataat:50,relative; content:!"|00|"; within:50; content:"|D6 06|"; within:2; distance:50; isdataat:885,relative; content:!"|00|"; within:885; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-2209; reference:url,symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00; classtype:attempted-user; sid:39419; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|FE FF|"; depth:2; offset:28; content:"|91 03 00 00|"; distance:0; isdataat:502,relative; content:!"|00|"; within:502; content:"|A3 9B|"; within:2; distance:502; isdataat:409,relative; content:!"|00|"; within:409; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-2209; reference:url,symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00; classtype:attempted-user; sid:39418; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|FE FF|"; depth:2; offset:28; content:"|91 03 00 00|"; distance:0; isdataat:502,relative; content:!"|00|"; within:502; content:"|7D D2|"; within:2; distance:502; isdataat:409,relative; content:!"|00|"; within:409; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-2209; reference:url,symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00; classtype:attempted-user; sid:39417; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF document incorrect file magic attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C|rt|0D 3C|"; depth:6; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:39527; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF document incorrect file magic attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C|rt|0D 3C|"; depth:6; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:39526; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt"; flow:to_server,established; flowbits:isset,file.xlsx; file_data; content:"/workbook.xml|8D 91 4D 6A C3 30 10 85 AF 22 B4 8F 65 17 5A 8A B1 9D 4D 28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3284; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-088; classtype:attempted-dos; sid:39525; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt"; flow:to_client,established; flowbits:isset,file.xlsx; file_data; content:"/workbook.xml|8D 91 4D 6A C3 30 10 85 AF 22 B4 8F 65 17 5A 8A B1 9D 4D 28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3284; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-088; classtype:attempted-dos; sid:39524; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|68 00 74 00 74 00 70 00 3A 00 2F 00 2F 00|"; content:"|00 2E 00 78 00 6D 00 6C 00 00 00|"; within:150; content:"|FF FF 00 00 00 00|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3282; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-088; classtype:attempted-user; sid:39523; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|68 00 74 00 74 00 70 00 3A 00 2F 00 2F 00|"; content:"|00 2E 00 78 00 6D 00 6C 00 00 00 FF FF 00 00 00 00|"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3282; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-088; classtype:attempted-user; sid:39522; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|68 00 74 00 74 00 70 00 3A 00 2F 00 2F 00|"; content:"|00 2E 00 78 00 6D 00 6C 00 00 00|"; within:150; content:"|FF FF 00 00 00 00|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3282; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-088; classtype:attempted-user; sid:39521; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|68 00 74 00 74 00 70 00 3A 00 2F 00 2F 00|"; content:"|00 2E 00 78 00 6D 00 6C 00 00 00 FF FF 00 00 00 00|"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3282; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-088; classtype:attempted-user; sid:39520; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word wwlib out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"dpgroup"; nocase; content:"dpgroup"; within:20; nocase; content:"dpgroup"; within:20; nocase; content:"dpgroup"; within:20; nocase; content:"dpgroup"; within:20; nocase; content:"dpgroup"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3280; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-088; classtype:attempted-user; sid:39519; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word wwlib out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"dpgroup"; nocase; content:"dpgroup"; within:20; nocase; content:"dpgroup"; within:20; nocase; content:"dpgroup"; within:20; nocase; content:"dpgroup"; within:20; nocase; content:"dpgroup"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3280; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-088; classtype:attempted-user; sid:39518; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word wwlib out-of-bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|F4 C7 01 00 02 C8 01 00 04 C8 01 00 7C C8 01 00 8A C8 01 00 8C C8 01 00 C4 C8 01 00 C8 C8 01 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3281; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-088; classtype:attempted-user; sid:39504; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word wwlib out-of-bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|F4 C7 01 00 02 C8 01 00 04 C8 01 00 7C C8 01 00 8A C8 01 00 8C C8 01 00 C4 C8 01 00 C8 C8 01 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3281; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-088; classtype:attempted-user; sid:39503; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office mso.dll out of bounds memory access attempt"; flow:to_server,established; file_data; content:"|80 1E 34 54 DE 2A DA E2 35 5A 2E CA 24 DE 32 A4 2D 0A 2F 1F 80 DE EC F2 BE 20 E4 07 CD F2 08 EB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3313; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-099; classtype:attempted-user; sid:39838; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office mso.dll out of bounds memory access attempt"; flow:to_client,established; file_data; content:"|80 1E 34 54 DE 2A DA E2 35 5A 2E CA 24 DE 32 A4 2D 0A 2F 1F 80 DE EC F2 BE 20 E4 07 CD F2 08 EB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3313; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-099; classtype:attempted-user; sid:39837; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word malformed jpeg memory corruption attempt"; flow:to_server,established; file_data; content:"|5C|*|5C|shppict"; nocase; content:"|5C|pict"; within:100; nocase; content:"|5C|jpegblip"; within:100; nocase; content:"0000000000000000"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3318; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-099; classtype:attempted-admin; sid:39836; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word malformed jpeg memory corruption attempt"; flow:to_client,established; file_data; content:"|5C|*|5C|shppict"; nocase; content:"|5C|pict"; within:100; nocase; content:"|5C|jpegblip"; within:100; nocase; content:"0000000000000000"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3318; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-099; classtype:attempted-admin; sid:39835; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|nesttableprops"; fast_pattern:only; content:"|5C|nestrow"; nocase; content:"|5C|nestcell"; nocase; content:"|5C|gridtbl"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3317; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-099; classtype:attempted-recon; sid:39832; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|nesttableprops"; fast_pattern:only; content:"|5C|nestrow"; nocase; content:"|5C|nestcell"; nocase; content:"|5C|gridtbl"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3317; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-099; classtype:attempted-recon; sid:39831; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|20 B0|"; content:"|21 B0|"; within:100; distance:2; content:"|22 B0|"; within:100; distance:2; content:"|23 90|"; within:100; distance:2; byte_test:2,>,0x0BB8,0,relative,little; byte_test:2,<,0xF448,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3316; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-099; classtype:attempted-user; sid:39817; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|20 B0|"; content:"|21 B0|"; within:100; distance:2; content:"|22 B0|"; within:100; distance:2; content:"|23 90|"; within:100; distance:2; byte_test:2,>,0x0BB8,0,relative,little; byte_test:2,<,0xF448,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3316; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-099; classtype:attempted-user; sid:39816; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE LexMark Perceptive Document Filters wSectorShift heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; content:"|FE FF|"; within:2; distance:20; byte_test:2,>,30,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,talosintel.com/reports/TALOS-2016-0185/; classtype:attempted-user; sid:39872; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE LexMark Perceptive Document Filters wSectorShift heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; content:"|FE FF|"; within:2; distance:20; byte_test:2,>,30,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,talosintel.com/reports/TALOS-2016-0185/; classtype:attempted-user; sid:39871; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE LexMark Perceptive Document Filters msofbtCLSID stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|0F 00 00 F0|"; content:"|00 00 06 F0|"; within:4; distance:4; byte_jump:4,0,relative,little; content:"|16 F0|"; within:2; distance:2; byte_test:4,>,112,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,talosintel.com/reports/TALOS-2016-0172/; classtype:attempted-user; sid:39869; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE LexMark Perceptive Document Filters msofbtCLSID stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|0F 00 00 F0|"; content:"|00 00 06 F0|"; within:4; distance:4; byte_jump:4,0,relative,little; content:"|16 F0|"; within:2; distance:2; byte_test:4,>,112,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,talosintel.com/reports/TALOS-2016-0172/; classtype:attempted-user; sid:39868; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt"; flow:to_server,established; file_data; content:"{|5C|rt"; nocase; content:"{|5C|object|5C|objemb{|5C|*|5C|objclass Package}"; distance:0; nocase; flowbits:set,file.rtf.embed; metadata:policy max-detect-ips alert, ruleset community, service smtp; reference:url,en.wikipedia.org/wiki/Rich_Text_Format; classtype:misc-activity; sid:39903; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt"; flow:to_server,established; file_data; content:"|87 0C 14 B9 C6 B7 BD BB 1A 78 3F 9F EE 0A 50 1C D1 B5 38 78 47 06 BE 88 E1 58 DF DE 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:39992; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt"; flow:to_server,established; file_data; content:"|6C 2F 63 6F 6D 6D 65 6E 74 73 31 2E 78 6D 6C AC AA AA AA AA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:39991; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt"; flow:to_server,established; file_data; content:"|57 15 C0 E1 3D 12 DF C1 F2 1E EC 73 FF 9E 53 C5 A9 10 A2 12 12 05 16 85 BD 49 A6 4D A4 C4 8E 3C|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:39990; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt"; flow:to_server,established; file_data; content:"|5A 73 6B C9 23 EF E2 40 41 3A 97 98 3C 66 81 E9 AA 79 48 84 1D 5B A2 EC 7B FD 5C 14 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:39989; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt"; flow:to_client,established; file_data; content:"|57 15 C0 E1 3D 12 DF C1 F2 1E EC 73 FF 9E 53 C5 A9 10 A2 12 12 05 16 85 BD 49 A6 4D A4 C4 8E 3C|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:39988; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint ppcore invalid pointer reference attempt"; flow:to_server,established; file_data; content:"|7D EB 06 A6 AC AB F5 A3 CF 3A 1E 85 5E 66 15 7F 04 50 5A 7A 68 D6 1F B3 CA 42 28 60 16 8A A8 1A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3360; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-user; sid:40148; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint ppcore invalid pointer reference attempt"; flow:to_client,established; file_data; content:"|7D EB 06 A6 AC AB F5 A3 CF 3A 1E 85 5E 66 15 7F 04 50 5A 7A 68 D6 1F B3 CA 42 28 60 16 8A A8 1A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3360; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-user; sid:40147; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft PowerPoint bogus JPEG marker length heap buffer overflow"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|FF DB|"; content:"|FF C0|"; distance:0; content:"|FF C4|"; distance:0; byte_extract:2,0,len,relative; content:"|FF DA|"; within:len; distance:-2; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3357; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-user; sid:40143; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft PowerPoint bogus JPEG marker length heap buffer overflow"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|FF DB|"; content:"|FF C0|"; distance:0; content:"|FF C4|"; distance:0; byte_extract:2,0,len,relative; content:"|FF DA|"; within:len; distance:-2; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3357; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-user; sid:40142; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt"; flow:to_server,established; flowbits:isset,file.xlsb; file_data; content:"|34 67 E6 CC F4 FB BE 7B EE 39 67 CE 3C 15 78 22 FC 81 E4 CE A7 0F DF 3C DB 5F AE CC 46 43 9F 37|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3381; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-admin; sid:40122; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt"; flow:to_client,established; flowbits:isset,file.xlsb; file_data; content:"|34 67 E6 CC F4 FB BE 7B EE 39 67 CE 3C 15 78 22 FC 81 E4 CE A7 0F DF 3C DB 5F AE CC 46 43 9F 37|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3381; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-admin; sid:40121; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt"; flow:to_server,established; flowbits:isset,file.xlsb; file_data; content:"|C4 83 0F 66 E6 9B 79 F3 7D 6F DE DC 23 AC 52 26 EB FE 7E FD FC FD 68 E7 ED 99 4A 69 F6 CD 87 AF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3362; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-admin; sid:40117; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt"; flow:to_client,established; flowbits:isset,file.xlsb; file_data; content:"|C4 83 0F 66 E6 9B 79 F3 7D 6F DE DC 23 AC 52 26 EB FE 7E FD FC FD 68 E7 ED 99 4A 69 F6 CD 87 AF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3362; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-admin; sid:40116; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt"; flow:to_server,established; flowbits:isset,file.xlsb; file_data; content:"|38 12 FE 7E C0 FD 07 9D D0 FD 98 E8 FD 2D A8 BD 70 9C F5 A2 B8 74 1B D4 D9 5D E0 BE D1 12 6D F3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-admin; sid:40107; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt"; flow:to_client,established; flowbits:isset,file.xlsb; file_data; content:"|38 12 FE 7E C0 FD 07 9D D0 FD 98 E8 FD 2D A8 BD 70 9C F5 A2 B8 74 1B D4 D9 5D E0 BE D1 12 6D F3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-admin; sid:40106; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt"; flow:to_server,established; flowbits:isset,file.xlsb; file_data; content:"|56 5B 44 D6 D0 D6 5F D0 10 0D 35 37 B5 37 94 B8 B4 B9 47 75 EE 67 61 75 1F EF BD 7B EE 3B 3F DE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3358; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-admin; sid:40105; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt"; flow:to_client,established; flowbits:isset,file.xlsb; file_data; content:"|56 5B 44 D6 D0 D6 5F D0 10 0D 35 37 B5 37 94 B8 B4 B9 47 75 EE 67 61 75 1F EF BD 7B EE 3B 3F DE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3358; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-admin; sid:40104; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt"; flow:to_server,established; flowbits:isset,file.xlsb; file_data; content:"|AB DF 46 F9 3B 44 51 1A A1 97 22 14 C1 F2 D4 0E 6F 11 3D 15 F4 56 F4 D5 20 B5 A3 5F BE 45 94 1E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3358; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-admin; sid:40103; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt"; flow:to_client,established; flowbits:isset,file.xlsb; file_data; content:"|AB DF 46 F9 3B 44 51 1A A1 97 22 14 C1 F2 D4 0E 6F 11 3D 15 F4 56 F4 D5 20 B5 A3 5F BE 45 94 1E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3358; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-admin; sid:40102; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel Ordinal43 out of bounds read attempt"; flow:to_server,established; file_data; content:"|0D 00 FF 00 00 00 00 00 80 01 34 00 08 02 10 00 16 00 00 00 0D 00 FF 00 00 00 00 00 80 01 34 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3363; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-user; sid:40083; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Ordinal43 out of bounds read attempt"; flow:to_client,established; file_data; content:"|0D 00 FF 00 00 00 00 00 80 01 34 00 08 02 10 00 16 00 00 00 0D 00 FF 00 00 00 00 00 80 01 34 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3363; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-user; sid:40082; rev:2;) alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office Visio request for visdlgu.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"v|00|i|00|s|00|d|00|l|00|g|00|u|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-3364; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-user; sid:40080; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office Visio visdlgu.dll dll-load exploit attempt"; flow:to_server,established; content:"/visdlgu.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3364; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-user; sid:40079; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel LPenHelper out of bounds write attempt"; flow:to_server,established; file_data; content:"|D8 F7 6F DB 46 14 00 60 93 C7 13 49 D9 F2 88 57 9C 38 71 3C E3 BD 92 36 A3 49 9C D9 BD F7 DE BB E8 04 BA 0B 74|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3365; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-user; sid:40076; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel LPenHelper out of bounds write attempt"; flow:to_client,established; file_data; content:"|D8 F7 6F DB 46 14 00 60 93 C7 13 49 D9 F2 88 57 9C 38 71 3C E3 BD 92 36 A3 49 9C D9 BD F7 DE BB E8 04 BA 0B 74|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3365; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-107; classtype:attempted-user; sid:40075; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Wordpad font conversion buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|FF 40|"; content:"|90 01 00 00|"; within:4; distance:4; fast_pattern; isdataat:129,relative; content:!"|00|"; within:129; metadata:service smtp; reference:cve,2004-0901; classtype:attempted-admin; sid:40282; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Wordpad font conversion buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|FF 40|"; content:"|90 01 00 00|"; within:4; distance:4; fast_pattern; isdataat:129,relative; content:!"|00|"; within:129; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2004-0901; classtype:attempted-admin; sid:40281; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word document containing VBA project entry detected"; flow:to_server,established; file_data; content:"V|00|B|00|A|00|_|00|P|00|R|00|O|00|J|00|E|00|C|00|T|00||00|"; fast_pattern:only; content:"MSComctlLib"; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:40307; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word document containing VBA project entry detected"; flow:to_client,established; file_data; content:"V|00|B|00|A|00|_|00|P|00|R|00|O|00|J|00|E|00|C|00|T|00||00|"; fast_pattern:only; content:"MSComctlLib"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:40306; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word RTF file parsing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objemb"; content:"|5C|objclass otkloadr."; distance:0; fast_pattern; content:"|5C|objdata"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7193; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-121; classtype:attempted-user; sid:40369; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word RTF file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objemb"; content:"|5C|objclass otkloadr."; distance:0; fast_pattern; content:"|5C|objdata"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7193; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-121; classtype:attempted-user; sid:40368; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|06 00 26 00 9C 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 29 08 01 00 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1315; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-073; classtype:attempted-user; sid:40460; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00 26 00 9C 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 29 08 01 00 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1315; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-073; classtype:attempted-user; sid:40459; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF hex encoded WRLoader CLSID ASLR bypass download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"30353734313532302d433445422d343430412d414333462d393634334242433946383437"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40635; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF hex encoded WRAssembly CLSID ASLR bypass download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"41303841303333442d314137352d344142362d413136362d454144303246353437393539"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40634; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF hex encoded WRLoader CLSID ASLR bypass download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"30353734313532302d433445422d343430412d414333462d393634334242433946383437"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40633; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF hex encoded WRAssembly CLSID ASLR bypass download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"41303841303333442d314137352d344142362d413136362d454144303246353437393539"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40632; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF hex encoded wrLoader ASLR bypass download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"77724C6f61646572"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40631; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF hex encoded WRLoader ASLR bypass download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"57524c6f61646572"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40630; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF hex encoded WRAssembly ASLR bypass download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"5752417373656d626c79"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40629; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF hex encoded WRAsembly ASLR bypass download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"57524173656d626c79"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40628; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF WRLoader CLSID ASLR bypass download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"05741520-C4EB-440A-AC3F-9643BBC9F847"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40627; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF WRLoader ASLR bypass download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"WRLoader"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40626; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF WRAssembly CLSID ASLR bypass download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"A08A033D-1A75-4AB6-A166-EAD02F547959"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40625; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF hex encoded wrLoader ASLR bypass download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"77724C6f61646572"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40624; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF hex encoded WRLoader ASLR bypass download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"57524c6f61646572"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40623; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF WRLoader CLSID ASLR bypass download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"05741520-C4EB-440A-AC3F-9643BBC9F847"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40622; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF WRLoader ASLR bypass download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"WRLoader"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40621; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF WRAssembly CLSID ASLR bypass download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"A08A033D-1A75-4AB6-A166-EAD02F547959"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:40620; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel invalid signed integer attempt"; flow:to_server,established; file_data; content:"|A5 7C B4 C1 2D BB B4 AB AC B3 66 A8 AE A6 58 AE E6 C3 D2 A9 FA 28 39 37 2E 31 32 2E 33 31 29 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7229; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-133; classtype:attempted-user; sid:40726; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel invalid signed integer attempt"; flow:to_client,established; file_data; content:"|A5 7C B4 C1 2D BB B4 AB AC B3 66 A8 AE A6 58 AE E6 C3 D2 A9 FA 28 39 37 2E 31 32 2E 33 31 29 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7229; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-133; classtype:attempted-user; sid:40725; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel Viewer remote code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|5C 00 70 00 04 00 01 E8 96 97 67 28 67 CE 98 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-133; classtype:attempted-user; sid:40724; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel Viewer remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5C 00 70 00 04 00 01 E8 96 97 67 28 67 CE 98 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-133; classtype:attempted-user; sid:40723; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SST record use after free attempt "; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|F1 10 00 00 00 0D 00 00 08 0C 00 00 08 17 00 00 08 F7 00 00 10 FC 00 20 20 70 13 00 00 9D 06 00 00 0C 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7213; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-133; classtype:attempted-user; sid:40720; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SST record use after free attempt "; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|F1 10 00 00 00 0D 00 00 08 0C 00 00 08 17 00 00 08 F7 00 00 10 FC 00 20 20 70 13 00 00 9D 06 00 00 0C 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7213; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-133; classtype:attempted-user; sid:40719; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel LPenHelper use after free attempt"; flow:to_server,established; file_data; content:"|08 09 66 7B 9B 5A 27 1B D5 A6 F4 BB C0 8E 10 03 9C BD 10 98 DF E9 20 08 91 A6 FC 0F AA 91 D3 1A 71 32 08 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7236; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-133; classtype:attempted-user; sid:40718; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel LPenHelper use after free attempt"; flow:to_client,established; file_data; content:"|08 09 66 7B 9B 5A 27 1B D5 A6 F4 BB C0 8E 10 03 9C BD 10 98 DF E9 20 08 91 A6 FC 0F AA 91 D3 1A 71 32 08 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7236; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-133; classtype:attempted-user; sid:40717; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|7D 00 0C 00 05 F4 00 00 49 96 1F 0D F6 4D 00 00 7D 00 0C 00 01 00 01 00 00 10 0F 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7228; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-133; classtype:attempted-user; sid:40712; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|7D 00 0C 00 05 F4 00 00 49 96 1F 0D F6 4D 00 00 7D 00 0C 00 01 00 01 00 00 10 0F 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7228; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-133; classtype:attempted-user; sid:40711; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word out of bounds memory read attempt"; flow:to_server,established; file_data; content:"|FF EC A5 C1 00 23 60 09 04 00 00 F8 12 BF 00 00 00 00 00 00 10 00 00 00 00 00 06 00 00 18 17 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7234; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-133; classtype:attempted-admin; sid:40702; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word out of bounds memory read attempt"; flow:to_client,established; file_data; content:"|FF EC A5 C1 00 23 60 09 04 00 00 F8 12 BF 00 00 00 00 00 00 10 00 00 00 00 00 06 00 00 18 17 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7234; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-133; classtype:attempted-admin; sid:40701; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft PowerPoint ntdll out of bounds read attempt"; flow:to_server,established; file_data; content:"|D2 EC 1F 59 AB DC D1 FE DC 94 75 89 3F 5A 3F B7 25 FF 00 9E 29 F9 9A CC 34 9D A8 FA B5 2E C1 F5 AA BD CD 4F ED C9 3F E7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7230; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-133; classtype:attempted-user; sid:40682; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft PowerPoint ntdll out of bounds read attempt"; flow:to_client,established; file_data; content:"|D2 EC 1F 59 AB DC D1 FE DC 94 75 89 3F 5A 3F B7 25 FF 00 9E 29 F9 9A CC 34 9D A8 FA B5 2E C1 F5 AA BD CD 4F ED C9 3F E7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7230; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-133; classtype:attempted-user; sid:40681; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt"; flow:to_server,established; file_data; content:"|06 5E 84 38 04 60 84 98 FE 6F 28 00 02 00 00 00 2E 00 01 00 00 00 04 10 01 00 00 98 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7233; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-133; classtype:attempted-user; sid:40680; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt"; flow:to_client,established; file_data; content:"|06 5E 84 38 04 60 84 98 FE 6F 28 00 02 00 00 00 2E 00 01 00 00 00 04 10 01 00 00 98 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7233; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-133; classtype:attempted-user; sid:40679; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt"; flow:to_server,established; file_data; content:"|FA 13 6D C5 00 75 1A 6C F1 6A 5A 25 A5 C0 59 3C AB 9B 64 7D B3 7D FD AC A0 E1 BD F9 E6 B9 5D 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7235; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-133; classtype:attempted-user; sid:40674; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt"; flow:to_client,established; file_data; content:"|FA 13 6D C5 00 75 1A 6C F1 6A 5A 25 A5 C0 59 3C AB 9B 64 7D B3 7D FD AC A0 E1 BD F9 E6 B9 5D 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7235; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-133; classtype:attempted-user; sid:40673; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word PrcData out of bounds read attempt"; flow:to_server,established; file_data; content:"|FB 16 EA EC 55 A4 7E 85 B6 3A B9 4D FE 32 FD 18 5D 65 A2 57 5F 7D B5 F0 F9 F7 BB DF FD 6E DC 63|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7232; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-133; classtype:attempted-user; sid:40668; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word PrcData out of bounds read attempt"; flow:to_client,established; file_data; content:"|FB 16 EA EC 55 A4 7E 85 B6 3A B9 4D FE 32 FD 18 5D 65 A2 57 5F 7D B5 F0 F9 F7 BB DF FD 6E DC 63|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7232; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-133; classtype:attempted-user; sid:40667; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel insecure workbook load via reference to named share attempt"; flow:to_server,established; file_data; content:"|09 08 10 00 00 06|"; depth:6; content:"|17 00|"; content:"|00 01 01|@"; within:4; distance:4; byte_jump:2,-8,relative,little; content:"|0A 00 00 00|"; within:4; content:".xls"; within:5; distance:-9; nocase; metadata:policy max-detect-ips drop, policy security-ips alert, service smtp; reference:cve,2016-7267; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-148; classtype:policy-violation; sid:40978; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel insecure workbook load via reference to named share attempt"; flow:to_client,established; file_data; content:"|09 08 10 00 00 06|"; depth:6; content:"|17 00|"; content:"|00 01 01|@"; within:4; distance:4; byte_jump:2,-8,relative,little; content:"|0A 00 00 00|"; within:4; content:".xls"; within:5; distance:-9; nocase; metadata:policy max-detect-ips drop, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7267; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-148; classtype:policy-violation; sid:40977; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint WMF conversion information disclosure attempt"; flow:to_server,established; file_data; content:"|C8 9A F4 79 E2 D5 AA 5C BD 26 0D A1 CA B6 F7 96 CA 7B 07 F1 E2 31 C6 93 68 3D 80 D6 64 F1 D8 E8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7257; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-146; classtype:attempted-user; sid:40968; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint WMF conversion information disclosure attempt"; flow:to_client,established; file_data; content:"|C8 9A F4 79 E2 D5 AA 5C BD 26 0D A1 CA B6 F7 96 CA 7B 07 F1 E2 31 C6 93 68 3D 80 D6 64 F1 D8 E8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7257; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-146; classtype:attempted-user; sid:40967; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Publisher out of bounds read attempt"; flow:to_server,established; file_data; content:"|08 00 02 00 00 40 00 AF 01 20 00 AF 00 80 C3 05 22 F1 28 02 00 00 9E 01 FF FF FE 00 9F 01 C0 FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7289; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-148; classtype:attempted-user; sid:40966; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Publisher out of bounds read attempt"; flow:to_client,established; file_data; content:"|08 00 02 00 00 40 00 AF 01 20 00 AF 00 80 C3 05 22 F1 28 02 00 00 9E 01 FF FF FE 00 9F 01 C0 FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7289; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-148; classtype:attempted-user; sid:40965; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel type confusion attempt"; flow:to_server,established; file_data; content:"|48 83 AF 95 37 05 24 2F 77 08 A9 A3 45 AF 7F F0 06 C1 A3 21 18 0A ED B7 05 C8 1D FF 33 14 01 6D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7277; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-148; classtype:attempted-user; sid:40964; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel type confusion attempt"; flow:to_client,established; file_data; content:"|48 83 AF 95 37 05 24 2F 77 08 A9 A3 45 AF 7F F0 06 C1 A3 21 18 0A ED B7 05 C8 1D FF 33 14 01 6D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7277; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-148; classtype:attempted-user; sid:40963; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel ddeService command execution attempt"; flow:to_server,established; file_data; content:"|BE 78 B3 47 A0 3C 4D 1C C1 B1 6F 4F 69 B0 21 49 C1 D4 0F 88 07 6E DE 48 83 DD 39 B0 F6 C1 F2 2E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7262; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-148; classtype:attempted-user; sid:40960; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel ddeService command execution attempt"; flow:to_client,established; file_data; content:"|BE 78 B3 47 A0 3C 4D 1C C1 B1 6F 4F 69 B0 21 49 C1 D4 0F 88 07 6E DE 48 83 DD 39 B0 F6 C1 F2 2E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7262; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-148; classtype:attempted-user; sid:40959; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel security descriptor out of bounds read attempt"; flow:to_server,established; file_data; content:"|97 EA 73 7A 9A 4E 36 4F FB AA FE 83 1F B6 9F 6F F9 F0 4E FD 27 F1 DA 63 DF DE FE 55 9D 5F AF D7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-148; classtype:attempted-user; sid:40958; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel security descriptor out of bounds read attempt"; flow:to_client,established; file_data; content:"|97 EA 73 7A 9A 4E 36 4F FB AA FE 83 1F B6 9F 6F F9 F0 4E FD 27 F1 DA 63 DF DE FE 55 9D 5F AF D7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-148; classtype:attempted-user; sid:40957; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word XST structure out of bounds read attempt"; flow:to_server,established; file_data; content:"|35 00 A7 F0 01 00 00 00 17 10 00 00 00 00 00 00 00 00 00 00 68 01 00 00 00 00 00 00 0B 18 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-148; classtype:attempted-user; sid:40952; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word XST structure out of bounds read attempt"; flow:to_client,established; file_data; content:"|35 00 A7 F0 01 00 00 00 17 10 00 00 00 00 00 00 00 00 00 00 68 01 00 00 00 00 00 00 0B 18 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-148; classtype:attempted-user; sid:40951; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|9E 08|"; content:"|9E 08 00 00 00 00 00 00 00 00 00 00|"; within:12; distance:2; byte_test:4,>,0x400,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-148; classtype:attempted-user; sid:40945; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|9E 08|"; content:"|9E 08 00 00 00 00 00 00 00 00 00 00|"; within:12; distance:2; byte_test:4,>,0x400,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-148; classtype:attempted-user; sid:40944; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.doc|file.xls; file_data; content:"|D0 C9 EA 79 F9 BA CE 11 8C 82 00 AA 00 4B A9 0B|"; content:!"_|00|T|00|o"; within:5; distance:12; byte_jump:4,8,relative,little,multiplier 2,post_offset -2; content:!"|00 00|"; within:2; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,82650; reference:bugtraq,94716; reference:cve,2016-0059; reference:cve,2016-7278; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-009; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-144; classtype:attempted-user; sid:40941; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.doc|file.xls; file_data; content:"|D0 C9 EA 79 F9 BA CE 11 8C 82 00 AA 00 4B A9 0B|"; content:!"_|00|T|00|o"; within:5; distance:12; byte_jump:4,8,relative,little,multiplier 2,post_offset -2; content:!"|00 00|"; within:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,82650; reference:bugtraq,94716; reference:cve,2016-0059; reference:cve,2016-7278; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-009; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-144; classtype:attempted-user; sid:40940; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint OpenType font overly large instructionLength out of bounds read attempt"; flow:to_server,established; file_data; content:"|00 01 08 40 00 02 10 80 C0 AA AA 7B F8 F2 AF 31 A0 93 06 0D 02 D9 13 97 F6 DD 63 64 A1 2A 91 EA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7276; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-148; classtype:attempted-user; sid:40939; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint OpenType font overly large instructionLength out of bounds read attempt"; flow:to_client,established; file_data; content:"|00 01 08 40 00 02 10 80 C0 AA AA 7B F8 F2 AF 31 A0 93 06 0D 02 D9 13 97 F6 DD 63 64 A1 2A 91 EA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7276; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-148; classtype:attempted-user; sid:40938; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt"; flow:to_server,established; content:"powerpoint"; fast_pattern:only; content:"uuencode"; nocase; pcre:"/begin\s*[^\x0D\x0A\x5C\x2F\x3A\x2A\x3F\x3C\x3E\x7C\x3D\s]{200}/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:41094; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF file with embedded OLE object"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objdata"; content:"d0cf11e0a1b11ae1"; fast_pattern:only; metadata:service smtp; classtype:policy-violation; sid:41132; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt"; flow:to_server,established; flowbits:isset, file.rtf; file_data; content:"|5C|*|5C|shppict"; content:!"{|5C|pict"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-002; classtype:attempted-user; sid:41141; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt"; flow:to_client,established; flowbits:isset, file.rtf; file_data; content:"|5C|*|5C|shppict"; content:!"{|5C|pict"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-002; classtype:attempted-user; sid:41140; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt"; flow:established, to_server; file_data; flowbits:isset, file.ppt; content:"|0D F0|"; byte_extract:4,0,record_len,relative,little; isdataat:record_len,relative; content:"|9F 0F|"; within:record_len; content:"|9E 0F|"; within:record_len; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0556; classtype:attempted-admin; sid:41414; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt"; flow:established, to_client; file_data; flowbits:isset, file.ppt; content:"|0D F0|"; byte_extract:4,0,record_len,relative,little; isdataat:record_len,relative; content:"|9F 0F|"; within:record_len; content:"|9E 0F|"; within:record_len; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0556; classtype:attempted-admin; sid:41413; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Works file converter field length invalid chunk size buffer overflow attempt"; flow:to_server,established; file_data; content:"CHNKWKS"; content:"|18 00|TEXT"; distance:0; isdataat:4,relative; content:!"|01 00|"; within:2; distance:2; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,27659; reference:cve,2008-0108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-011; classtype:attempted-user; sid:41453; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|B5 00 46 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0184; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:41731; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B5 00 46 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0184; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:41730; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|B5 00 14 00 00 80 00 00 01 00 00 10 00 00 00 00 00 00 01 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0184; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:41729; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|B5 00 1E 00 00 80 00 00 01 00 00 00 00 00 00 00 00 00 01 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0184; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:41728; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"ffba86e9c94c78ab90c80d8a9f0913ee69"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0105; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-014; classtype:attempted-user; sid:41982; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"ffba86e9c94c78ab90c80d8a9f0913ee69"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0105; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-014; classtype:attempted-user; sid:41981; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt"; flow:to_server,established; file_data; content:"|7F 9A 86 7D 80 47 ED 6C C6 E3 B9 E4 0C 6C E1 4A 6D AB 8C 3F 3D DE 46 17 9C 21 29 5B AA C6 59 C8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0052; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-014; classtype:attempted-user; sid:41980; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt"; flow:to_client,established; file_data; content:"|7F 9A 86 7D 80 47 ED 6C C6 E3 B9 E4 0C 6C E1 4A 6D AB 8C 3F 3D DE 46 17 9C 21 29 5B AA C6 59 C8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0052; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-014; classtype:attempted-user; sid:41979; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt"; flow:to_server,established; file_data; content:"|A3 8A 49 29 85 EC BC FC 7F F8 9F 37 C3 98 CD 47 DF A9 43 18 39 65 B2 B0 5E 55 A0 02 35 D9 27 DA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-014; classtype:attempted-user; sid:41977; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt"; flow:to_client,established; file_data; content:"|A3 8A 49 29 85 EC BC FC 7F F8 9F 37 C3 98 CD 47 DF A9 43 18 39 65 B2 B0 5E 55 A0 02 35 D9 27 DA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-014; classtype:attempted-user; sid:41976; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|32 00 31 90 68 01 3A 70 0B 0E B7 00 1F B0 82 2E 20 B0 C6 41 21 B0 A5 06 22 B0 A5 06 23 90 89 05|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0030; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-014; classtype:attempted-user; sid:41965; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|32 00 31 90 68 01 3A 70 0B 0E B7 00 1F B0 82 2E 20 B0 C6 41 21 B0 A5 06 22 B0 A5 06 23 90 89 05|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0030; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-014; classtype:attempted-user; sid:41964; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word template remote code execution attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"IPM.Document.Outlook.File.msg.15"; fast_pattern:only; content:"|5C 2A 5C|template"; nocase; content:"http"; within:20; nocase; content:".dotx"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-014; classtype:attempted-user; sid:41963; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word template remote code execution attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"IPM.Document.Outlook.File.msg.15"; fast_pattern:only; content:"|5C 2A 5C|template"; nocase; content:"http"; within:20; nocase; content:".dotx"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-014; classtype:attempted-user; sid:41962; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Ichitaro Office JTD Figure handling code execution attempt"; flow:to_server,established; file_data; content:"|09 00 01 01 01 06 01 00 0C 00 00 00 0F 00 00 0E 00 00 02 01 00 06 01 00 0C 00 00 00 0E 00 00 00 0F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2789; reference:url,www.talosintelligence.com/reports/TALOS-2016-0196/; classtype:attempted-user; sid:41111; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Ichitaro Office JTD Figure handling code execution attempt"; flow:to_client,established; file_data; content:"|09 00 01 01 01 06 01 00 0C 00 00 00 0F 00 00 0E 00 00 02 01 00 06 01 00 0C 00 00 00 0E 00 00 00 0F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2789; reference:url,www.talosintelligence.com/reports/TALOS-2016-0196/; classtype:attempted-user; sid:41110; rev:3;) # alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"FILE-OFFICE Oracle Outside In Technology image export use after free attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|footer"; nocase; content:"|5C|footer"; distance:0; nocase; content:!"|5C|"; within:20; pcre:"/\x5cfooter[^ylrf].*\x5cfooter[^ylrf\x5c]([^\x5c]{19}|\s*?\x7d)/si"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4333; reference:cve,2017-3293; reference:url,www.talosintelligence.com/reports/TALOS-2016-0179; reference:url,www.talosintelligence.com/reports/TALOS-2016-0215/; classtype:attempted-user; sid:41109; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Oracle Outside In Technology image export use after free attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|footer"; nocase; content:"|5C|footer"; distance:0; nocase; content:!"|5C|"; within:20; pcre:"/\x5cfooter[^ylrf].*\x5cfooter[^ylrf\x5c]([^\x5c]{19}|\s*?\x7d)/si"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4333; reference:cve,2017-3293; reference:url,www.talosintelligence.com/reports/TALOS-2016-0179; reference:url,www.talosintelligence.com/reports/TALOS-2016-0215/; classtype:attempted-user; sid:41108; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE JustSystems Ichitaro Word Processor malformed PersistDirectory memory corruption attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|72 17 10 00 00 00 01 00 10 00 C7 36 08 00 BB 00 10 00 B0 57 08 00|"; content:"|81 2D 00 00 82 2D 00 00 83 2D 00 00 84 2D 00 00|"; within:16; distance:130; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2791; reference:url,www.talosintelligence.com/reports/TALOS-2016-0199/; classtype:attempted-user; sid:40491; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE JustSystems Ichitaro Word Processor malformed PersistDirectory memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|72 17 10 00 00 00 01 00 10 00 C7 36 08 00 BB 00 10 00 B0 57 08 00|"; content:"|81 2D 00 00 82 2D 00 00 83 2D 00 00 84 2D 00 00|"; within:16; distance:130; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2791; reference:url,www.talosintelligence.com/reports/TALOS-2016-0199/; classtype:attempted-user; sid:40490; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Hancom Hangul Hcell cssValFormat checkUnderbar out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|00 1E 04|"; byte_jump:2,0,relative,little,post_offset -3; content:"|00 5F 00 1E 04|"; within:5; metadata:service smtp; reference:cve,2016-4296; reference:url,www.talosintelligence.com/reports/TALOS-2016-0151; classtype:attempted-user; sid:39762; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Hancom Hangul Hcell cssValFormat checkUnderbar out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|00 1E 04|"; byte_jump:2,0,relative,little,post_offset -3; content:"|00 5F 00 1E 04|"; within:5; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4296; reference:url,www.talosintelligence.com/reports/TALOS-2016-0151; classtype:attempted-user; sid:39761; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Hancom Hangul HCell TableStyle record heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|8E 08|"; byte_test:2,>,522,20,relative,little; byte_jump:2,0,relative,little; content:"|60 01 02 00 00 00|"; within:6; metadata:service smtp; reference:cve,2016-4293; reference:url,www.talosintelligence.com/reports/TALOS-2016-0148; classtype:attempted-user; sid:39760; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Hancom Hangul HCell TableStyle record heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|8E 08|"; byte_test:2,>,522,18,relative,little; byte_jump:2,0,relative,little; content:"|60 01 02 00 00 00|"; within:6; metadata:service smtp; reference:cve,2016-4293; reference:url,www.talosintelligence.com/reports/TALOS-2016-0148; classtype:attempted-user; sid:39759; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Hancom Hangul HCell TableStyle record heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|8E 08|"; byte_test:2,>,522,20,relative,little; byte_jump:2,0,relative,little; content:"|60 01 02 00 00 00|"; within:6; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4293; reference:url,www.talosintelligence.com/reports/TALOS-2016-0148; classtype:attempted-user; sid:39758; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Hancom Hangul HCell TableStyle record heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|8E 08|"; byte_test:2,>,522,18,relative,little; byte_jump:2,0,relative,little; content:"|60 01 02 00 00 00|"; within:6; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4293; reference:url,www.talosintelligence.com/reports/TALOS-2016-0148; classtype:attempted-user; sid:39757; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Document Foundation LibreOffice RTF stylesheet use after free attempt"; flow:to_server,established; file_data; content:"{|5C|rt"; depth:4; content:"|5C|stylesheet"; content:"|5C|super"; fast_pattern; content:!"{"; within:5; distance:-10; pcre:"/\x7d[^\x7b]{0,30}\x5csuper/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4324; reference:url,www.talosintelligence.com/reports/TALOS-2016-0126; classtype:attempted-user; sid:39149; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Document Foundation LibreOffice RTF stylesheet use after free attempt"; flow:to_client,established; file_data; content:"{|5C|rt"; depth:4; content:"|5C|stylesheet"; content:"|5C|super"; fast_pattern; content:!"{"; within:5; distance:-10; pcre:"/\x7d[^\x7b]{0,30}\x5csuper/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4324; reference:url,www.talosintelligence.com/reports/TALOS-2016-0126; classtype:attempted-user; sid:39148; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt"; flow:to_server,established; file_data; content:"|01 00 01 00 0B 00 00 00 00 00 19 04 FF FF 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-4295; reference:url,www.talosintelligence.com/reports/TALOS-2016-0150; classtype:attempted-user; sid:39111; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt"; flow:to_client,established; file_data; content:"|01 00 01 00 0B 00 00 00 00 00 19 04 FF FF 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4295; reference:url,www.talosintelligence.com/reports/TALOS-2016-0150; classtype:attempted-user; sid:39110; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Hancom Hangul Office NXDeleteLineObj memory corruption attempt"; flow:to_server,established; file_data; content:"|F1 FE 25 D6 E6 AF D8 57 BF A5 0F EF A9 C0 60 49 DD BC EC 19 72 13 D3 3B 26 C6 37 4F FD 96 BC 35|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-4290; reference:url,www.talosintelligence.com/reports/TALOS-2016-0145; classtype:attempted-user; sid:39050; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Hancom Hangul Office NXDeleteLineObj memory corruption attempt"; flow:to_client,established; file_data; content:"|F1 FE 25 D6 E6 AF D8 57 BF A5 0F EF A9 C0 60 49 DD BC EC 19 72 13 D3 3B 26 C6 37 4F FD 96 BC 35|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4290; reference:url,www.talosintelligence.com/reports/TALOS-2016-0145; classtype:attempted-user; sid:39049; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt"; flow:to_client,established; file_data; content:"{|5C|rt"; depth:4; content:"ecabafc9-7f19-11d2-978e-0000f8757e2a"; within:500; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6132; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:42198; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt"; flow:to_server,established; file_data; content:"{|5C|rt"; depth:4; content:"ecabafc9-7f19-11d2-978e-0000f8757e2a"; within:500; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-6132; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:42197; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF objautlink url moniker file download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objautlink"; fast_pattern; content:"0e0c9ea79f9bace118c8200aa004ba90b"; distance:0; content:"68007400740070003a002f002f00"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0199; classtype:misc-activity; sid:42190; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF objautlink url moniker file download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objautlink"; fast_pattern; content:"0e0c9ea79f9bace118c8200aa004ba90b"; distance:0; content:"68007400740070003a002f002f00"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0199; classtype:misc-activity; sid:42189; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office custom message class security bypass attempt"; flow:to_client,established; file_data; content:"IPM.Document.Outlook.File.msg.12"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service imap, service pop3; reference:cve,2017-0204; classtype:attempted-user; sid:42168; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office custom message class security bypass attempt"; flow:to_server,established; file_data; content:"IPM.Document.Outlook.File.msg.12"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service imap, service pop3, service smtp; reference:cve,2017-0204; classtype:attempted-user; sid:42167; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel out of bounds memory attempt"; flow:to_server,established; file_data; content:"|F0 FE D6 CB 0A 44 CA 9E 06 3F 33 A1 03 62 D8 35 8F 0F F5 90 B6 83 CF 3E 65 5E F0 94 31 8A 22 4C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0194; classtype:attempted-user; sid:42162; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel out of bounds memory attempt"; flow:to_client,established; file_data; content:"|F0 FE D6 CB 0A 44 CA 9E 06 3F 33 A1 03 62 D8 35 8F 0F F5 90 B6 83 CF 3E 65 5E F0 94 31 8A 22 4C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0194; classtype:attempted-user; sid:42161; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF url moniker COM file download attempt"; flow:to_client,established; content:"Content-Type|3A| application/hta"; fast_pattern:only; http_header; file_data; content:"Wscript.Shell"; nocase; metadata:service http; reference:cve,2017-0199; classtype:attempted-admin; sid:42231; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word 2010 Sepx memory corruption attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|32 00 31 90 68 01 3A 70 EA 48 F4 00 1F B0 82 2E 20 B0 C6 41 21 B0 8A 05 22 B0 8A 05 23 90 53 03 24 90 37 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0243; classtype:attempted-user; sid:42756; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word 2010 Sepx memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|32 00 31 90 68 01 3A 70 EA 48 F4 00 1F B0 82 2E 20 B0 C6 41 21 B0 8A 05 22 B0 8A 05 23 90 53 03 24 90 37 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0243; classtype:attempted-user; sid:42755; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office EPS file containing embedded PE"; flow:to_server,established; file_data; content:"%!PS-Adobe-"; depth:11; content:"<4d5a"; content:"50450000"; distance:64; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:policy-violation; sid:42905; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office EPS restore command use after free attempt"; flow:to_server,established; file_data; content:"|B0 74 F9 85 AE 7A 5F BA 18 C7 3F 29 FD 5D 97 47 F4 4E FD FD 8F F7 6D 81 06 8B 5B 77 39 6B F5 56|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0261; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261; classtype:attempted-user; sid:42904; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office EPS restore command use after free attempt"; flow:to_server,established; file_data; content:"%!PS-Adobe-"; depth:11; content:"|20|restore"; content:"array def"; within:50; content:"cvx exec"; within:50; content:"|20|save"; within:100; content:"|20|repeat"; within:100; content:"|20|forall"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0261; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261; classtype:attempted-user; sid:42903; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office EPS restore command use after free attempt"; flow:to_client,established; file_data; content:"|B0 74 F9 85 AE 7A 5F BA 18 C7 3F 29 FD 5D 97 47 F4 4E FD FD 8F F7 6D 81 06 8B 5B 77 39 6B F5 56|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0261; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261; classtype:attempted-user; sid:42902; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office EPS file containing embedded PE"; flow:to_client,established; file_data; content:"%!PS-Adobe-"; depth:11; content:"<4d5a"; content:"50450000"; distance:64; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42901; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office EPS restore command use after free attempt"; flow:to_client,established; file_data; content:"%!PS-Adobe-"; depth:11; content:"|20|restore"; content:"array def"; within:50; content:"cvx exec"; within:50; content:"|20|save"; within:100; content:"|20|repeat"; within:100; content:"|20|forall"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0261; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261; classtype:attempted-user; sid:42900; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|C9 AF AB EC 19 7F D2 11 97 8E 00 00 F8 75 7E 2A 00 00 00 00 A0 F9 39 4F 3A E4 D0 01 A0 F9 39 4F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6132; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:42864; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|C9 AF AB EC 19 7F D2 11 97 8E 00 00 F8 75 7E 2A 00 00 00 00 A0 F9 39 4F 3A E4 D0 01 A0 F9 39 4F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6132; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:42863; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt"; flow:to_server,established; file_data; content:"{|5C|rt"; depth:4; content:"D93CE8B5-3BF8-462C-A03F-DED2730078BA"; within:500; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-6132; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:43805; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt"; flow:to_server,established; file_data; content:"{|5C|rt"; depth:4; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; within:500; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-6132; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:43804; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt"; flow:to_client,established; file_data; content:"{|5C|rt"; depth:4; content:"D93CE8B5-3BF8-462C-A03F-DED2730078BA"; within:500; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6132; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:43803; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt"; flow:to_client,established; file_data; content:"{|5C|rt"; depth:4; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; within:500; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6132; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-132; classtype:attempted-user; sid:43802; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt"; flow:to_server,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"|09 08 10 00 00 06 05 00|"; within:8; distance:508; content:"Sheet"; content:"|51 08 00 00|"; within:800; fast_pattern; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:43699; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"Sheet"; content:"|51 08 00 00|"; within:800; fast_pattern; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:43698; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF parsing remote code execution attempt"; flow:to_server,established; file_data; content:"|7B 0D 74 66 31 7B 20 68 70 7B 20 70 7B 20 6E 20 70 47 75 69 64 65 73 7D 7B 20 76 20 3B 3B|"; depth:30; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:43679; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF parsing remote code execution attempt"; flow:to_client,established; file_data; content:"|7B 0D 74 66 31 7B 20 68 70 7B 20 70 7B 20 6E 20 70 47 75 69 64 65 73 7D 7B 20 76 20 3B 3B|"; depth:30; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:43678; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word SmartTag record code execution attempt"; flow:to_server,established; file_data; content:"|24 08 00 00 07 00 00 00 FF FF 01 00 00 00 00 00 8A 05 2C 00 08 00 02 00 EC 27 0C 03 16 00 00 00 26 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30124; reference:cve,2008-2244; classtype:attempted-user; sid:43675; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word SmartTag record code execution attempt"; flow:to_client,established; file_data; content:"|24 08 00 00 07 00 00 00 FF FF 01 00 00 00 00 00 8A 05 2C 00 08 00 02 00 EC 27 0C 03 16 00 00 00 26 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30124; reference:cve,2008-2244; classtype:attempted-user; sid:43674; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel null pointer dereference attempt"; flow:to_server,established; file_data; content:"|09 08 10 00 00 06 00 01 A0 19 CD 07 C1 C0 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2007-1239; classtype:attempted-user; sid:43641; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel null pointer dereference attempt"; flow:to_server,established; file_data; content:""; content:""; within:25; content:""; within:25; content:""; within:25; metadata:service smtp; reference:cve,2007-1239; classtype:attempted-user; sid:43640; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel null pointer dereference attempt"; flow:to_client,established; file_data; content:"|09 08 10 00 00 06 00 01 A0 19 CD 07 C1 C0 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-1239; classtype:attempted-user; sid:43639; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel null pointer dereference attempt"; flow:to_client,established; file_data; content:""; content:""; within:25; content:""; within:25; content:""; within:25; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-1239; classtype:attempted-user; sid:43638; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word .rtf file double free attempt"; flow:to_server,established; file_data; content:"|7B 5C|rtf"; depth:5; content:"|5C|do"; fast_pattern; content:"|5C|do"; within:5; pcre:"/\x5Cdo[\x20\x7D].{0,5}\x5Cdo[\x20\x7D]/i"; metadata:service smtp; reference:cve,2008-4027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:attempted-user; sid:43450; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|dppolycount"; nocase; byte_test:5,>,8186,0,relative,string,dec; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-4025; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:misc-attack; sid:43328; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Powerpoint mouseover powershell malware download attempt"; flow:to_server,established; file_data; content:"|77 E3 D0 C3 5F A8 51 3E A2 83 91 AC 45 A0 83 09 E2 8B 2D 9F 7D E4 E3 C7 52 4A CB AC F9 04 87 39|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1086; reference:url,www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921/analysis/; classtype:trojan-activity; sid:43180; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Powerpoint mouseover powershell malware download attempt"; flow:to_client,established; file_data; content:"|77 E3 D0 C3 5F A8 51 3E A2 83 91 AC 45 A0 83 09 E2 8B 2D 9F 7D E4 E3 C7 52 4A CB AC F9 04 87 39|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1086; reference:url,www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921/analysis/; classtype:trojan-activity; sid:43179; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word malformed jpeg remote code execution attempt"; flow:to_server,established; file_data; flowbits:isset,file.rtf; content:"|5C|*|5C|shppict"; content:"|5C|pict"; within:50; content:"|5C|jpegblip"; within:100; fast_pattern; isdataat:500,relative; content:!"|FF D8|"; within:500; content:!"ffd8"; within:500; nocase; content:!"|89|PNG"; within:500; nocase; content:!"89504E47"; within:500; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8510; classtype:attempted-user; sid:43172; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word malformed jpeg remote code execution attempt"; flow:to_client,established; file_data; flowbits:isset,file.rtf; content:"|5C|*|5C|shppict"; content:"|5C|pict"; within:50; content:"|5C|jpegblip"; within:100; fast_pattern; isdataat:500,relative; content:!"|FF D8|"; within:500; content:!"ffd8"; within:500; nocase; content:!"|89|PNG"; within:500; nocase; content:!"89504E47"; within:500; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8510; classtype:attempted-user; sid:43171; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word 2016 use after free attempt"; flow:to_server,established; file_data; content:"|FF 00 00 E3 00 16 24 01 17 24 01 49 66 01 00 00 00 21 76 00 06 68 01 23 76 00 01 12 0B 23 76 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8509; classtype:attempted-user; sid:43160; rev:5;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word 2016 use after free attempt"; flow:to_client,established; file_data; content:"|FF 00 00 E3 00 16 24 01 17 24 01 49 66 01 00 00 00 21 76 00 06 68 01 23 76 00 01 12 0B 23 76 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8509; classtype:attempted-user; sid:43159; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE AntennaHouse HTMLFilter DHFSummary remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|FE FF|"; content:"|02 D5 CD D5 9C 2E 1B 10 93 97 08 00 2B 2C F9 AE|"; within:16; distance:26; byte_jump:4,0,relative,little,post_offset -48; byte_test:4,<,0x4,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8384; reference:url,www.talosintelligence.com/reports/TALOS-2016-0209/; classtype:attempted-user; sid:40932; rev:5;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE AntennaHouse HTMLFilter DHFSummary remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|FE FF|"; content:"|02 D5 CD D5 9C 2E 1B 10 93 97 08 00 2B 2C F9 AE|"; within:16; distance:26; byte_jump:4,0,relative,little,post_offset -48; byte_test:4,<,0x4,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8384; reference:url,www.talosintelligence.com/reports/TALOS-2016-0209/; classtype:attempted-user; sid:40931; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE AntennaHouse HTMLFilter GetFontTable remote code execution attempt"; flow:to_server,established; file_data; content:"|32 00 31 90 68 01 3A 70 6B 7D D4 00 1F B0 7C 2E 20 B0 C8 41 21 B0 08 07 22 B0 08 07 23 90 A0 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8383; reference:url,www.talosintelligence.com/reports/TALOS-2016-0208/; classtype:attempted-user; sid:40930; rev:5;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE AntennaHouse HTMLFilter GetFontTable remote code execution attempt"; flow:to_client,established; file_data; content:"|32 00 31 90 68 01 3A 70 6B 7D D4 00 1F B0 7C 2E 20 B0 C8 41 21 B0 08 07 22 B0 08 07 23 90 A0 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8383; reference:url,www.talosintelligence.com/reports/TALOS-2016-0208/; classtype:attempted-user; sid:40929; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE AntennaHouse HTMLFilter Doc_SetSummary remote code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|03 A7 7F FF 00 00 10 00 03 A7 7F FF 03 A7 7F FF 03 A7 7F FF 03 A7 7F FF 03 A7 7F FF 03 A7 7F FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8382; reference:url,www.talosintelligence.com/reports/TALOS-2016-0207/; classtype:attempted-user; sid:40928; rev:5;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE AntennaHouse HTMLFilter Doc_SetSummary remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|03 A7 7F FF 00 00 10 00 03 A7 7F FF 03 A7 7F FF 03 A7 7F FF 03 A7 7F FF 03 A7 7F FF 03 A7 7F FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8382; reference:url,www.talosintelligence.com/reports/TALOS-2016-0207/; classtype:attempted-user; sid:40927; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Lexmark Perceptive Document Filters malformed XLS information disclosure attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|0B F0|"; content:"|82 C3|"; distance:0; content:"|D0 C9 EA 79 F9 BA CE 11 8C 82 00 AA 00 4B A9 0B|"; distance:0; fast_pattern; content:!"|E0 C9 EA 79 F9 BA CE 11 8C 82 00 AA 00 4B A9 0B|"; within:16; distance:8; content:!"|03 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; within:15; distance:10; byte_test:4,>,500,8,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2806; reference:url,www.talosintelligence.com/reports/TALOS-2017-0302/; classtype:attempted-recon; sid:42138; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Lexmark Perceptive Document Filters malformed XLS information disclosure attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|0B F0|"; content:"|82 C3|"; distance:0; content:"|D0 C9 EA 79 F9 BA CE 11 8C 82 00 AA 00 4B A9 0B|"; distance:0; fast_pattern; content:!"|E0 C9 EA 79 F9 BA CE 11 8C 82 00 AA 00 4B A9 0B|"; within:16; distance:8; content:!"|03 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; within:15; distance:10; byte_test:4,>,500,8,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2806; reference:url,www.talosintelligence.com/reports/TALOS-2017-0302/; classtype:attempted-recon; sid:42137; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE AntennaHouse DMC DHFSummary stack buffer overflow attempt"; flow:to_server,established; file_data; content:"|1E 00 00 00 08 00 00 EC 54 53 45 52 00 00 00 00 1E 00 00 00 08 00 00 00 55 53 45 52 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2794; reference:url,www.talosintelligence.com/reports/TALOS-2017-0286; classtype:attempted-user; sid:41766; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE AntennaHouse DMC DHFSummary stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|1E 00 00 00 08 00 00 EC 54 53 45 52 00 00 00 00 1E 00 00 00 08 00 00 00 55 53 45 52 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2794; reference:url,www.talosintelligence.com/reports/TALOS-2017-0286; classtype:attempted-user; sid:41765; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE AntennaHouse DMC ParseEnvironment heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; content:"|0F 00 D5 07|"; byte_extract:4,0,collectionLen,relative,little; content:"|00 00 B7 0F|"; within:4; byte_test:4,>,collectionLen,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2797; reference:url,www.talosintelligence.com/reports/TALOS-2017-0290; classtype:attempted-user; sid:41760; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE AntennaHouse DMC ParseEnvironment heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; content:"|0F 00 D5 07|"; byte_extract:4,0,collectionLen,relative,little; content:"|00 00 B7 0F|"; within:4; byte_test:4,>,collectionLen,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2797; reference:url,www.talosintelligence.com/reports/TALOS-2017-0290; classtype:attempted-user; sid:41759; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE AntennaHouse DMC GetIndexArray out of bounds write attempt"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; content:"|FD 00 0A 00|"; content:"|FF FF|"; within:2; distance:2; content:"|01 02 06 00|"; within:4; distance:6; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2798; reference:url,www.talosintelligence.com/reports/TALOS-2017-0291; classtype:attempted-user; sid:41754; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE AntennaHouse DMC GetIndexArray out of bounds write attempt"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; content:"|FD 00 0A 00|"; content:"|FF FF|"; within:2; distance:2; content:"|01 02 06 00|"; within:4; distance:6; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2798; reference:url,www.talosintelligence.com/reports/TALOS-2017-0291; classtype:attempted-user; sid:41753; rev:5;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE AntennaHouse DMC HTMLFilter AddSst heap overflow attempt"; flow:to_server,established; file_data; content:"Sheet1|8C 00 04 00 01 00 01 00 FC 00 08 00 00 00 00 00 00 00 00 C8 FF 00 02 00 08 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2799; reference:url,www.talosintelligence.com/reports/TALOS-2017-0292/; classtype:attempted-user; sid:41727; rev:5;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE AntennaHouse DMC HTMLFilter AddSst heap overflow attempt"; flow:to_client,established; file_data; content:"Sheet1|8C 00 04 00 01 00 01 00 FC 00 08 00 00 00 00 00 00 00 00 C8 FF 00 02 00 08 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2799; reference:url,www.talosintelligence.com/reports/TALOS-2017-0292/; classtype:attempted-user; sid:41726; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Ichitaro Office Excel TxO record heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|B6 01 12 00|"; content:"|00 00 00 00 00 00|"; within:6; distance:4; content:!"|00 00|"; within:2; byte_extract:2,0,cchText,relative,little,multiplier 2; content:"|00 00 00 00 3C 00|"; within:6; distance:2; byte_test:2,>,cchText,0,relative,little; byte_test:1,!=,1,2,relative; isdataat:28,relative; content:!"|00 00|"; within:25; distance:3; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2790; reference:cve,2017-2795; reference:url,www.talosintelligence.com/reports/TALOS-2016-0197/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0288/; classtype:attempted-user; sid:41704; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Ichitaro Office Excel TxO record heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B6 01 12 00|"; content:"|00 00 00 00 00 00|"; within:6; distance:4; content:!"|00 00|"; within:2; byte_extract:2,0,cchText,relative,little,multiplier 2; content:"|00 00 00 00 3C 00|"; within:6; distance:2; byte_test:2,>,cchText,0,relative,little; byte_test:1,!=,1,2,relative; isdataat:28,relative; content:!"|00 00|"; within:25; distance:3; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2790; reference:cve,2017-2795; reference:url,www.talosintelligence.com/reports/TALOS-2016-0197/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0288/; classtype:attempted-user; sid:41703; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE AntennaHouse DMC HTMLFilter iBldDirInfo heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|0F 00 18 00 09 00 07 00 EC 00 72 00 0F 00 04 F0 6A 00 00 00 92 0C 0A F0 08 00 00 00 07 04 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2792; reference:url,www.talosintelligence.com/reports/TALOS-2017-0284/; classtype:attempted-user; sid:41546; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE AntennaHouse DMC HTMLFilter iBldDirInfo heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|0F 00 18 00 09 00 07 00 EC 00 72 00 0F 00 04 F0 6A 00 00 00 92 0C 0A F0 08 00 00 00 07 04 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2792; reference:url,www.talosintelligence.com/reports/TALOS-2017-0284/; classtype:attempted-user; sid:41545; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE AntennaHouse DMC HTMLFilter UnCompressUnicode out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; content:"|06 00|"; content:"|00 00 00 00 00 00 FF FF|"; within:8; distance:8; content:"|00 00 00 00|"; within:4; distance:2; byte_jump:2,0,relative,little; content:"|07 02|"; within:2; content:"|00|"; within:1; distance:4; byte_test:2,>,0x7FFF,-3,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2793; reference:url,www.talosintelligence.com/reports/TALOS-2017-0285/; classtype:attempted-user; sid:41544; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE AntennaHouse DMC HTMLFilter UnCompressUnicode out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; content:"|06 00|"; content:"|00 00 00 00 00 00 FF FF|"; within:8; distance:8; content:"|00 00 00 00|"; within:4; distance:2; byte_jump:2,0,relative,little; content:"|07 02|"; within:2; content:"|00|"; within:1; distance:4; byte_test:2,>,0x7FFF,-3,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2793; reference:url,www.talosintelligence.com/reports/TALOS-2017-0285/; classtype:attempted-user; sid:41543; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE AntennaHouse HTMLFilter FillRowFormat remote code execution attempt"; flow:to_server,established; file_data; content:"|7E 02 0A 00|"; content:"|00|"; within:1; distance:1; content:!"|00|"; within:1; distance:1; content:"|06 00|"; within:2; distance:8; byte_jump:2,0,relative,little; content:"|7E 02 0A 00|"; within:4; content:"|00|"; within:1; distance:1; content:"|00|"; within:1; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2783; reference:url,www.talosintelligence.com/reports/TALOS-2017-0279/; classtype:attempted-user; sid:41512; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE AntennaHouse HTMLFilter FillRowFormat remote code execution attempt"; flow:to_client,established; file_data; content:"|7E 02 0A 00|"; content:"|00|"; within:1; distance:1; content:!"|00|"; within:1; distance:1; content:"|06 00|"; within:2; distance:8; byte_jump:2,0,relative,little; content:"|7E 02 0A 00|"; within:4; content:"|00|"; within:1; distance:1; content:"|00|"; within:1; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2783; reference:url,www.talosintelligence.com/reports/TALOS-2017-0279/; classtype:attempted-user; sid:41511; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word unpaired RTF dpendgroup buffer overflow attempt"; flow:to_server,established; file_data; content:"{|5C|rtf1 |5C|do |5C|dpendgroup}"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32642; reference:cve,2008-4030; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:attempted-user; sid:43854; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word unpaired RTF dpendgroup buffer overflow attempt"; flow:to_client,established; file_data; content:"{|5C|rtf1 |5C|do |5C|dpendgroup}"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32642; reference:cve,2008-4030; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:attempted-user; sid:43853; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Access Jet Database Engine integer overflow attempt"; flow:to_server,established; file_data; content:"|7F 2B 03 60 6B 6B 68 5E 01 00 00 00 37 00 7F 2B 03 66 64 6B 6D 55 69 51 6B 01 00 00 00 37 01 7F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0250; classtype:attempted-user; sid:43848; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Access Jet Database Engine integer overflow attempt"; flow:to_client,established; file_data; content:"|7F 2B 03 60 6B 6B 68 5E 01 00 00 00 37 00 7F 2B 03 66 64 6B 6D 55 69 51 6B 01 00 00 00 37 01 7F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0250; classtype:attempted-user; sid:43847; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_server,established; file_data; content:"|0B F0 28 00 00 00 7F 00 80 00 80 00 04 41 01 00 00 00 05 C1 10 00 00 00 06 01 01 00 00 00 70 00 69|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:44069; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_client,established; file_data; content:"|0B F0 28 00 00 00 7F 00 80 00 80 00 04 41 01 00 00 00 05 C1 10 00 00 00 06 01 01 00 00 00 70 00 69|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:44068; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt"; flow:to_server,established; flowbits:isset,file.docx; file_data; content:".eps|EC BD DD AE EC C8 91 1E 7A 3D 03 CC 3B AC 73 A1 CB B1 2A 99 C9 2C D2 30 0E 20 03 F6 F5 C0 F6 0B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2545; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-099; classtype:attempted-user; sid:44052; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|0B F0 30 00 00 00 7F 00 01 00 05 00 80 00 A8 4F 98 02 10 81 FE FF FF FF 83 01 00 00 00 08 BF 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-0121; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-051; classtype:attempted-user; sid:44032; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0B F0 30 00 00 00 7F 00 01 00 05 00 80 00 A8 4F 98 02 10 81 FE FF FF FF 83 01 00 00 00 08 BF 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0121; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-051; classtype:attempted-user; sid:44031; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpolycount"; nocase; byte_test:5,>,8186,0,relative,string,dec; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-4025; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:misc-attack; sid:44183; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpolycount"; nocase; byte_test:5,>,8186,0,relative,string,dec; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4025; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:misc-attack; sid:44182; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word rich text format invalid field size memory corruption attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpcallout"; nocase; content:"|5C|dppolycount"; within:50; nocase; byte_test:5,>,50,0,string,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-1902; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:44157; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 51 10 1D 00 01 02 00 00 00 00 15 00 3B FF FF 00 00 00 00 00 00 01 00 13 00 13 00 01 00 01 00 00 02 51 10 1D 00 02 02 00 00 00 00 15|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:44296; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel BIFF8 formulas from records parsing code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|3B 00 00 01 00 01 00 00 00 02 00|"; content:"|3B 00 00 00 00 00 00 00 00 02 00|"; within:11; distance:12; content:"|3B 00 00 02 00 02 00 00 00 02 00|"; within:11; distance:92; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:44292; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel BIFF5 formulas from records parsing code execution attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|3B FF FF 00 00 00 00 00 00 01 00 00 00 00 00 01 00 01 00 00 02|"; content:"|3B FF FF 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 02|"; within:21; distance:12; content:"|3B FF FF 00 00 00 00 00 00 01 00 00 00 00 00 02 00 02 00 00 02|"; within:21; distance:74; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:44291; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|10 08 00 00 01 00 00 00 00 00 00 51 10 13 00 01 02 00 00 00 00 0B 00 3B 01 00 02 00 02 00 00 00 02 00 51 10 13 00 02 02 00 00 00 00 0B 00 3B 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:44290; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|51 10 0F 00 00 02 00 00 00 00 07 00 3A 00 00 00 00 00 00|"; content:"|51 10 13 00 01 02 00 00 00 00 0B 00 3B 00 00 00 00 00 00 01 00 03 00|"; within:23; distance:16; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:44289; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office PowerPoint invalid TextByteAtom remote code execution attempt"; flow:to_server,established; flowbits:isset,file.ppt; file_data; content:"|00 00 A8 0F|"; byte_test:1,&,0x80,3,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:44280; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft PowerPoint CString atom overflow attempt"; flow:to_server,established; file_data; content:"|E5 07 00 00|"; byte_extract:4,4,length,relative,little; content:"|BA 0F 00 00|"; within:length; byte_test:4,>,255,4,relative,little; metadata:service smtp; reference:cve,2009-1128; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:44304; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft PowerPoint CString atom overflow attempt"; flow:to_client,established; file_data; content:"|E5 07 00 00|"; byte_extract:4,4,length,relative,little; content:"|BA 0F 00 00|"; within:length; byte_test:4,>,255,4,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-1128; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:44303; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF WRAssembly ASLR bypass download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"WRAssembly"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:39529; rev:4;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF WRAssembly ASLR bypass download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"WRAssembly"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:39528; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF hex encoded WRAssembly ASLR bypass download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"5752417373656d626c79"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:44364; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF hex encoded WRAsembly ASLR bypass download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"57524173656d626c79"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:44363; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF WSDL file download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"7700730064006C003D006800740074007000"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8759; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759; reference:url,virustotal.com/en/file/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684/analysis/; classtype:attempted-user; sid:44372; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF WSDL file download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"7700730064006C003D006800740074007000"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8759; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759; reference:url,virustotal.com/en/file/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684/analysis/; classtype:attempted-user; sid:44371; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Fin7 Maldoc campaign exploitation attempt "; flow:to_server,established; file_data; content:"|56 75 59 32 39 6B 5A 57 52 44 62 32 35 30 5A 57 35 30 55 33 52 79 5A 57 46 74 4B 43 6B 37 44 51 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:misc-activity; sid:44433; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Fin7 Maldoc campaign exploitation attempt "; flow:to_client,established; file_data; content:"|56 75 59 32 39 6B 5A 57 52 44 62 32 35 30 5A 57 35 30 55 33 52 79 5A 57 46 74 4B 43 6B 37 44 51 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:44432; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Fin7 Maldoc campaign exploitation attempt "; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|91 9C B4 9B A0 AA 41 2A A6 80 B4 AC 59 07 E0 04 6F 05 8F CF 09 EF 9D 57 14 10 16 A2 12 5C 71 A5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:misc-activity; sid:44431; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Fin7 Maldoc campaign exploitation attempt "; flow:to_client,established; file_data; flowbits:isset,file.doc; content:"|91 9C B4 9B A0 AA 41 2A A6 80 B4 AC 59 07 E0 04 6F 05 8F CF 09 EF 9D 57 14 10 16 A2 12 5C 71 A5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:44430; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Graphics remote code execution attempt"; flow:to_server,established; file_data; content:"|50 00 50 00 54 00 31 00 30 00 00 00 8B 13 69 00 00 00 00 00 EB 2E 08 00 00 00 60 83 C3 01 D0 BC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11762; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11762; classtype:attempted-admin; sid:44519; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Graphics remote code execution attempt"; flow:to_client,established; file_data; content:"|50 00 50 00 54 00 31 00 30 00 00 00 8B 13 69 00 00 00 00 00 EB 2E 08 00 00 00 60 83 C3 01 D0 BC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11762; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11762; classtype:attempted-admin; sid:44518; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt"; flow:to_server,established; content:"/ociw32.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,82505; reference:cve,2016-0041; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-014; classtype:attempted-user; sid:44601; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt"; flow:to_server,established; content:"/iasdatastore2.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,82505; reference:cve,2016-0041; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-014; classtype:attempted-user; sid:44600; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt"; flow:to_server,established; content:"/oci.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,82505; reference:cve,2016-0041; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-014; classtype:attempted-user; sid:44599; rev:2;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office request for ociw32.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"o|00|c|00|i|00|w|00|3|00|2|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,82505; reference:cve,2016-0041; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-014; classtype:attempted-user; sid:44598; rev:2;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office request for iasdatastore2.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"i|00|a|00|s|00|d|00|a|00|t|00|a|00|s|00|t|00|o|00|r|00|e|00|2|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,82505; reference:cve,2016-0041; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-014; classtype:attempted-user; sid:44597; rev:2;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OFFICE Microsoft Office request for oci.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"o|00|c|00|i|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,82505; reference:cve,2016-0041; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-014; classtype:attempted-user; sid:44596; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word docx object type confusion attempt"; flow:to_server,established; file_data; content:"|40 AA BF 9A A8 54 31 C4 D5 66 8A 5A 6A 59 8D EF A1 8A 4E A8 06 9B 1A 0B 5C 38 87 D6 75 E7 1C 89|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-11826; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11826; classtype:attempted-admin; sid:44586; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word docx object type confusion attempt"; flow:to_client,established; file_data; content:"|40 AA BF 9A A8 54 31 C4 D5 66 8A 5A 6A 59 8D EF A1 8A 4E A8 06 9B 1A 0B 5C 38 87 D6 75 E7 1C 89|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11826; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11826; classtype:attempted-admin; sid:44585; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dde field code execution attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:" $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dde field code execution attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:" $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office dde field code execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|13|dde"; fast_pattern; nocase; content:".exe"; within:250; nocase; metadata:service smtp; reference:url,sensepost.com/blog/2017/macro-less-code-exec-in-msword; classtype:attempted-admin; sid:44695; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office dde field code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|13|DDE"; fast_pattern; nocase; content:".exe"; within:250; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,sensepost.com/blog/2017/macro-less-code-exec-in-msword; classtype:attempted-admin; sid:44694; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt"; flow:to_client,established; file_data; content:"|78 9F 3E 22|"; depth:4; content:"|03 00 05 37|"; content:"|0D 37|"; content:".exe?"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,41446; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-045; classtype:attempted-user; sid:44670; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt"; flow:to_server,established; file_data; content:"|78 9F 3E 22|"; depth:4; content:"|03 00 05 37|"; content:"|0D 37|"; content:".exe?"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,41446; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-045; classtype:attempted-user; sid:44669; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Hewlett-Packard Autonomy KeyView library stack-based buffer overflow attempt"; flow:to_server,established; file_data; content:"xl/workbook.xml|8D 94 CB 6E DB 46 14 86 5F 45 20 B2 4D 74 E6 C6 21 0D CB C1 AF CA 81 0C DF 93 C0 76 BD 68 CD 48 94 45 F1 32 E4 90 14 29 C1 AB 6E 0B 74 DB 07 28 BA C9 33 B4 9B|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-6277; classtype:attempted-user; sid:44796; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Hewlett-Packard Autonomy KeyView library stack-based buffer overflow attempt"; flow:to_client,established; file_data; content:"xl/workbook.xml|8D 94 CB 6E DB 46 14 86 5F 45 20 B2 4D 74 E6 C6 21 0D CB C1 AF CA 81 0C DF 93 C0 76 BD 68 CD 48 94 45 F1 32 E4 90 14 29 C1 AB 6E 0B 74 DB 07 28 BA C9 33 B4 9B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-6277; classtype:attempted-user; sid:44795; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word RTF memory corruption attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|trbrdrt|5C|brdrnil"; fast_pattern:only; content:"{|5C|shptxt"; content:!"}"; within:200; content:"|5C|trbrdrb|5C|brdrnil"; within:200; content:"|5C|trbrdrl|5C|brdrnil"; content:"|5C|trbrdrr|5C|brdrnil"; pcre:"/\x5c[^\d\W]{100}/"; metadata:service smtp; reference:cve,2017-11854; classtype:attempted-user; sid:44839; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word RTF memory corruption attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|trbrdrt|5C|brdrnil"; fast_pattern:only; content:"{|5C|shptxt"; content:!"}"; within:200; content:"|5C|trbrdrb|5C|brdrnil"; within:200; content:"|5C|trbrdrl|5C|brdrnil"; content:"|5C|trbrdrr|5C|brdrnil"; pcre:"/\x5cbr[^\d\W]{100}/"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11854; classtype:attempted-user; sid:44838; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel use after free vulnerability exploit attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|FE FE FC 00 44 97 3B 76 B2 FD FF FE B2 C6 E1 01 44 95 A0 BC D4 FF FE FF 00 45 97 3B 76 B2 FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11878; classtype:attempted-user; sid:44822; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel use after free vulnerability exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|FE FE FC 00 44 97 3B 76 B2 FD FF FE B2 C6 E1 01 44 95 A0 BC D4 FF FE FF 00 45 97 3B 76 B2 FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11878; classtype:attempted-user; sid:44821; rev:3;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Equation Editor object with automatic execution embedded in RTF attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; nocase; content:"|5C|objclass Equation.3"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11882; reference:cve,2018-0802; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11882; classtype:attempted-user; sid:44990; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Equation Editor object with automatic execution embedded in RTF attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; nocase; content:"|5C|objclass Equation.3"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11882; reference:cve,2018-0802; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11882; classtype:attempted-user; sid:44989; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt"; flow:to_server,established; file_data; content:"|1C 00 00 00 02 00|"; byte_extract:4,2,obj_len,relative,little; content:"|12 0C 43 00|"; within:obj_len; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11882; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882; classtype:attempted-user; sid:45135; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|1C 00 00 00 02 00|"; byte_extract:4,2,obj_len,relative,little; content:"|12 0C 43 00|"; within:obj_len; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11882; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882; classtype:attempted-user; sid:45134; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|5C|objupdate"; nocase; pcre:"/12\s*0C\s*43\s*00/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11882; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882; classtype:attempted-user; sid:45133; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt"; flow:to_server,established; file_data; content:"|5C|objupdate"; nocase; pcre:"/12\s*0C\s*43\s*00/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11882; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882; classtype:attempted-user; sid:45132; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel malformed spreadsheet use-after-free attempt"; flow:to_server,established; file_data; flowbits:isset,file.xls; content:"|5B A9 50 F0 07 7A C8 45 6F 09 54 A3 58 53 94 ED 66 D2 86 C6 BA C6 6A 23 C6 43 69 D2 12 48 2B 34|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11935; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11935; classtype:attempted-admin; sid:45124; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel malformed spreadsheet use-after-free attempt"; flow:to_client,established; file_data; flowbits:isset,file.xls; content:"|5B A9 50 F0 07 7A C8 45 6F 09 54 A3 58 53 94 ED 66 D2 86 C6 BA C6 6A 23 C6 43 69 D2 12 48 2B 34|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11935; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11935; classtype:attempted-admin; sid:45123; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word memory corruption exploit attempt"; flow:to_client,established; file_data; content:"sedon16 |5C|snext16 |5C|styrsid7108836"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-0797; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0797; classtype:attempted-user; sid:45403; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word memory corruption exploit attempt"; flow:to_server,established; file_data; content:"sedon16 |5C|snext16 |5C|styrsid7108836"; fast_pattern:only; metadata:service smtp; reference:cve,2018-0797; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0797; classtype:attempted-user; sid:45402; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word docx subDocument file include attempt"; flow:to_server,established; flowbits:isset,file.doc|file.docx; file_data; content:" $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word docx subDocument file include attempt"; flow:to_client,established; flowbits:isset,file.doc|file.docx; file_data; content:" $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF Composite Moniker object creation attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objautlink"; content:"0903000000000000C000000000000046"; distance:0; fast_pattern; content:"C6AFABEC197FD211978E0000F8757E2A"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; classtype:attempted-user; sid:45416; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF Composite Moniker object creation attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objautlink"; content:"0903000000000000c000000000000046"; distance:0; fast_pattern; nocase; content:"C6AFABEC197FD211978E0000F8757E2A"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; classtype:attempted-user; sid:45415; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt"; flow:to_server,established; file_data; flowbits:isset,file.rtf; content:"|5C|objclass None"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11882; reference:cve,2018-0802; classtype:attempted-user; sid:45467; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt"; flow:to_client,established; file_data; flowbits:isset,file.rtf; content:"|5C|objclass None"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11882; reference:cve,2018-0802; classtype:attempted-user; sid:45466; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Word PlfLfo use after free attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|10 DA 06 17 23 5A C9 01 00 00 00 00 00 00 00 00 5C 04 00 00 00 00 00 00 8A 04 00 00 10 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2008-4024; classtype:attempted-user; sid:45492; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Word PlfLfo use after free attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|10 DA 06 17 23 5A C9 01 00 00 00 00 00 00 00 00 5C 04 00 00 00 00 00 00 8A 04 00 00 10 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2008-4024; classtype:attempted-user; sid:45491; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objclass Package"; nocase; content:"4d5a"; within:250; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11882; reference:cve,2018-0802; classtype:attempted-admin; sid:45512; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objclass Package"; nocase; content:"4d5a"; within:250; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11882; reference:cve,2018-0802; classtype:attempted-admin; sid:45511; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|0F 00 04 F0|"; content:"|0A F0 08 00 00 00|"; within:6; distance:6; content:"|01 00 09 F0 10 00 00 00|"; within:8; distance:8; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-3334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:45557; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|0F 00 04 F0|"; content:"|0A F0 08 00 00 00|"; within:6; distance:6; content:"|01 00 09 F0 10 00 00 00|"; within:8; distance:8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:45556; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B0 00 00 00 00 00 00 00 09 08 10 00 00 06 05 00 AA 1F CD 07|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1245; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:45620; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|B0 00 00 00 00 00 00 00 09 08 10 00 00 06 05 00 AA 1F CD 07|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,40523; reference:cve,2010-1245; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:45619; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office remote code execution attempt"; flow:to_server,established; file_data; content:"|05 00 00 00 01 00 20 00 00 48 00 00 00 00 00 00 00 00 C0 20 E0 00 14 00 0A 00 03 00 01 00 22 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0841; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0841; classtype:attempted-admin; sid:45655; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office remote code execution attempt"; flow:to_client,established; file_data; content:"|05 00 00 00 01 00 20 00 00 48 00 00 00 00 00 00 00 00 C0 20 E0 00 14 00 0A 00 03 00 01 00 22 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0841; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0841; classtype:attempted-admin; sid:45654; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Access remote code execution attempt "; flow:to_server,established; file_data; content:"|0F 10 14 1C 32 02 39 01 3D 02 42 03 61 18 00 62 18 00 63 36 1B 65 0B 00 67 06 00 68 56 22 69 A4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0903; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0903; classtype:attempted-user; sid:45884; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Access remote code execution attempt "; flow:to_client,established; file_data; content:"|0F 10 14 1C 32 02 39 01 3D 02 42 03 61 18 00 62 18 00 63 36 1B 65 0B 00 67 06 00 68 56 22 69 A4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0903; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0903; classtype:attempted-user; sid:45883; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF listoverride memory corruption attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"{|5C|listoverride"; content:"|5C|ls"; within:50; byte_extract:4,0,ls,relative,string,dec; content:"}"; within:5; content:"{|5C|listoverride"; distance:0; content:"|5C|ls"; within:50; byte_test:4,=,ls,0,relative,string,dec; content:"}"; within:5; metadata:service smtp; reference:cve,2018-0922; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0922; classtype:attempted-user; sid:45880; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF listoverride memory corruption attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"{|5C|listoverride"; content:"|5C|ls"; within:50; byte_extract:4,0,ls,relative,string,dec; content:"}"; within:5; content:"{|5C|listoverride"; distance:0; content:"|5C|ls"; within:50; byte_test:4,=,ls,0,relative,string,dec; content:"}"; within:5; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-0922; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0922; classtype:attempted-user; sid:45879; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; nocase; content:"0002CE020000000000C000000000000046"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0802; classtype:attempted-user; sid:46107; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; nocase; content:"0002CE020000000000C000000000000046"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0802; classtype:attempted-user; sid:46106; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft JET Database remote code execution attempt"; flow:to_server,established; file_data; flowbits:isset,file.xls; content:"|01 02 06 00 00 00 00 00 3E 00 FD 00 0A 00 00 00 01 00 3F 00 00 00 00 00 FD 00 0A 00 00 00 02 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1003; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1003; classtype:attempted-user; sid:46234; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft JET Database remote code execution attempt"; flow:to_client,established; file_data; flowbits:isset,file.xls; content:"|01 02 06 00 00 00 00 00 3E 00 FD 00 0A 00 00 00 01 00 3F 00 00 00 00 00 FD 00 0A 00 00 00 02 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1003; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1003; classtype:attempted-user; sid:46233; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt"; flow:to_server,established; file_data; content:"|F0 14 37 01 00 52 00 07 F0 C1 BD 00 00 05 05 64 5C 4A C5 F7 CB 55 16 90 D0 7F 5D BC D8 21 8D FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1027; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1027; classtype:attempted-user; sid:46209; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt"; flow:to_client,established; file_data; content:"|F0 14 37 01 00 52 00 07 F0 C1 BD 00 00 05 05 64 5C 4A C5 F7 CB 55 16 90 D0 7F 5D BC D8 21 8D FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1027; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1027; classtype:attempted-user; sid:46208; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel named range cell content use-after-free attempt"; flow:to_server,established; flowbits:isset,file.xlsx; file_data; content:"|42 28 F6 2B 22 EC 5F 80 2E 0E 00 55 54 0D 00 07 6E 0D 62 5A 3D EB 65 5A 3D EB 65 5A 50 4B 03 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0920; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0920; classtype:attempted-user; sid:46197; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel named range cell content use-after-free attempt"; flow:to_client,established; flowbits:isset,file.xlsx; file_data; content:"|42 28 F6 2B 22 EC 5F 80 2E 0E 00 55 54 0D 00 07 6E 0D 62 5A 3D EB 65 5A 3D EB 65 5A 50 4B 03 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0920; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0920; classtype:attempted-user; sid:46196; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel drawing cell reuse use-after-free attempt"; flow:to_server,established; file_data; content:"|B8 04 54 B0 91 ED B6 C9 7F BF C3 24 19 AD 52 E0 0C 75 F6 D2 90 E2 BB 4F BE BE 2F F6 39 CA E5 F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1011; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1011; classtype:attempted-user; sid:46193; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel drawing cell reuse use-after-free attempt"; flow:to_client,established; file_data; content:"|B8 04 54 B0 91 ED B6 C9 7F BF C3 24 19 AD 52 E0 0C 75 F6 D2 90 E2 BB 4F BE BE 2F F6 39 CA E5 F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1011; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1011; classtype:attempted-user; sid:46192; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel remote code execution attempt"; flow:to_server,established; file_data; flowbits:isset,file.xls; content:"|67 75 73 74 20 32 30 31 34 0A 41 64 6D 69 6E 20 66 6F 72 20 48 65 61 6C 74 68 55 6E 6C 6F 63 6B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1026; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1026; classtype:attempted-user; sid:46185; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel remote code execution attempt"; flow:to_client,established; file_data; flowbits:isset,file.xls; content:"|67 75 73 74 20 32 30 31 34 0A 41 64 6D 69 6E 20 66 6F 72 20 48 65 61 6C 74 68 55 6E 6C 6F 63 6B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1026; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1026; classtype:attempted-user; sid:46184; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel graphics remote code execution attempt"; flow:to_server,established; file_data; flowbits:isset,file.xls; content:"|6F 86 AF D2 A2 E4 FD F2 0D 4B 82 60 93 07 C4 E9 36 5A B7 51 CE DA 84 C2 0E 32 35 8F BD 7C 17 75|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1028; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1028; classtype:attempted-user; sid:46183; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel graphics remote code execution attempt"; flow:to_client,established; file_data; flowbits:isset,file.xls; content:"|6F 86 AF D2 A2 E4 FD F2 0D 4B 82 60 93 07 C4 E9 36 5A B7 51 CE DA 84 C2 0E 32 35 8F BD 7C 17 75|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1028; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1028; classtype:attempted-user; sid:46182; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt"; flow:to_server,established; file_data; content:"|AD 7D 4C DF A3 40 8B DA 8F 97 57 02 5F 1F DC 40 E1 56 AD 40 0C 46 B2 A5 5F 95 AD D8 04 13 FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1029; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1029; classtype:attempted-user; sid:46181; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt"; flow:to_client,established; file_data; content:"|AD 7D 4C DF A3 40 8B DA 8F 97 57 02 5F 1F DC 40 E1 56 AD 40 0C 46 B2 A5 5F 95 AD D8 04 13 FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1029; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1029; classtype:attempted-user; sid:46180; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Excel out of bounds read attempt"; flow:to_server,established; file_data; content:"|FF 00 C0 17 01 00 20 4C FF FF 00 C0 42 02 52 00 1E 01 00 04 42 02 73 00 07 02 0A 00 07 00 00 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1030; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1030; classtype:attempted-user; sid:46179; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office Excel out of bounds read attempt"; flow:to_client,established; file_data; content:"|FF 00 C0 17 01 00 20 4C FF FF 00 C0 42 02 52 00 1E 01 00 04 42 02 73 00 07 02 0A 00 07 00 00 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1030; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1030; classtype:attempted-user; sid:46178; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office Outlook use-after-free vulnerability attempt"; flow:to_server,established; file_data; content:"