snort2-docker/docker/etc/rules/file-other.rules

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
# 
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
# 
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------
# FILE-OTHER RULES
#------------------

# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Multiple products version.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|version.dll"; fast_pattern:only; http_uri; content:!"User-Agent: Microsoft-Symbol-Server/"; http_header; metadata:service http; reference:cve,2012-0756; reference:cve,2016-0947; reference:cve,2016-1087; reference:cve,2016-4126; reference:cve,2016-6804; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; reference:url,helpx.adobe.com/security/products/reader/apsb16-18.html; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21322; rev:11;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Multiple products request for version.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"v|00|e|00|r|00|s|00|i|00|o|00|n|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2012-0756; reference:cve,2016-0947; reference:cve,2016-1087; reference:cve,2016-4126; reference:cve,2016-6804; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; reference:url,helpx.adobe.com/security/products/reader/apsb16-18.html; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21319; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Windows Uniscribe remote code execution vulnerability attempt"; flow:to_server,established; file_data; content:"|00 01 00 00|"; depth:4; content:"cmap"; byte_test:4,>,0x00FFFFFF,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-014; classtype:attempted-user; sid:41598; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Windows Uniscribe remote code execution vulnerability attempt"; flow:to_client,established; file_data; content:"|00 01 00 00|"; depth:4; content:"cmap"; byte_test:4,>,0x00FFFFFF,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-014; classtype:attempted-user; sid:41597; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|dwmapi.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,62836; reference:cve,2010-3127; reference:cve,2010-3131; reference:cve,2010-3152; reference:cve,2010-3191; reference:cve,2010-3976; reference:cve,2013-0733; reference:cve,2013-3485; reference:cve,2016-1090; reference:cve,2017-17069; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; reference:url,www.adobe.com/support/security/bulletins/apsb10-26.html; classtype:attempted-user; sid:19620; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xm; file_data; content:"Extended Module|3A 20|"; nocase; byte_test:1,!=,26,20,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2004-1896; reference:url,www.securityfocus.com/bid/10045; classtype:attempted-user; sid:2550; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Video Spirit visprj buffer overflow"; flow:established,to_client; flowbits:isset,file.visprj; file_data; content:"valitem"; nocase; pcre:"/<\s*valitem[^>]*\s(value|name)\s*=\s*([\x22\x27])[^\x22\x27]{104}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0499; classtype:attempted-user; sid:20889; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Autodesk 3D Studio Maxscript dangerous scripting method attempt"; flow:to_client,established; flowbits:isset,file.autodesk_max; file_data; content:"WriteString"; fast_pattern:only; content:"fopen"; nocase; pcre:"/^\s+(\w+)\s+\x22wb?\x22/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36634; reference:cve,2009-3577; classtype:attempted-user; sid:20870; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Autodesk Maya dangerous scripting method attempt"; flow:to_client,established; flowbits:isset,file.autodesk_ma; file_data; content:"requires maya"; fast_pattern:only; content:"fopen"; nocase; content:"fwrite"; distance:0; nocase; pcre:"/(?P<q1>\x24\w+)\s*=\s*\x60\s*fopen[^\x60]*[\x22\x27]wb?.+?fwrite\s+(?P=q1)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36636; reference:cve,2009-3578; classtype:attempted-user; sid:20861; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER DAZ Studio dangerous scripting method attempt"; flow:to_client,established; flowbits:isset,file.daz_ds; file_data; content:"DzFile"; fast_pattern:only; pcre:"/var\s+(?P<q1>\w+)\s+=\s+new\s+DzFile.+?(?P=q1)\.open\(\s*2\s*\)/ms"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,37176; reference:cve,2009-4148; classtype:attempted-user; sid:20853; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"muhT|9B 00 00 00 00 04 00 00|FCRD|A8 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2874; classtype:attempted-user; sid:17193; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"EyeL|04 00 00 00 01 00 00 00 42 00 00 00 70 00 00 00 99 00 00 00 56 55 55 15|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2871; classtype:attempted-user; sid:17190; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|32 02 30 82 02 31 30 02 38 38 02 30 82 02 31 30 02 38 38 03 30 30 30 41 30 30 30 30 30 30 31 33 00 00 30 30 30 30 30 32 02 30 82 02 31 30 02 38|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2879; classtype:attempted-user; sid:17197; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|00 23 6F 98 00 00 00 00 00 00 00 62 00 00 00 01 00 0F FF FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2873; classtype:attempted-user; sid:17192; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|01 36 01 00 00 00 80 80 00 00 00 15 00 00 00 03 00 00 00 27 00 00 00 24 00 00 00 02 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 06 00 01 00 00 00 0F E1 FD|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2877; classtype:attempted-user; sid:17196; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|6D 9E 54 65 78 74 00 00 00 00 00 00 00 00 00 00 00 00 0F 00 00 01 1A 3A 36 23 16 3A 37 0C 29 47 72 65 67 20 42 61 72 6E 65 74 74 00 80 80 00 04 74 65 78 74 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2878; classtype:attempted-user; sid:17198; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Flash arbitrary memory access attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"BB|00 00 03|PAA|00 00 03|P|00 05 00 00 03|h"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3465; reference:url,www.adobe.com/support/security/bulletins/apsb09-16.html; classtype:attempted-user; sid:16225; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Visual Studio .addin file access"; flow:to_client,established; flowbits:isset,file.addin; file_data; content:"<Assembly>"; fast_pattern; nocase; content:".dll"; distance:1; nocase; content:"</Assembly>"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-0008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-021; classtype:attempted-user; sid:21576; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Visual Studio PKP file handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pkp; file_data; content:"|22|projectname|22| = |22|"; nocase; content:!"|22|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-1043; reference:url,www.securityfocus.com/bid/16953; classtype:attempted-user; sid:22030; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Visual Studio DBP file handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.dbp; file_data; content:"dataproject = |22|"; nocase; content:!"|22|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-1043; reference:url,www.securityfocus.com/bid/16953; classtype:attempted-user; sid:22029; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Visual Studio SLN file handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.sln; file_data; content:"Project"; nocase; pcre:"/^\x28\x22[^\x22]+\x22\x29\s*\x3d\s*\x22[^\x22]{200}/iR"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-1043; reference:url,www.securityfocus.com/bid/16953; classtype:attempted-user; sid:22031; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Visual Studio VAP file handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.vap; file_data; content:"|22|projectname|22| = |22|"; nocase; content:!"|22|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-1043; reference:url,www.securityfocus.com/bid/16953; classtype:attempted-user; sid:22032; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows True Type Font maxComponentPoints overflow attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 01 00 00|"; depth:4; content:"maxp"; depth:250; byte_jump:4,4,relative,from_beginning, post_offset 10,big; byte_test:2,>,0x8000,0,relative,big; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0159; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-034; classtype:attempted-user; sid:22087; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO"; depth:4; content:"cmap"; within:200; content:"name"; within:200; byte_test:4,>=,0x80000000,4,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23154; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO"; depth:4; content:"cmap"; within:200; content:"head"; within:200; byte_test:4,>=,0x80000000,8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23153; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO"; depth:4; content:"cmap"; within:200; content:"name"; within:200; byte_test:4,>=,0x80000000,8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23155; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ELF multiple antivirus evasion attempts"; flow:to_client,established; file_data; content:"|7F|ELF"; depth:4; content:"ustar"; depth:5; offset:257; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1429; classtype:attempted-user; sid:23318; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; file_data; content:"|4A 46 49 46|"; depth:4; offset:6; content:"ustar"; depth:5; offset:257; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1428; classtype:attempted-user; sid:23358; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ACDSee FotoSlate PLP file buffer overflow attempt"; flow:established,to_client; flowbits:isset,file.plp; file_data; content:"<int"; fast_pattern:only; pcre:"/<int[^>]*?id\s*=\s*(\x22|\x27)[^\x22\x27]{50}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49558; reference:cve,2011-2595; classtype:attempted-user; sid:23479; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.tar; file_data; content:"|19 04 00 10|"; depth:4; offset:8; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1424; classtype:attempted-user; sid:23326; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ACDSee FotoSlate PLP file buffer overflow attempt"; flow:established,to_client; flowbits:isset,file.plp; file_data; content:"<string"; fast_pattern:only; pcre:"/<string[^>]*?id\s*=\s*(\x22|\x27)[^\x22\x27]{50}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49558; reference:cve,2011-2595; classtype:attempted-user; sid:23478; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.tar; file_data; content:"|50 4B 03 04|"; depth:4; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1425; classtype:attempted-user; sid:23325; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.tar; file_data; content:"MZ"; depth:2; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1423; classtype:attempted-user; sid:23327; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.tar; file_data; content:"[aliases]"; depth:9; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1419; classtype:attempted-user; sid:23351; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; file_data; content:"|7F|ELF"; depth:4; content:"ustar"; depth:5; offset:257; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1420; classtype:attempted-user; sid:23323; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; file_data; content:"ITSF"; depth:4; content:"ustar"; depth:5; offset:257; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1422; classtype:attempted-user; sid:23328; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.tar; file_data; content:"BZh"; depth:3; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1426; classtype:attempted-user; sid:23324; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ELF multiple antivirus evasion attempts"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|19 04 00 10|"; depth:4; offset:8; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1430; classtype:attempted-user; sid:23357; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; file_data; content:"MSCF"; depth:4; content:"ustar"; depth:5; offset:257; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1421; classtype:attempted-user; sid:23329; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple Quicktime TeXML sampleData attribute overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"text3GTrack"; nocase; content:"sampleData"; distance:0; content:"highlightColor|3A|"; pcre:"/^\s*[^\x3e]{62}/Rsmi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0663; classtype:attempted-user; sid:23584; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows malformed ASF voice codec memory corruption attempt"; flow:to_server,established; file_data; content:"@|9E|i|F8|M[|CF 11 A8 FD 00 80|_|5C|D+"; isdataat:46,relative; pcre:"/^.{38}\x0a\x00..(?!(\x40\x1f|\x11\x2b|\x80\x3e|\x22\x56)\x00\x00)/R"; metadata:service smtp; reference:cve,2009-0555; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-051; classtype:attempted-user; sid:23578; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Task Scheduler buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.job; file_data; content:"|00 14 73 0F|"; depth:4; offset:36; content:"|00 3A 00 5C|"; within:4; distance:33; byte_test:2,>,260,-7,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,10708; reference:cve,2004-0212; classtype:attempted-user; sid:23489; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft MHTML XSS attempt"; flow:to_server,established; flowbits:isset,file.mht; file_data; content:"MIME-Version"; fast_pattern:only; pcre:"/(\x3C\s*script|onload|onclick|onmouseover)/ims"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-026; classtype:attempted-user; sid:23562; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple Quicktime TeXML Style attribute overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"text3GTrack"; nocase; content:"style"; distance:0; content:"color|3A|"; pcre:"/^\s*[^\x7d]{62}/Rsmi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0663; classtype:attempted-user; sid:23583; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows MHTML XSS attempt"; flow:to_server,established; file_data; content:"mhtml|3A|"; pcre:"/(location\x2ereplace\x28|window\x2elocation\x2ehref\s*?=|iframe\s*?src\s*?=|a\s*?href\s*?=)\s*?[\x22\x27]mhtml\x3a(http|file)\x3a\x2f\x2f/Rsmi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-026; classtype:attempted-user; sid:23563; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple Quicktime TeXML Transform attribute overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"text3GTrack"; nocase; content:"transform"; distance:0; pcre:"/^\s*\x3d\s*[\x27\x22](translate|matrix)[^\x27\x22]{62}/Rsmi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0663; classtype:attempted-user; sid:23582; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Illustrator DSC comment overflow attempt"; flow:to_server,established; file_data; content:"%!PS-Adobe-"; nocase; content:"EPSF-"; within:10; pcre:"/%[^\x0d\x0a]{1000}/smiR"; metadata:service smtp; reference:bugtraq,37192; reference:cve,2009-4195; classtype:attempted-user; sid:23564; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"text3GTrack"; nocase; content:"description"; distance:0; content:"backgroundColor|3A|"; pcre:"/^\s*[^\x3e]{62}/Rsmi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0663; classtype:attempted-user; sid:23585; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table overflow attempt"; flow:to_server,established; flowbits:isset,file.eot; file_data; content:"|00 01 00 01 00 00 00 01 FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-029; classtype:attempted-user; sid:23566; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple Quicktime TeXML Style attribute overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"text3GTrack"; nocase; content:"karaoke"; distance:0; content:"color|3A|"; pcre:"/^\s*[^\x7d]{62}/Rsmi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0663; classtype:attempted-user; sid:23586; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER PeaZip command injection attempt"; flow:established,to_client; flowbits:isset,file.zip; content:"README.TXT"; nocase; pcre:"/^\s*\x22?\s+\x22\s*\x7C[^\x7C]+\x7C\s*\.txt/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2261; classtype:attempted-user; sid:21413; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt"; flow:established,to_client; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; depth:4; byte_test:4,>,33412,24,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,11555; reference:cve,2004-1094; classtype:attempted-user; sid:21420; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple OSX ZIP archive shell script execution attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"__MACOSX/._"; pcre:"/^[A-Za-z0-9\\x2b-]+?\.(mov|jpg)\x55/Ri"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,16736; reference:cve,2006-0848; reference:url,docs.info.apple.com/article.html?artnum=303382 ; classtype:attempted-user; sid:21557; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Winamp skin file arbitrary code execution attempt"; flow:established,to_server; flowbits:isset,file.zip; flowbits:isset,file.winampskin; file_data; content:"PK|03 04|"; depth:4; content:".exe"; metadata:service smtp; reference:bugtraq,11053; reference:cve,2004-0820; classtype:attempted-user; sid:24052; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Winamp skin file arbitrary code execution attempt"; flow:established,to_client; flowbits:isset,file.zip; flowbits:isset,file.winampskin; file_data; content:"PK|03 04|"; depth:4; content:".exe"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,11053; reference:cve,2004-0820; classtype:attempted-user; sid:24051; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-OTHER technote main.cgi file directory traversal attempt"; flow:to_server,established; content:"/technote/main.cgi"; fast_pattern; nocase; http_uri; content:"filename="; nocase; content:"../../"; metadata:ruleset community, service http; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1051; rev:23;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER F-Secure AntiVirus library heap overflow attempt"; flow:to_client,established; flowbits:isset,file.arj; file_data; content:"|0A|`|EA|"; pcre:"/\x0a\x0d?\x0a\x60\xea(.{36}[^\x00]{256}|.+\x60\xea.{32}[^\x00]{256})/s"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,12515; reference:cve,2005-0350; classtype:attempted-user; sid:15583; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Flash memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF 01 1F 02|H|00 00 00|6|00 00 FF FF 01 1F 1F EE|"; content:!"|FF FF FF FF|"; within:4; distance:-24; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3463; classtype:attempted-user; sid:16293; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file tSAC record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"tSAC|B7 00 00 00 00 00 00 01 00 00 00 8F|"; content:"|00 16 00 00 00 00 00 00 00 00 00 00 00 45 00 00|"; within:16; distance:24; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17183; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL|0E 05 00 00 00 00 00 00 00 00 00 00|"; content:"|01 17 00 C0 FF FF 00 00 00 C1 00 00 01 84 00 00|"; within:16; distance:84; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17186; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file tSAC record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"tSAC|B7 00 00 00 00 00 00 01 00 00 00 8F|"; content:"|00 00 00 00 00 16 00 00 00 00 00 00 00 3F 00 00|"; within:16; distance:20; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17182; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|8F 41 01 45 C2 AE 00 FF 45 B0 41 24 43 46 1F 42|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17187; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file LsCM overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"LsCM"; byte_test:4,>,4211081214,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2864; classtype:attempted-user; sid:17200; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL|0E 05 00 00 00 00 00 00 00 00 00 00 00 00 05 0E 00 00 05 0E 00 5C 00 40|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17185; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL|0E 05 00 00 00 00 00 00 00 00 00 00 00 00 05 0E|"; content:"|0A 08 19 1E 1C 1E 1F 1E 44 00 43 01 57 6E A1 9C|"; within:16; distance:512; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17188; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file LsCM record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"LsCM|3A 00 00 00 00 00 00 0C 00 00 00 01 00 04 00 00 40 05 00 00|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2864; classtype:attempted-user; sid:17181; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file tSAC record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"tSAC|B7 00 00 00 00 00 00 01 00 00 00 8F|"; content:"|00 00 00 00 00 00 00 00 00 06 00 00 00 45 00 00|"; within:16; distance:28; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17184; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file file rcsL overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; fast_pattern:only; content:"rcsL"; byte_test:1,>,127,76,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2867; classtype:attempted-user; sid:17203; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file mmap overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"RIFX"; depth:4; content:"mmap"; byte_test:4,>,32768,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2870; classtype:attempted-user; sid:17204; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file LsCM record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"LsCM|3A 00 00 00 00 00 00 0C 00 00 40 01|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2864; reference:cve,2010-2881; classtype:attempted-user; sid:17180; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|52 02 4C 00 61 46 43 01 57 C9 41 01 06 52 43 4C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2868; reference:cve,2010-2869; reference:cve,2010-2882; classtype:attempted-user; sid:17189; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave director file malformed lcsr block memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"p|00 00 00 01 00 00 00 A8 FF FB|m|10|http|3A|//www."; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3466; reference:url,www.adobe.com/support/security/bulletins/apsb09-16.html; classtype:attempted-user; sid:16220; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave tSAC pointer overwrite attempt"; flow:to_client,established; flowbits:isset, file.dir; file_data; content:"tSAC<|04 00 00 00 04 00 00 04|2|0B 00 00 01 00 00 00 14 0C 0C 0C 0C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3464; reference:url,www.adobe.com/support/security/bulletins/apsb09-16.html; classtype:attempted-user; sid:16223; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; content:"OPC_TAG_NAME,OBJECT_TYPE,INSTANCE,OBJECT_NAME"; fast_pattern:only; pcre:"/^\x5c[^\x5c\x2c]{600,}\x5Cscada,0,0,$/m"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:21317; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ELF file parsing in different antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|19 04 00 10|"; depth:4; offset:8; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1430; reference:url,securityfocus.com/archive/1/522005; classtype:bad-unknown; sid:21630; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ELF file parsing in different antivirus evasion attempt"; flow:to_client,established; file_data; content:"|7F|ELF"; depth:4; content:"|4A 46 49 46|"; within:4; distance:2; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1431; reference:url,securityfocus.com/archive/1/522005; classtype:bad-unknown; sid:21629; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; fast_pattern:only; content:"XFIR"; nocase; content:"tSAC"; distance:0; nocase; byte_test:2,>,32767,40,relative; content:"shockwave3d"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2866; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:23371; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt"; flow:to_client,established; file_data; content:"|3F 5F 03 00|"; depth:4; content:"TTLBTREE|00 2E 06 00 00 7C 62|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23382; reference:cve,2007-1912; classtype:attempted-user; sid:17374; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Help File Heap Buffer Overflow attempt"; flow:to_client,established; file_data; content:"|80 80 00 00 C0 C0 C0 00 80 80 80 00 00 00 FF 00 00 FF 00 00 00 FF FF 00 FF 00 00 00 FF 00 FF 00 FF FF 00 00 FF FF FF 00 00 41 41 41 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17325; reference:cve,2006-1591; classtype:attempted-user; sid:17489; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Pagemaker Font Name Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.pmd; file_data; content:"|61 61 61 61 61 61 61 61 61 61 61 61 0F 42 01 05 41 41 41 41 41 41 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25989; reference:cve,2007-5169; classtype:attempted-user; sid:17735; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Server 2003 update service principal name spn dos executable attempt"; flow:to_client,established; file_data; content:"|62 00 61 00 64 00 2E 00 44 00 4E 00 53 00 65 00 6E 00 74 00 72 00 79 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-005; classtype:attempted-admin; sid:18406; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Data Access Components library attempt"; flow:to_client,established; file_data; content:"|33 C0 66 89 45 F4 6A FD 8D 85 BC FF FE FF 50 6A FD 8D 8D D8 FF FE FF 51 6A FD 8D 95 F4 FF FE FF 52 8B 85 A4 FF FE FF 50 E8 9B FB FF FF 33 C0 52 8B CD 50 8D 15 14 15 41 00 E8 9E FB FF FF 58 5A 5F 5E 5B 8B 4D FC 33 CD E8 12 FB|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-002; classtype:attempted-user; sid:18276; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows OpenType Fonts CompactFontFormat FontMatrix tranform memory corruption attempt"; flow:to_client,established; file_data; content:"|04 FB 61 0C 03 F1 0C 04 8C 8B 8B 8C 8B 8B 0C 07 1C F7 E9 FD|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-032; classtype:attempted-admin; sid:18644; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"FILE-OTHER Microsoft Windows Server 2003 update service principal name spn dos attempt"; flow:to_server,established; content:"|62 00 61 00 64 00 2E 00 44 00 4E 00 53 00 65 00 6E 00 74 00 72 00 79 00 00 00|"; fast_pattern:only; metadata:service netbios-ns; reference:cve,2011-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-005; classtype:attempted-admin; sid:18407; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe malicious IFF memory corruption attempt"; flow:to_client,established; file_data; content:"|2F 33 44 41 37 3C 39 3B 34 2F 42 41 3A 2B 33 3A 2E 2C 30|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0587; reference:cve,2011-0590; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-admin; sid:18452; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 00 00 00 00 01 00 03 48 0A 01 01 00 00 00 80 01 FF 00 00 00 00 00 01 00 03 40 52 00 02 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3402; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-087; classtype:attempted-user; sid:20735; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_client,established; file_data; content:"VFRPAAsAgAADADBDRkYgDBtVwQAADFQAAKzyR1BPU1UZ4R4AAMFQAAAsHEdT"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-admin; sid:20771; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_server,established; file_data; content:"|4F 54 54 4F 00 0B 00 80 00 03 00 30 43 46 46 20 0C 1B 55 C1 00 00 0C 54 00 00 AC F2 47 50 4F 53 55 19 E1 1E 00 00 C1 50 00 00 2C 1C 47 53 55 42|"; fast_pattern:only; metadata:service smtp; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-admin; sid:20776; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_client,established; file_data; content:"VE8ACwCAAAMAMENGRiAMG1XBAAAMVAAArPJHUE9TVRnhHgAAwVAAACwcR1NV"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-admin; sid:20772; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_server,established; content:"VFRPAAsAgAADADBDRkYgDBtVwQAADFQAAKzyR1BPU1UZ4R4AAMFQAAAsHEdT"; fast_pattern:only; metadata:service smtp; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-admin; sid:20774; rev:7;)
# alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_client,established; file_data; content:"|4F 54 54 4F 00 0B 00 80 00 03 00 30 43 46 46 20 0C 1B 55 C1 00 00 0C 54 00 00 AC F2 47 50 4F 53 55 19 E1 1E 00 00 C1 50 00 00 2C 1C 47 53 55 42|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-admin; sid:20768; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_client,established; file_data; content:"T1RUTwALAIAAAwAwQ0ZGIAwbVcEAAAxUAACs8kdQT1NVGeEeAADBUAAALBxHU1VC"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-admin; sid:20770; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_server,established; content:"T1RUTwALAIAAAwAwQ0ZGIAwbVcEAAAxUAACs8kdQT1NVGeEeAADBUAAALBxHU1VC"; fast_pattern:only; metadata:service smtp; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-admin; sid:20773; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_server,established; file_data; content:"|00 01 00 00 0E B7 AD 87 5F 0F 3C F5 00 03 03 E8 00 00 00 00 C9 D2 5F 76 00 00 00 00 C9 D2 5F 76 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-user; sid:20769; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt"; flow:to_server,established; content:"VE8ACwCAAAMAMENGRiAMG1XBAAAMVAAArPJHUE9TVRnhHgAAwVAAACwcR1NV"; fast_pattern:only; metadata:service smtp; reference:cve,2011-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-041; classtype:attempted-admin; sid:20775; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows OpenType font parsing stack overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|04 FB 61 0C 03 F1 0C 04 8C 8B 8B 8C 8B 8B 0C 07 1C F7 E9 FD|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-032; classtype:attempted-admin; sid:20902; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows OpenType font parsing stack overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|03 00 01 04 09 00 0E 00 36 05 0E 00 03 00 01 04 09 00 11 00 18 05 44 43 6F 70|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-032; classtype:attempted-admin; sid:20904; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Java Applet Rhino script engine remote code execution attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"this.toString = function|28|"; nocase; content:"java.lang.System.setSecurityManager|28|null|29|"; distance:0; nocase; content:"return String.fromCharCode|28|97"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3544; classtype:attempted-user; sid:21057; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows chm file malware related exploit"; flow:to_client,established; flowbits:isset,file.chm; file_data; content:"|78 07 2F 6D 79 2E 68 74 6D 01 84 A0 00 81 5C 0C 2F 73 65 72 76 69 63 65 2E 65 78 65 01 00 84 A0|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1223; reference:url,www.virustotal.com/file/508508b8105d7d9b5289813b385f9be233d76e09a2ad3c647e8dc5078db8eff1/analysis/; classtype:trojan-activity; sid:21489; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Expat xml UTF-8 buffer over-read attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<?xml version|C2 85|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36097; reference:cve,2009-3720; classtype:denial-of-service; sid:24069; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Expat xml UTF-8 buffer over-read attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"<?xml version|C2 85|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,36097; reference:cve,2009-3720; classtype:denial-of-service; sid:24070; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Expat xml UTF-8 bufer over-read attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"<?xml |D8 B6|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,36097; reference:cve,2009-3720; classtype:denial-of-service; sid:24068; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Expat xml UTF-8 buffer over-read attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<?xml |D8 B6|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36097; reference:cve,2009-3720; classtype:denial-of-service; sid:24067; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.mime; file_data; content:"Content-Type"; fast_pattern:only; content:"name"; nocase; content:"="; within:5; isdataat:300,relative; content:!"|3B|"; within:300; content:!"|0A|"; within:302; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1336; classtype:attempted-user; sid:24083; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ACD Systems ACDSee Products XPM values section buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xpm; file_data; content:"static"; content:"char"; within:50; pcre:"/^static\s+(\w+\s+)?char\s*\x2A\s*\w+\s*\x5B\x5D\s*\x3D\s*\x7B.*\x22[^\x22]{200}/smiH"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,26554; reference:cve,2007-6009; classtype:attempted-user; sid:16062; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft SQL Server Backup Database File integer overflow attempt"; flow:to_client,established; flowbits:isset,file.bak; file_data; content:"MQCI"; content:"SFIN"; within:4; distance:18; fast_pattern; byte_test:4,<,8,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0107; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-040; classtype:attempted-admin; sid:13888; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft SQL Server Backup Database File integer overflow attempt"; flow:to_client,established; flowbits:isset,file.bak; file_data; content:"MQCI"; content:"SCIN"; within:4; distance:18; fast_pattern; byte_test:4,<,8,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0107; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-040; classtype:attempted-admin; sid:13889; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft SQL Server Backup Database File integer overflow attempt"; flow:to_client,established; flowbits:isset,file.bak; file_data; content:"MQCI"; content:"SFGI"; within:4; distance:18; fast_pattern; byte_test:4,<,8,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0107; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-040; classtype:attempted-admin; sid:13890; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft HTML help workshop buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.hlp; file_data; content:"["; depth:1; content:"]"; within:12; content:"file"; distance:0; nocase; content:"="; distance:0; pcre:"/\x5B(OPTIONS|WINDOWS|MERGE FILES|MAP|ALIAS|TEXT\x20POPUPS|INFOTYPES|SUBSETS)\x5D.*?(Contents|Index|Compiled|Sample List|Full text search stop list)\x20file\s*\x3D[^\r\n]{200}/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0564; reference:cve,2009-0133; reference:url,users.pandora.be/bratax/advisories/b008.html; reference:url,www.frsirt.com/english/advisories/2006/0446; classtype:attempted-user; sid:5741; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER multiple products malformed CUE file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.cue; file_data; content:"FILE"; depth:4; content:"|22|"; within:5; isdataat:512,relative; content:!"|22|"; within:512; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,24140; reference:bugtraq,33960; reference:cve,2007-2888; classtype:attempted-user; sid:16734; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER MHTML XSS attempt"; flow:to_client,established; flowbits:isset,file.mht; file_data; content:"MIME-Version"; fast_pattern:only; pcre:"/(\x3C\s*script|onload|onclick|onmouseover)/ims"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0096; reference:cve,2014-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-026; classtype:attempted-user; sid:20133; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table platform type 3 integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|00 01 00 00|"; content:"|00 01|"; within:2; distance:2; content:"|00 03 00|"; within:100; content:"|00 04|"; within:2; distance:3; byte_test:2,>,0xffc1,0,relative; byte_test:1,<,2,-5,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0232; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-029; classtype:attempted-user; sid:15695; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Nullsoft Winamp AMF file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.amf; file_data; content:"AMF"; depth:3; byte_test:1,>,12,3; byte_test:1,>,32,40; metadata:service ftp-data, service http, service imap, service pop3; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:20566; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Nullsoft Winamp AMF file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.amf; file_data; content:"AMF"; depth:3; byte_test:1,<,12,3; byte_test:1,>,16,40; metadata:service ftp-data, service http, service imap, service pop3; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:20565; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cytel Studio USE command overflow attempt"; flow:to_client,established; flowbits:isset,file.cyb; file_data; content:"USE"; isdataat:512,relative; content:!")|3B|"; within:512; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49924; reference:url,aluigi.altervista.org/adv/cytel_1-adv.txt; classtype:attempted-user; sid:21021; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cytel Studio row overflow attempt"; flow:to_client,established; flowbits:isset,file.cy3; file_data; content:"90"; depth:2; content:"|0A|"; within:2; pcre:"/90\x0D?\x0A\w{8}/s"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49924; reference:url,aluigi.altervista.org/adv/cytel_1-adv.txt; classtype:attempted-user; sid:21020; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cytel Studio string stack overflow attempt"; flow:to_client,established; flowbits:isset,file.cy3; file_data; content:"90"; depth:2; content:"|0A|"; within:2; isdataat:512,relative; pcre:"/\w{512}/Rs"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49924; reference:url,aluigi.altervista.org/adv/cytel_1-adv.txt; classtype:attempted-user; sid:21019; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER VisiWave VWR file parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.vwr; file_data; content:"Type|3A|"; nocase; isdataat:500,relative; content:!"|0A|"; within:500; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,47948; reference:cve,2011-2386; classtype:attempted-user; sid:21587; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows CUR file parsing overflow attempt"; flow:to_client,established; flowbits:isset,file.cur; file_data; content:"|00 00 02 00|"; depth:4; byte_test:4,>,0xfffffffc,10,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12095; reference:cve,2004-1049; classtype:attempted-user; sid:23499; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt"; flow:to_client,established; flowbits:isset,file.eml; content:"Content|2D|Type:"; nocase; http_header; content:"message|2F|rfc822"; within:30; fast_pattern; nocase; http_header; file_data; pcre:"/(MZ|PK|BZh|BZ|GIF8|BM|IC|PI|CI|CP)/R"; metadata:service http; reference:cve,2005-3370; reference:cve,2005-3371; reference:cve,2005-3372; reference:cve,2005-3373; reference:cve,2005-3374; reference:cve,2005-3375; reference:cve,2005-3376; reference:cve,2005-3377; reference:cve,2005-3378; reference:cve,2005-3379; reference:cve,2005-3380; reference:cve,2005-3381; reference:cve,2005-3382; classtype:attempted-user; sid:17277; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt"; flow:to_client,established; flowbits:isset,file.bat; content:"Content|2D|Type|3A|"; nocase; http_header; content:"application|2F|bat"; within:30; fast_pattern; nocase; http_header; file_data; pcre:"/(MZ|PK|BZh|BZ|GIF8|BM|IC|PI|CI|CP)/R"; metadata:service http; reference:cve,2005-3370; reference:cve,2005-3371; reference:cve,2005-3372; reference:cve,2005-3373; reference:cve,2005-3374; reference:cve,2005-3375; reference:cve,2005-3376; reference:cve,2005-3377; reference:cve,2005-3378; reference:cve,2005-3379; reference:cve,2005-3380; reference:cve,2005-3381; reference:cve,2005-3382; classtype:attempted-user; sid:17278; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Font Library file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.fon; file_data; content:"MZ"; depth:2; nocase; byte_test:4,>,50,120,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2003; reference:url,secunia.com/advisories/46405/; reference:url,www.exploit-db.com/exploits/17978/; reference:url,www.kb.cert.org/vuls/id/619281; classtype:attempted-user; sid:20572; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtx; file_data; content:"<meta"; nocase; isdataat:2000,relative; content:!">"; within:2000; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46129; reference:url,www.exploit-db.com/exploits/16107; classtype:attempted-user; sid:24165; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtx; file_data; content:"<html"; nocase; isdataat:2000,relative; content:!">"; within:2000; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46129; reference:url,www.exploit-db.com/exploits/16107; classtype:attempted-user; sid:24161; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.rtx; file_data; content:"<meta"; nocase; isdataat:2000,relative; content:!">"; within:2000; metadata:service smtp; reference:bugtraq,46129; reference:url,www.exploit-db.com/exploits/16107; classtype:attempted-user; sid:24166; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.rtx; file_data; content:"<html"; nocase; isdataat:2000,relative; content:!">"; within:2000; metadata:service smtp; reference:bugtraq,46129; reference:url,www.exploit-db.com/exploits/16107; classtype:attempted-user; sid:24162; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtx; file_data; content:"<base"; nocase; isdataat:2000,relative; content:!">"; within:2000; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46129; reference:url,www.exploit-db.com/exploits/16107; classtype:attempted-user; sid:24163; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtx; file_data; content:"<a "; nocase; isdataat:2000,relative; content:!">"; within:2000; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46129; reference:url,www.exploit-db.com/exploits/16107; classtype:attempted-user; sid:24159; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.rtx; file_data; content:"<base"; nocase; isdataat:2000,relative; content:!">"; within:2000; metadata:service smtp; reference:bugtraq,46129; reference:url,www.exploit-db.com/exploits/16107; classtype:attempted-user; sid:24164; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.rtx; file_data; content:"<a "; nocase; isdataat:2000,relative; content:!">"; within:2000; metadata:service smtp; reference:bugtraq,46129; reference:url,www.exploit-db.com/exploits/16107; classtype:attempted-user; sid:24160; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER eZip Wizard stack overflow attempt"; flow:established,to_client; file_data; content:"|61 61 7A 04 10 07 02 10 61|"; content:"|58 58 41|"; within:31; distance:28; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,34044; reference:cve,2009-1028; classtype:attempted-user; sid:24176; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER eZip Wizard stack overflow attempt"; flow:established,to_client; file_data; content:"|BB 21 F4 DB C9 CA 1B 10 86 71 E0 4C 27 71 D0 58 D4 92 1E 1E 84 16 C0 AF 5C 9C C3 36 E2 C9 A2 38|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,34044; reference:cve,2009-1028; classtype:attempted-user; sid:24177; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER eZip Wizard stack overflow attempt"; flow:established,to_client; file_data; content:"|74 70 54 70 56 69 6F 68 57 69 6F 68 50 41 2E 74 78 74 50 4B 01 02 14 00 14 00 00 00 00 00 B7 AC|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,34044; reference:cve,2009-1028; classtype:attempted-user; sid:24178; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER eZip Wizard stack overflow attempt"; flow:established,to_server; file_data; content:"|74 70 54 70 56 69 6F 68 57 69 6F 68 50 41 2E 74 78 74 50 4B 01 02 14 00 14 00 00 00 00 00 B7 AC|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,34044; reference:cve,2009-1028; classtype:attempted-user; sid:24181; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER eZip Wizard stack overflow attempt"; flow:established,to_server; file_data; content:"|61 61 7A 04 10 07 02 10 61|"; content:"|58 58 41|"; within:31; distance:28; metadata:service smtp; reference:bugtraq,34044; reference:cve,2009-1028; classtype:attempted-user; sid:24179; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow"; flow:to_client,established; flowbits:isset,file.lzh; file_data; byte_test:1,<,19,0; content:"-lh"; depth:3; offset:2; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48018; reference:cve,2011-1213; classtype:attempted-user; sid:24209; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER eZip Wizard stack overflow attempt"; flow:established,to_server; file_data; content:"|BB 21 F4 DB C9 CA 1B 10 86 71 E0 4C 27 71 D0 58 D4 92 1E 1E 84 16 C0 AF 5C 9C C3 36 E2 C9 A2 38|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,34044; reference:cve,2009-1028; classtype:attempted-user; sid:24180; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER RealNetworks Netzip Classic zip archive long filename buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|50 4B 03 04|"; depth:4; byte_test:2,>,256,22,little,relative; metadata:service smtp; reference:bugtraq,46059; classtype:attempted-user; sid:24230; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER RealNetworks Netzip Classic zip archive long filename buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|50 4B 03 04|"; depth:4; byte_test:2,>,256,22,little,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46059; classtype:attempted-user; sid:24229; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF 00 00|rcsL"; isdataat:484,relative; content:"|00 00 00 80 00 00 F0 00 6B 2B 2B 45 46 AB 41 05 43 01 57 17|"; within:20; distance:484; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:24278; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; fast_pattern:only; content:"XFIR"; nocase; content:"tSAC"; distance:0; nocase; byte_test:2,>,32767,40,relative; content:"shockwave3d"; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-2866; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:24272; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|FF FF 00 00|rcsL"; isdataat:192,relative; content:"|01 02 4C 00 00 00 00 80 00 00 F0 FF F0 02 67 25 A2 01 33 41|"; within:20; distance:192; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:24280; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF 00 00|rcsL"; isdataat:484,relative; content:"|00 00 00 80 00 00 F0 00 6B 2B 2B 45 46 AB 41 05 43 01 57 17|"; within:20; distance:484; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:24277; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; fast_pattern:only; content:"XFIR"; nocase; content:"tSAC"; distance:0; nocase; byte_test:2,>,32767,36,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-2866; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:24273; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF FF FF FF 00 00|rcsL"; isdataat:484,relative; content:"|00 00 00 80 00 00 F0 41 41 41 41 41 41 AB 41 05 43 01 57 17|"; within:20; distance:484; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:24279; rev:5;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Adobe Photoshop request for wintab32.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"w|00|i|00|n|00|t|00|a|00|b|00|3|00|2|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3127; classtype:attempted-user; sid:18489; rev:10;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Adobe Audition assist.dll dll-load exploit attempt"; flow:to_server,established; content:"a|00|s|00|s|00|i|00|s|00|t|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:19617; rev:5;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Multiple products request for dwmapi.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"d|00|w|00|m|00|a|00|p|00|i|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,62836; reference:cve,2010-3127; reference:cve,2010-3131; reference:cve,2010-3152; reference:cve,2010-3191; reference:cve,2010-3976; reference:cve,2013-0733; reference:cve,2013-3485; reference:cve,2016-1090; reference:cve,2017-17069; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; reference:url,www.adobe.com/support/security/bulletins/apsb10-26.html; classtype:attempted-user; sid:19618; rev:13;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Adobe Acrobat Reader d3dref9.dll dll-load exploit attempt"; flow:to_server,established; content:"d|00|3|00|d|00|r|00|e|00|f|00|9|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-0588; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18433; rev:10;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Adobe Acrobat Reader plugin cooltype.dll dll-load exploit attempt"; flow:to_server,established; content:"c|00|o|00|o|00|l|00|t|00|y|00|p|00|e|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-0570; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18437; rev:11;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Adobe Acrobat Reader plugin bibutils.dll dll-load exploit attempt"; flow:to_server,established; content:"b|00|i|00|b|00|u|00|t|00|i|00|l|00|s|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-0570; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18436; rev:11;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Adobe Acrobat Reader plugin agm.dll dll-load exploit attempt"; flow:to_server,established; content:"a|00|g|00|m|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-0570; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18435; rev:11;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Adobe Acrobat Reader plugin sqlite.dll dll-load exploit attempt"; flow:to_server,established; content:"s|00|q|00|l|00|i|00|t|00|e|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-0570; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18426; rev:11;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt"; flow:to_server,established; content:"a|00|c|00|e|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-0570; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18434; rev:11;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Adobe Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt"; flow:to_server,established; content:"c|00|r|00|y|00|p|00|t|00|o|00|c|00|m|00|e|00|2|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2011-0570; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18438; rev:11;)
# alert tcp $HOME_NET 445 -> $HOME_NET any (msg:"FILE-OTHER Adobe Premier Pro ibfs32.dll dll-load exploit attempt"; flow:to_client,established; content:"i|00|b|00|f|00|s|00|3|00|2|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3150; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:18530; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Multiple vendor malformed ZIP archive Antivirus detection bypass attempt"; flow:to_client,established; file_data; content:"|73 74 07 1B 5B 32 4A 1B 5B 32 3B 35 6D 1B 5B 31 3B 33 31 6D 48 41 43 4B 45 52 20 41 54 54 41 43|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,12793; reference:url,ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/unfiltered-escape-sequences.txt; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2005-March/032530.html; classtype:attempted-user; sid:17267; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe CFF font storage memory corruption attempt"; flow:to_client,established; file_data; content:"|00 01 00 12 00 01 00 1C 00 81 00 00 00 1A 00 02 00 01 01 D4 01 D4 00 00 00 02 00 23 00 82 00 83 00 00 00 85 00 86 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2417; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:19684; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table integer overflow attempt"; flow:to_server,established; flowbits:isset,file.eot; file_data; content:"|00 01 00 00|"; content:"|00 01|"; within:2; distance:2; content:"|00 01 00 00|"; within:100; content:"|00 04|"; within:2; distance:2; byte_test:2,>,0xffc1,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0232; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-029; classtype:attempted-user; sid:24535; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt"; flow:to_server,established; file_data; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; content:"|20 20 EC 21 EA 3A 69 10 A2 DD 08 00 2B 30 30 9D|"; distance:0; pcre:"/\x2E\x00?d\x00?l\x00?l\x00?/Ri"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2010-2568; reference:cve,2015-0096; reference:cve,2017-8464; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-046; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-020; classtype:attempted-user; sid:24500; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"cmap"; content:"|00 04|"; distance:0; content:"|00 02|"; within:2; distance:4; content:"|FF FF 00 00 00 00|"; within:6; distance:6; metadata:policy security-ips drop, service smtp; reference:cve,2012-2897; reference:cve,2012-4786; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-078; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-075; classtype:attempted-admin; sid:24650; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft proxy autoconfig script system library import attempt"; flow:to_client,established; file_data; content:"FindProxyForURL|28|"; fast_pattern:only; content:"import "; nocase; pcre:"/import\s+[\w\x2f\x2e]+?\x3b/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,56463; reference:cve,2012-4776; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-074; classtype:policy-violation; sid:24652; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"cmap"; content:"|00 04|"; distance:0; content:"|00 02|"; within:2; distance:4; content:"|FF FF 00 00 00 00|"; within:6; distance:6; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2897; reference:cve,2012-4786; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-078; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-075; classtype:attempted-admin; sid:24649; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Cisco WebEx recording format buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.wrf; content:"|1F|"; content:"|14 00 00 00 02|"; within:5; distance:4; byte_jump:4,25,relative,little; content:"|01|"; within:1; content:"|00 00|"; within:2; distance:7; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1335; classtype:attempted-user; sid:24684; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Cisco WebEx recording format buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.wrf; content:"|1F|"; content:"|14 00 00 00 02|"; within:5; distance:4; byte_jump:4,25,relative,little; content:"|01|"; within:1; content:"|00 00|"; within:2; distance:5; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1335; classtype:attempted-user; sid:24685; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|2C 52 02 4C 00 4C 33 4C 02 4C 01 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-2030; classtype:denial-of-service; sid:24703; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Cisco WebEx recording format buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.wrf; content:"|1F|"; content:"|14 00 00 00 02|"; within:5; distance:4; content:"|01|"; within:1; distance:24; content:"|00 00|"; within:2; distance:5; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1335; classtype:attempted-user; sid:24682; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cisco WebEx recording format buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.wrf; content:"|1F|"; content:"|14 00 00 00 02|"; within:5; distance:4; byte_jump:4,25,relative,little; content:"|01|"; within:1; content:"|00 00|"; within:2; distance:7; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1335; classtype:attempted-user; sid:24681; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Cisco WebEx recording format buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.wrf; content:"|1F|"; content:"|14 00 00 00 02|"; within:5; distance:4; content:"|01|"; within:1; distance:24; content:"|00 00|"; within:2; distance:7; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1335; classtype:attempted-user; sid:24683; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|42 00 57 C6 42 DD 57 C0 43 00 66 BD 42 01 57 BE|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-2031; classtype:denial-of-service; sid:24762; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cain & Abel Remote Desktop Protocol file handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rdp; file_data; pcre:"/^[a-z0-9]{500}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,32543; reference:cve,2008-5405; reference:url,attack.mitre.org/techniques/T1076; classtype:attempted-user; sid:16743; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Cisco WebEx recording format buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.wrf; file_data; content:"|14 00 00 00 00 00 00 00 00 02|"; byte_test:1,=,0xBB,-15,relative; content:"|CC 7C 01 00 00 00 00 00 FD|"; within:9; distance:8; content:"|01|"; within:1; distance:6; byte_test:1,>=,0x2d,10,relative; byte_test:1,>=,0x58,11,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1337; classtype:attempted-user; sid:25000; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Cisco WebEx recording format buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.wrf; file_data; content:"|14 00 00 00 00 00 00 00 00 02|"; byte_test:1,=,0xBB,-15,relative; content:"|CC 7C 01 00 00 00 00 00 FD|"; within:9; distance:8; content:"|01|"; within:1; distance:6; byte_test:1,>=,0x2d,8,relative; byte_test:1,>=,0x58,9,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1337; classtype:attempted-user; sid:24999; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cisco WebEx recording format buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.wrf; file_data; content:"|14 00 00 00 00 00 00 00 00 02|"; byte_test:1,=,0xBB,-15,relative; content:"|CC 7C 01 00 00 00 00 00 FD|"; within:9; distance:8; content:"|01|"; within:1; distance:6; byte_test:1,>=,0x2d,8,relative; byte_test:1,>=,0x58,9,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1337; classtype:attempted-user; sid:24997; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Sophos CAB CFDATA cbData overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.cab; content:"|E7 59 20 00 77 65 6C 63 6F 6D 65 2E 63 00 BD 5A A6 30 FF FF 97 00 23 69 6E 63 6C 75 64 65 20 3C|"; fast_pattern:only; metadata:service smtp; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; classtype:attempted-user; sid:25013; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Sophos CAB CFDATA cbData overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.cab; content:"|E7 59 20 00 77 65 6C 63 6F 6D 65 2E 63 00 BD 5A A6 30 FF FF 97 00 23 69 6E 63 6C 75 64 65 20 3C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; classtype:attempted-user; sid:25012; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Lattice PAC Designer symbol value buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<PacDesignData>"; depth:29; offset:15; content:"<SymbolicSchematicData>"; distance:0; content:"<Symbol>"; distance:0; content:"<Value>"; distance:0; isdataat:96,relative; content:!"</Value>"; within:96; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-2915; classtype:attempted-user; sid:25247; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Lattice PAC Designer symbol value buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"<PacDesignData>"; depth:29; offset:15; content:"<SymbolicSchematicData>"; distance:0; content:"<Symbol>"; distance:0; content:"<Value>"; distance:0; isdataat:96,relative; content:!"</Value>"; within:96; metadata:service smtp; reference:cve,2012-2915; classtype:attempted-user; sid:25248; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER MSXML dynamic pointer casting arbitrary code execution attempt"; flow:to_client,established; file_data; content:"//doesnotexist[position|28 29| != 3]"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-002; classtype:attempted-user; sid:25275; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER overly large XML file MSXML heap overflow attempt"; flow:to_client,established; content:"Content-Length: 900000000"; fast_pattern:only; content:"<?xml version=|22|1.0|22|?>|0A|<catalog>"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-002; classtype:attempted-user; sid:25270; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER CoolPlayer Playlist File Handling Buffer Overflow"; flow:to_client,established; content:"AAAAAAAAAAAAA|EB 06|u|F5 95 7C|AAAA|81 C4|T|F2 FF FF|j"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,30418; reference:cve,2008-3408; classtype:attempted-user; sid:18591; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-OTHER Adobe RoboHelp Server Arbitrary File Upload"; flow:to_server,established; content:"POST"; http_method; content:"/robohelp/server?PUBLISH"; fast_pattern; nocase; http_uri; content:"Content-Disposition"; nocase; content:"filename="; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36245; reference:cve,2009-3068; classtype:attempted-admin; sid:18800; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple QuickTime TeXML style sub-element buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"<text3GTrack"; fast_pattern:only; content:"<style"; nocase; content:"line-height|3A|"; distance:0; nocase; content:!"|7D|"; within:16; pcre:"/line-height\x3a\s*?\d{16}/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56557; reference:cve,2012-3752; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25649; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER ELF file parsing in different antivirus evasion attempt"; flow:to_server,established; file_data; content:"|7F|ELF"; depth:4; content:"|4A 46 49 46|"; within:4; distance:2; metadata:service smtp; reference:cve,2012-1431; reference:url,securityfocus.com/archive/1/522005; classtype:bad-unknown; sid:25633; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"filename="; within:50; nocase; content:".csd"; within:75; fast_pattern; nocase; file_data; content:!"<CsoundSynthesizer"; depth:19; metadata:service smtp; reference:cve,2012-0270; classtype:attempted-user; sid:25608; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csd; file_data; content:"|46 54 95 6E|"; depth:4; offset:132; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-0270; classtype:attempted-user; sid:25607; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft EMF+ GpFont.SetData buffer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 00 00|"; content:" EMF"; within:4; distance:36; byte_jump:4,-40,relative,little; content:"F|00 00 00|,|00 00 00| |00 00 00|"; within:12; distance:-8; content:"F|00 00 00|"; distance:0; content:"|08|@|00 06|"; within:4; distance:12; byte_test:4,>,4261412864,28,relative,little; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34250; reference:cve,2009-1217; classtype:attempted-user; sid:15430; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Apple Mac OS X installer package filename format string vulnerability"; flow:to_server,established; content:".distz"; nocase; http_uri; pcre:"/GET\s+[^\x0D\x0A]*\x25[^\x0D\x0A]*\x2Edistz/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0465; classtype:attempted-admin; sid:16003; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Apple Mac OS X installer package filename format string vulnerability"; flow:to_server,established; content:".pkg"; nocase; http_uri; pcre:"/GET\s+[^\x0D\x0A]*\x25[^\x0D\x0A]*\x2Epkg/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0465; classtype:attempted-admin; sid:16002; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER VMWare OVF Tool format string exploit attempt"; flow:to_server,established; file_data; content:"ovf:name"; nocase; content:"%"; within:50; pcre:"/<Description>[^<]*?\x25(\d+\x24)?(\d+)?[nxcsd]/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56468; reference:cve,2012-3569; reference:url,www.vmware.com/security/advisories/VMSA-2012-0015; classtype:attempted-user; sid:25813; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER VMWare OVF Tool format string exploit attempt"; flow:to_server,established; file_data; content:"ovf:diskId"; nocase; content:"%"; within:75; distance:-75; pcre:"/^(\d+\x24)?(\d+)?[nxcsd]/iR"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56468; reference:cve,2012-3569; reference:url,www.vmware.com/security/advisories/VMSA-2012-0015; classtype:attempted-user; sid:25812; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|00 23 6F 98 00 00 00 00 00 00 00 62 00 00 00 01 00 0F FF FF|"; fast_pattern:only; metadata:service smtp; reference:cve,2010-2873; classtype:attempted-user; sid:26029; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Known malicious jar archive download attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"ImAlpha$MyColorSpace.classPK"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,58238; reference:cve,2013-1493; classtype:attempted-admin; sid:26030; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"rcsL"; isdataat:203,relative; content:"|FF F0 02 67|"; within:4; distance:203; metadata:service smtp; reference:bugtraq,42682; reference:cve,2010-2873; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:26028; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Director file file rcsL overflow attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; fast_pattern:only; content:"rcsL"; nocase; byte_test:1,>,127,76,relative; metadata:service smtp; reference:cve,2010-2867; classtype:attempted-user; sid:26027; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Lattice Semiconductor ispXCF version attribute overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"<ispXCF version=|22|"; isdataat:512,relative; content:!"</ispXCF>"; within:512; metadata:service smtp; reference:bugtraq,53562; classtype:attempted-user; sid:26123; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Lattice Semiconductor ispXCF version attribute overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<ispXCF version=|22|"; isdataat:512,relative; content:!"</ispXCF>"; within:512; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,53562; classtype:attempted-user; sid:26122; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER CyberLink Power2Go name parameter overflow attempt"; flow:to_server,established; flowbits:isset,file.p2g; file_data; content:"<File"; content:"name=|22|"; within:10; isdataat:200,relative; content:!"|22|"; within:200; metadata:service smtp; reference:bugtraq,50997; reference:cve,2011-5171; classtype:attempted-user; sid:26210; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER CyberLink Power2Go name parameter overflow attempt"; flow:to_client,established; flowbits:isset,file.p2g; file_data; content:"<File"; content:"name=|22|"; within:10; isdataat:200,relative; content:!"|22|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50997; reference:cve,2011-5171; classtype:attempted-user; sid:26209; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Watering Hole Campaign applet download"; flow:established,to_server; content:"/AppletLow.jar"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2011-3544; classtype:trojan-activity; sid:26295; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Watering Hole Campaign applet download"; flow:established,to_server; content:"/AppletHigh.jar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; classtype:trojan-activity; sid:26294; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Corel WordPerfect document parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"|FF|WPC"; depth:4; content:"|01 0A 02|"; within:3; distance:4; content:"|DD 0A|"; distance:0; content:"|01|"; within:1; distance:3; content:!"|03 00|"; within:2; distance:2; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-4900; classtype:misc-activity; sid:26340; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"FILE-OTHER SMI file download request"; flow:to_server,established; content:"|FF|SMB|A2|"; content:"s|00|m|00|i|00|"; distance:0; flowbits:set,smb.smi; flowbits:noalert; metadata:service netbios-ssn; reference:bugtraq,49149; classtype:misc-activity; sid:20225; rev:7;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"FILE-OTHER MPlayer SMI file buffer overflow attempt"; flow:to_client,established; flowbits:isset,smb.smi; content:"|3C|SAMI|3E|"; content:"Start|3D|"; distance:0; nocase; isdataat:500,relative; content:!"Start|3D|"; within:500; nocase; metadata:service netbios-ssn; reference:bugtraq,49149; classtype:attempted-user; sid:20226; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER readme.eml autoload attempt"; flow:to_client,established; file_data; content:"window.open|28 22|readme.eml|22|"; nocase; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER local resource redirection attempt"; flow:to_client,established; content:"Location|3A|"; nocase; http_header; pcre:"/^Location\x3a(\s*|\s*\r?\n\s+)*URL\s*\x3a/smiH"; metadata:ruleset community, service http; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2577; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER HCP URI uplddrvinfo access"; flow:to_client,established; file_data; content:"hcp|3A|"; nocase; content:"uplddrvinfo.htm?"; distance:0; nocase; content:"file|3A|"; distance:0; nocase; pcre:"/hcp\x3A[^\r\n]+uplddrvinfo\x2Ehtm\x3F[^\r\n]*file\x3A/smi"; metadata:service http; reference:bugtraq,5478; reference:cve,2002-0974; reference:url,technet.microsoft.com/en-us/security/bulletin/ms02-060; classtype:misc-activity; sid:8413; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Gnu gv buffer overflow attempt"; flow:to_client,established; file_data; content:"%%DocumentMedia|3A|"; nocase; isdataat:257,relative; content:!"|0A|"; within:257; metadata:service http; reference:bugtraq,20978; reference:cve,2006-5864; classtype:attempted-user; sid:9619; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER fCreateShellLink function use - potential attack"; flow:to_client,established; file_data; content:"fCreateShellLink|28|"; fast_pattern:only; metadata:service http; reference:bugtraq,29792; reference:cve,2008-2959; classtype:misc-activity; sid:15893; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER GNU tar PAX extended headers handling overflow attempt"; flow:to_client,established; file_data; content:"GNU.sparse.numblocks=0|0A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,16764; reference:cve,2006-0300; classtype:attempted-dos; sid:16053; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Kaspersky antivirus library heap buffer overflow - with optional fields"; flow:to_client,established; file_data; content:"MSCF"; depth:4; byte_test:2,&,0x0003,26,relative,little; byte_test:2,&,0x0004,26,relative,little; byte_jump:2,32,relative,little; pcre:"/^.{2}([^\x00]*\x00)?[^\x00]{256}/sR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14998; reference:cve,2005-3142; classtype:attempted-user; sid:16296; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER IBM Informix Client SDK NFX file InformixServerList processing stack buffer overflow attempt"; flow:to_client,established; file_data; content:"[Setnet32]"; fast_pattern; nocase; content:"ServerSize="; distance:0; byte_test:4,>,293,0,relative,dec,string; pcre:"/InformixServerList=([^\r\n\x3B]{,293}\x3B)*[^\r\n\x3B]{294}/i"; metadata:service http; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:16346; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER IBM Informix Client SDK NFX file HostList processing stack buffer overflow attempt"; flow:to_client,established; file_data; content:"[Setnet32]"; fast_pattern; nocase; content:"HostSize="; distance:0; byte_test:4,>,296,0,relative,dec,string; pcre:"/HostList=([^\r\n\x3B]{,296}\x3B)*[^\r\n\x3B]{297}/i"; metadata:service http; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:16345; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - java-deployment-toolkit"; flow:to_client,established; content:"application/java-deployment-toolkit"; nocase; http_header; file_data; content:"-J-jar"; pcre:"/http\x3A\s+-J-jar\s+-J[^\s]+\x2Ejar/i"; metadata:service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16550; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Un4seen Developments XMPlay crafted ASX file buffer overflow attempt"; flow:to_client,established; file_data; content:"<ASX VERSION=|22|3|22|>"; nocase; content:"<Entry>"; distance:0; nocase; content:"<ref href=|22|file|3A|//"; distance:0; nocase; pcre:"/^\S{501}/R"; metadata:service http; reference:bugtraq,21206; reference:cve,2006-6063; classtype:attempted-user; sid:16582; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Amaya web editor XML and HTML Parser Buffer overflow attempt"; flow:to_client,established; file_data; content:"<bdo"; nocase; pcre:"/^.*?dir\s*=\s*(\x22[^\x22]{500}|\x27[^\x27]{500}|[^\s\>]{500})/isR"; metadata:service http; reference:bugtraq,33047; reference:cve,2009-0323; classtype:attempted-user; sid:16601; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Astonsoft Deepburner db file path buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|DeepBurner_record"; nocase; content:"|3C|data_cd"; distance:0; nocase; content:"|3C|file"; distance:0; nocase; content:"path|3D|"; nocase; isdataat:272,relative; content:!"imp|3D 22 30 22 20 2F 3E|"; within:272; metadata:service http; reference:bugtraq,21657; reference:cve,2006-6665; classtype:attempted-user; sid:16696; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER gAlan malformed file stack overflow attempt"; flow:to_client,established; file_data; content:"Mjik"; depth:4; pcre:"/^[^\s\x00]{512}/R"; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:16726; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER UltraISO CCD file handling overflow attempt"; flow:to_client,established; file_data; content:"[CloneCD]"; depth:9; content:"INDEX 1="; distance:0; isdataat:256,relative; content:!"|0A|"; within:256; metadata:service http; reference:cve,2009-1260; classtype:attempted-user; sid:16733; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER IDEAL Administration IPJ file handling stack overflow attempt"; flow:to_client,established; file_data; content:"|0D 0A|[Group,Export,Yes]|0D 0A|"; depth:22; content:"Computer="; distance:0; pcre:"/^[^\s\x00]{512}/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-4265; classtype:attempted-user; sid:16727; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER SafeNet SoftRemote multiple policy file local overflow attempt"; flow:to_client,established; file_data; content:"|5B|HKEY_LOCAL_MACHINE|5C|SOFTWARE|5C|IRE|5C|SafeNet|2F|Soft-PK|5C|ACL|5C|GROUPDEFS|5C|_SafeNet_Default_Group|5D|"; content:"|22|GROUPNAME|22 3D 22|"; distance:0; isdataat:256,relative; content:!"|22|"; within:256; metadata:service http; reference:cve,2009-3861; classtype:attempted-user; sid:16732; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER VariCAD multiple products DWB file handling overflow attempt"; flow:to_client,established; file_data; content:"|34 87 01 00 00 00 00 00 25 5C 1F 85|"; depth:12; pcre:"/^[^\x0a\x3d]{512}/R"; metadata:service http; reference:bugtraq,38815; classtype:attempted-user; sid:16736; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER ProShow Gold PSH file handling overflow attempt"; flow:to_client,established; file_data; content:"Photodex|28|R|29| ProShow|28|TM|29| Show File"; depth:33; content:"cell[0].images[0].image="; distance:0; isdataat:512,relative; content:!"|0A|"; within:512; metadata:service http; reference:cve,2009-3214; classtype:attempted-user; sid:16730; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER FeedDemon OPML file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|opml"; nocase; content:"|3C|outline"; distance:0; nocase; pcre:"/[^\x3E]*?text\s*\x3D\s*(\x27[^\x27]{500}|\x22[^\x22]{500}|\S{500})/iR"; metadata:service http; reference:bugtraq,33630; reference:cve,2009-0546; classtype:attempted-user; sid:17104; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER FeedDemon unicode OPML file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C 00|o|00|p|00|m|00|l|00|"; nocase; content:"|3C 00|o|00|u|00|t|00|l|00|i|00|n|00|e|00|"; distance:0; nocase; pcre:"/[^\x3E]*?t\x00e\x00x\x00t\x00(\s\x00)*\x3D\x00(\s\x00)*(\x27\x00(?!(..){0,500}\x27\x00)|\x22\x00(?!(..){0,500}\x22\x00)|(?!(..){0,500}\s\x00))/isOR"; metadata:service http; reference:bugtraq,33630; reference:cve,2009-0546; classtype:attempted-user; sid:17105; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; byte_test:2,<,99,6; byte_extract:2,24,name_len,relative,little; content:">"; within:name_len; distance:16; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0850; classtype:attempted-user; sid:17459; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_client,established; content:"gzip"; http_header; content:"|0D 0A 0D 0A 1F 8B|"; byte_test:1,&,0x08,1,relative; content:"<"; within:20; distance:8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0850; classtype:attempted-user; sid:17460; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Adobe Photoshop wintab32.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|wintab32.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3127; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:18488; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Adobe Premiere Pro ibfs32.dll dll-load exploit attempt"; flow:to_server,established; content:"ibfs32.dll"; nocase; http_uri; metadata:service http; reference:cve,2010-3150; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:18529; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Adobe Audition assist.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|assist.dll"; nocase; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:19619; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Wireshark DECT packet dissector overflow attempt"; flow:to_client,established; file_data; content:"|D4 C3 B2 A1 02 00 04 00|"; depth:8; byte_test:4,>,1499,36,little; content:"|FF FF FF FF FF FF 00 00 00 00 00 00 23 23|"; depth:14; offset:40; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,47392; reference:cve,2011-1591; classtype:attempted-user; sid:20431; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Telnet protocol specifier command injection attempt"; flow:to_client,established; file_data; content:"telnet|3A 2F 2F|"; nocase; pcre:"/(src|href)\s*=\s*(\x22|\x27|)telnet\x3a\x2f\x2f\x2D/i"; metadata:service http; reference:bugtraq,10358; reference:cve,2004-0411; reference:cve,2004-0473; classtype:attempted-user; sid:20698; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER multiple products GeckoActiveX COM object recon attempt"; flow:to_client,established; file_data; content:"GeckoActiveXObject"; fast_pattern; nocase; content:"COM"; pcre:"/var\s*?\w+?\s*\x3D\s*new\s*GeckoActiveXObject[^\x7B]*?catch\s*\x28(?P<exceptionname>\w+?)\x29.*?var\s*?(?P<errormessage>\w+?)\s*\x3D\s*(?P=exceptionname)\x2EtoString\x28\x29.[^\x7B]*?(?P=errormessage)\x2Ematch\x28.*?COM/smi"; metadata:service http; reference:bugtraq,37360; reference:cve,2009-3987; classtype:attempted-recon; sid:21165; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WordPerfect WP3TablesGroup heap overflow attempt"; flow:to_client,established; file_data; content:"|FF|WPC"; depth:4; pcre:"/^.{5}\x2C[\x02\x03\x04]/R"; content:"|E2 01|"; byte_extract:2,0,test,relative; byte_jump:2,-2,relative,post_offset -4; byte_test:2,=,test,0,relative; content:"|01 E2|"; within:2; distance:2; byte_test:1,>,32,79,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0002; classtype:attempted-user; sid:21437; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER IBM Installation Manager iim uri code execution attempt"; flow:established,to_client; file_data; content:"iim|3A 2F 2F|"; nocase; pcre:"/^\x22(%20|\s)-vm/Ri"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36549; reference:cve,2009-3518; classtype:attempted-user; sid:21607; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER zlib Denial of Service"; flow:to_client,established; file_data; content:"x|9C 85 C1 B9 11 80|0|10 04|A|EC A9 9A A0 C4|+|1E 91 7F FE D8 EB|p|DD AD FD 93 B9| KA|D6 82|l|05 D9 0B|r|14 A4|'9|93 5C|I|EE 24|O|92 91 E4|M2}yw[|86|"; metadata:service http; reference:bugtraq,11051; reference:cve,2004-0797; classtype:attempted-user; sid:15981; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER McAfee LHA file handling overflow attempt"; flow:to_client,established; file_data; content:"testfile|F8 1B|U|05 00|P|B4 81 94 01 01|AAAA"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,10243; reference:cve,2005-0643; classtype:attempted-user; sid:15949; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Trend Micro Products Antivirus Library overflow attempt"; flow:to_client,established; file_data; content:"NEKP2E|00 00 00|E|00 00 00 DB|+|D0 1D 00 00| |00 00 00|AAAA"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12643; reference:cve,2005-0533; classtype:attempted-user; sid:15992; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER F-Secure Anti-Virus LHA processing buffer overflow attempt"; flow:to_client,established; file_data; content:"!|C3|-lh0-|18 00 00 00 05 00 00 00 FA BB|m0 |01 08|testfile|F8 1B|U|05 00|P|B4 81 94 01 01|UUUU"; metadata:service http; reference:bugtraq,10243; reference:cve,2004-0234; classtype:attempted-user; sid:15966; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER 2imaegshack/lmageshack IM worm get request attempt"; flow:to_server,established; content:"/s/im.php"; nocase; http_uri; flowbits:set,lmageshack.request; flowbits:noalert; metadata:service http; reference:url,anubis.iseclab.org/?action=result&task_id=1d4d78a7507bb63143d45d2a5898fe3bf&format=html; classtype:misc-activity; sid:16556; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER 2imaegshack/lmageshack IM worm inbound communication attempt"; flow:to_client,established; flowbits:isset,lmageshack.request; file_data; content:"lmageshack"; nocase; metadata:service http; reference:url,anubis.iseclab.org/?action=result&task_id=1d4d78a7507bb63143d45d2a5898fe3bf&format=html; classtype:misc-activity; sid:16557; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER URSoft W32Dasm Import/Export function buffer overflow attempt"; flow:to_client,established; file_data; content:"|D4 30 00 00 00 00 00 00 00 00 00 00 E0 30 00 00 F0 30 00 00 F8 30 00 00 00 31 00 00 00 00 00 00 78 02|"; isdataat:256,relative; content:!"|00|"; within:256; metadata:service http; reference:bugtraq,12352; reference:cve,2005-0308; classtype:attempted-user; sid:16735; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER ProShow Gold PSH file handling overflow attempt"; flow:to_client,established; file_data; content:"ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpgAAAAAAAAAAAAAAA"; fast_pattern:only; metadata:service http; reference:cve,2009-3214; classtype:attempted-user; sid:16731; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Symantec multiple products AeXNSConsoleUtilities RunCMD buffer overflow attempt"; flow:to_client,established; file_data; content:"|2E|RunCMD|28|"; fast_pattern:only; content:"catch|28| e |29 20 7B| window|2E|location|20 3D|"; metadata:service http; reference:bugtraq,37092; reference:cve,2009-3033; classtype:attempted-user; sid:16787; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Orbit Downloader long URL buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|3F1D494B-0CEF-4468-96C9-386E2E4DEC90|27|"; content:"String|28 27|http|3A 2F 2F|"; distance:0; content:!"|27|"; within:255; metadata:policy max-detect-ips drop, service http; reference:cve,2008-1602; reference:cve,2009-0187; classtype:attempted-user; sid:16798; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER probable multi-mesh injection attack"; flow:to_client,established; flowbits:isset,http.multimesh; file_data; content:"document.createElement|28|"; depth:50; metadata:service http; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:attempted-user; sid:19300; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Ultra Shareware Office HttpUpload buffer overflow attempt"; flow:to_client,established; file_data; content:".HttpUpload"; fast_pattern; nocase; isdataat:10,relative; content:!"|29|"; within:10; metadata:service http; reference:bugtraq,30861; reference:cve,2008-3878; classtype:attempted-user; sid:21759; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Cisco WebEx recording integer overflow attempt"; flow:to_server,established; flowbits:isset,file.wrf; file_data; content:"|14 00 00 00 02|"; depth:2000; fast_pattern; content:"|01 00 00 00|"; within:4; distance:15; byte_test:2,>=,0x8000,0,relative,little; metadata:service smtp; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex; classtype:attempted-user; sid:26432; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Shadow Stream Recorder asx file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.asx; file_data; content:"<asx "; depth:5; content:"href=|22|"; distance:0; isdataat:500,relative; content:!"|22|"; within:500; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,34864; reference:cve,2009-1641; reference:cve,2009-1642; reference:cve,2009-1645; classtype:attempted-user; sid:26459; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Shadow Stream Recorder asx file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.asx; file_data; content:"http|3A 2F 2F|"; depth:7; isdataat:500,relative; content:!"|22|"; within:500; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,34864; reference:cve,2009-1641; reference:cve,2009-1642; reference:cve,2009-1645; classtype:attempted-user; sid:26460; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Cisco WebEx recording integer overflow attempt"; flow:to_server,established; flowbits:isset,file.wrf; file_data; content:"|14 00 00 00 02|"; depth:2000; fast_pattern; content:"|01 00 00 00|"; within:4; distance:15; byte_test:2,>=,0x8000,2,relative,little; metadata:service smtp; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex; classtype:attempted-user; sid:26433; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Shadow Stream Recorder asx file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.asx; file_data; content:"http|3A 2F 2F|"; depth:7; isdataat:200; content:!"|22|"; within:200; metadata:service smtp; reference:bugtraq,34864; reference:cve,2009-1641; reference:cve,2009-1642; reference:cve,2009-1645; classtype:attempted-user; sid:26462; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Shadow Stream Recorder asx file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.asx; file_data; content:"<asx "; depth:5; content:"href=|22|"; distance:0; isdataat:200,relative; content:!"|22|"; within:200; metadata:service smtp; reference:bugtraq,34864; reference:cve,2009-1641; reference:cve,2009-1642; reference:cve,2009-1645; classtype:attempted-user; sid:26461; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER CoolPlayer playlist file handling buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"|28 B0 9F 7C|"; depth:20; offset:215; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30418; reference:cve,2008-3408; classtype:attempted-user; sid:26476; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER CoolPlayer playlist file handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"|28 B0 9F 7C|"; depth:20; offset:215; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30418; reference:cve,2008-3408; classtype:attempted-user; sid:26475; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER CoolPlayer playlist file handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"|40 69 83 7C|"; depth:20; offset:215; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30418; reference:cve,2008-3408; classtype:attempted-user; sid:26473; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER CoolPlayer playlist file handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"|32 4C 3C 7E|"; depth:20; offset:215; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30418; reference:cve,2008-3408; classtype:attempted-user; sid:26477; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER CoolPlayer playlist file handling buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"|32 4C 3C 7E|"; depth:20; offset:215; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30418; reference:cve,2008-3408; classtype:attempted-user; sid:26478; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER CoolPlayer playlist file handling buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"|40 69 83 7C|"; depth:20; offset:215; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30418; reference:cve,2008-3408; classtype:attempted-user; sid:26474; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Maple Maplet File Creation and Command Execution attempt"; flow:to_client,established; flowbits:isset,file.maplet|file.maplet.bin; file_data; content:"writebytes("; nocase; content:"system[launch]("; distance:0; nocase; pcre:"/(?P<q1>(\x22|\x27|))[^\n]\x2eexe(?P=q1)/Ri"; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:26520; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Maple Maplet File Creation and Command Execution attempt"; flow:to_server,established; flowbits:isset,file.maplet|file.maplet.bin; file_data; content:"writebytes("; nocase; content:"system[launch]("; distance:0; nocase; pcre:"/(?P<q1>(\x22|\x27|))[^\n]\x2eexe(?P=q1)/Ri"; metadata:service smtp; classtype:attempted-user; sid:26521; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER .tar multiple antivirus evasion attempt"; flow:to_client,established; file_data; content:"|57 69 6E 5A 69 70|"; depth:6; offset:29; content:"ustar"; depth:5; offset:257; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1427; classtype:attempted-user; sid:26598; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 43 FF F1 02 3B 02 D8 00 25 00 00 01 32 35 34 26 23 22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43068; reference:cve,2010-2738; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-063; classtype:attempted-user; sid:26649; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 47 3E 34 CB 58 A7 A2 F5 3F D0 B9 1B CA 20 05 7E 6D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43068; reference:cve,2010-2738; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-063; classtype:attempted-user; sid:26648; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Multiple products ZIP archive virus detection bypass attempt"; flow:to_client,established; file_data; content:"|50 4B 03 04|"; content:"|00 00 00 00|"; within:4; distance:18; content:!"|00 00 00 00|"; within:4; distance:-8; content:!"META-INF"; content:!"class.pk"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,11448; reference:cve,2004-0932; classtype:bad-unknown; sid:26926; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Multiple products ZIP archive virus detection bypass attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|50 4B 01 02|"; content:"|00 00 00 00|"; within:4; distance:20; content:!"|00 00 00 00|"; within:4; distance:-8; content:!"META-INF"; content:!"class.pk"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,11448; reference:cve,2004-0932; classtype:bad-unknown; sid:26989; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER XML exponential entity expansion attack attempt"; flow:to_client,established; file_data; content:"<?xml"; content:"<!DOCTYPE "; fast_pattern:only; content:"<!ENTITY"; pcre:"/<!ENTITY\s*(?P<entity1>[&\x3b\w]+)\s.*?<!ENTITY\s*(?P<entity2>[&\x3b\w]+)\s*[\x22\x27].*?&\s*(?P=entity1)\s*\x3b\s*&\s*(?P=entity1).*?<!ENTITY\s*[&\x3b\w]+\s*[\x22\x27].*?&\s*(?P=entity2)\s*\x3b\s*&\s*(?P=entity2)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1664; reference:cve,2013-1665; reference:cve,2013-1821; classtype:attempted-user; sid:27096; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt"; flow:to_server,established; flowbits:isset,file.hlp; file_data; content:"TTLBTREE|00 5B 21 00 00 7C 56|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,23382; reference:cve,2007-1912; classtype:attempted-user; sid:27168; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt"; flow:to_server,established; file_data; content:"|3F 5F 03 00|"; depth:4; content:"TTLBTREE|00 2E 06 00 00 7C 62|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,23382; reference:cve,2007-1912; classtype:attempted-user; sid:27167; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt"; flow:to_client,established; file_data; content:"|3F 5F 03 00|"; depth:4; content:"TTLBTREE|00 5B 21 00 00 7C 56|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23382; reference:cve,2007-1912; classtype:attempted-user; sid:27166; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table platform type 3 integer overflow attempt"; flow:to_server,established; flowbits:isset,file.eot; file_data; content:"|00 01 00 00|"; content:"|00 01|"; within:2; distance:2; content:"|00 03 00|"; within:100; content:"|00 04|"; within:2; distance:3; byte_test:2,>,0xffc1,0,relative; byte_test:1,<,2,-5,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0232; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-029; classtype:attempted-user; sid:27251; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Trimble SketchUp PICT color entries buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.skp; file_data; content:"|12 00 01|"; offset:524; byte_test:2,>,256,60,relative,big; metadata:service smtp; reference:bugtraq,60248; reference:cve,2013-3664; classtype:attempted-user; sid:27281; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Trimble SketchUp PICT color entries buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pct|file.skp; file_data; content:"|12 00 01|"; content:"|00 00 00 00|"; within:4; distance:50; byte_test:2,>,255,6,relative,big; metadata:service smtp; reference:bugtraq,60248; reference:cve,2013-3664; classtype:attempted-user; sid:27280; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Trimble SketchUp PICT color entries buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pct|file.skp; file_data; content:"|12 00 01|"; offset:524; content:"|00 00 00 00|"; within:4; distance:50; byte_test:2,>,255,6,relative,big; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,60248; reference:cve,2013-3664; classtype:attempted-user; sid:27279; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Trimble SketchUp PICT color entries buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.skp; file_data; content:"|12 00 01|"; offset:524; byte_test:2,>,256,60,relative,big; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,60248; reference:cve,2013-3664; classtype:attempted-user; sid:27278; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_server,established; flowbits:isset,file.rar; file_data; content:"|74|"; byte_test:1,<,4,12,relative; byte_extract:2,23,name_len,relative,little; content:">"; within:name_len; distance:4; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0850; classtype:attempted-user; sid:27591; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_server,established; flowbits:isset,file.rar; file_data; content:"|74|"; byte_test:1,<,4,12,relative; byte_extract:2,23,name_len,relative,little; content:"<"; within:name_len; distance:4; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0850; classtype:attempted-user; sid:27590; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_server,established; content:"gzip"; http_header; content:"|0D 0A 0D 0A 1F 8B|"; byte_test:1,&,0x10,1,relative; byte_jump:2,8,relative,little; content:">"; within:20; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0850; classtype:attempted-user; sid:27589; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_server,established; content:"gzip"; http_header; content:"|0D 0A 0D 0A 1F 8B|"; byte_test:1,&,0x10,1,relative; byte_jump:2,8,relative,little; content:"<"; within:20; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0850; classtype:attempted-user; sid:27588; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_server,established; content:"gzip"; http_header; content:"|0D 0A 0D 0A 1F 8B|"; byte_test:1,&,0x10,1,relative; content:">"; within:20; distance:8; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0850; classtype:attempted-user; sid:27587; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_server,established; content:"gzip"; http_header; content:"|0D 0A 0D 0A 1F 8B|"; byte_test:1,&,0x10,1,relative; content:"<"; within:20; distance:8; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0850; classtype:attempted-user; sid:27586; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; byte_extract:2,24,name_len,relative,little; content:">"; within:name_len; distance:16; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0850; classtype:attempted-user; sid:27585; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; byte_extract:2,24,name_len,relative,little; content:"<"; within:name_len; distance:16; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-0850; classtype:attempted-user; sid:27584; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_client,established; content:"gzip"; http_header; content:"|0D 0A 0D 0A 1F 8B|"; byte_test:1,&,0x10,1,relative; byte_jump:2,8,relative,little; content:"<"; within:20; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0850; classtype:attempted-user; sid:27581; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_client,established; content:"gzip"; http_header; content:"|0D 0A 0D 0A 1F 8B|"; byte_test:1,&,0x10,1,relative; byte_jump:2,8,relative,little; content:">"; within:20; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0850; classtype:attempted-user; sid:27580; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows True Type Font maxComponentPoints overflow attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|00 01 00 00|"; depth:4; content:"maxp"; depth:250; byte_jump:4,4,relative,from_beginning, post_offset 10,big; byte_test:2,>,0x8000,0,relative,big; metadata:policy security-ips drop, service smtp; reference:cve,2012-0159; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-034; classtype:attempted-user; sid:27576; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER PCRE character class heap buffer overflow attempt"; flow:to_client,established; file_data; content:"RegExp"; content:"[[**]][[**]][[**]]"; within:50; fast_pattern; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25002; reference:cve,2007-3944; classtype:attempted-user; sid:28124; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER ATMFD Adobe font driver reserved command denial of service attempt"; flow:to_server,established; flowbits:isset,file.otf; file_data; content:"|F7 1B DF 30 61 61 0D 8B 86 8A 85 8B 85 08 F7 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3128; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-082; classtype:denial-of-service; sid:28203; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ATMFD Adobe font driver reserved command denial of service attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|F7 1B DF 30 61 61 0D 8B 86 8A 85 8B 85 08 F7 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3128; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-082; classtype:denial-of-service; sid:28202; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft .NET XML digital signature denial of service attempt"; flow:to_server,established; file_data; content:"<SignedInfo>"; fast_pattern:only; content:"<Transform"; content:"Algorithm="; within:32; content:!"/>"; within:32; content:"base64"; within:56; content:"<?xml"; nocase; content:"<root>"; distance:0; nocase; base64_decode:bytes 953, offset 0, relative; base64_data; content:"<!DOCTYPE "; content:"<!ENTITY"; distance:0; pcre:"/<!ENTITY\s*(?P<entity1>[&\x3b\w]+)\s.*?<!ENTITY\s*(?P<entity2>[&\x3b\w]+)\s*[\x22\x27].*?&\s*(?P=entity1)\s*\x3b\s*&\s*(?P=entity1).*?<!ENTITY\s*[&\x3b\w]+\s*[\x22\x27].*?&\s*(?P=entity2)\s*\x3b\s*&\s*(?P=entity2)/smi"; metadata:service smtp; reference:cve,2013-3860; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-082; classtype:attempted-user; sid:28162; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft .NET XML digital signature denial of service attempt"; flow:to_client,established; file_data; content:"<SignedInfo>"; fast_pattern:only; content:"<Transform"; content:"Algorithm="; within:32; content:!"/>"; within:32; content:"base64"; within:56; content:"<?xml"; nocase; content:"<root>"; distance:0; nocase; base64_decode:bytes 953, offset 0, relative; base64_data; content:"<!DOCTYPE "; content:"<!ENTITY"; distance:0; pcre:"/<!ENTITY\s*(?P<entity1>[&\x3b\w]+)\s.*?<!ENTITY\s*(?P<entity2>[&\x3b\w]+)\s*[\x22\x27].*?&\s*(?P=entity1)\s*\x3b\s*&\s*(?P=entity1).*?<!ENTITY\s*[&\x3b\w]+\s*[\x22\x27].*?&\s*(?P=entity2)\s*\x3b\s*&\s*(?P=entity2)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3860; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-082; classtype:attempted-user; sid:28161; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER overly large XML file MSXML heap overflow attempt"; flow:to_client,established; content:"var doc = new ActiveXObject('Msxml2.DOMDocument')|3B|"; fast_pattern:only; content:"while (longstr.length < 0x40000000) {"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-002; classtype:attempted-user; sid:28286; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Cisco WebEx recording integer overflow attempt"; flow:to_server,established; flowbits:isset,file.wrf; file_data; content:"|14 00 00 00 00 00 00 00 00 02|"; fast_pattern; content:"|BB|"; within:1; distance:-15; content:"|01|"; within:1; distance:50; byte_test:4,>=,0x15555555,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,52882; reference:cve,2012-1336; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120404-webex; classtype:attempted-user; sid:28263; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office Image filter BMP overflow attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|04|"; within:1; distance:26; byte_test:4,>,16,22,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-3020; classtype:attempted-user; sid:28322; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office Image filter BMP overflow attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; content:"|04|"; within:1; distance:26; byte_test:4,>,16,22,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3020; classtype:attempted-user; sid:28321; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office Image filter BMP overflow attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|01|"; within:1; distance:26; byte_test:4,>,2,22,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-3020; classtype:attempted-user; sid:28320; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office Image filter BMP overflow attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; content:"|01|"; within:1; distance:26; byte_test:4,>,2,22,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3020; classtype:attempted-user; sid:28319; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office Image filter BMP overflow attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; content:"|08|"; within:1; distance:26; byte_test:4,>,256,18,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3020; classtype:attempted-user; sid:28318; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office Image filter BMP overflow attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|08|"; within:1; distance:26; byte_test:4,>,256,18,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-3020; classtype:attempted-user; sid:28317; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office Image filter BMP overflow attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|08|"; within:1; distance:26; byte_test:4,>,256,22,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-3020; classtype:attempted-user; sid:28316; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office Image filter BMP overflow attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|04|"; within:1; distance:26; byte_test:4,>,16,18,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-3020; classtype:attempted-user; sid:28314; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office Image filter BMP overflow attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; content:"|04|"; within:1; distance:26; byte_test:4,>,16,18,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3020; classtype:attempted-user; sid:28313; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office Image filter BMP overflow attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|01|"; within:1; distance:26; byte_test:4,>,2,18,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-3020; classtype:attempted-user; sid:28312; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office Image filter BMP overflow attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; content:"|01|"; within:1; distance:26; byte_test:4,>,2,18,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3020; classtype:attempted-user; sid:28311; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt"; flow:to_client,established; flowbits:isset,file.wri; file_data; content:"|07 F0 65 08 00 00 07 07 A5 8A 88 29 45 68 51 89 93 1C B0 5D C1 F0 4B B8 FF 00 41 08 00 00 09 00 00 00 44 00 00 00|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-089; classtype:attempted-user; sid:28521; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt"; flow:to_server,established; flowbits:isset,file.wri|file.doc; file_data; content:"|28 00 00 00|"; fast_pattern; content:"|01 00 08 00|"; within:4; distance:8; byte_test:4,>,256,16,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2013-3940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-089; classtype:attempted-user; sid:28517; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt"; flow:to_server,established; flowbits:isset,file.doc|file.wri; file_data; content:"|28 00 00 00|"; fast_pattern; content:"|01 00 04 00|"; within:4; distance:8; byte_test:4,>,16,16,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2013-3940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-089; classtype:attempted-user; sid:28516; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt"; flow:to_server,established; flowbits:isset,file.wri|file.doc; file_data; content:"|28 00 00 00|"; fast_pattern; content:"|01 00 01 00|"; within:4; distance:8; byte_test:4,>,2,16,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2013-3940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-089; classtype:attempted-user; sid:28515; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt"; flow:to_client,established; flowbits:isset,file.doc|file.wri; file_data; content:"|28 00 00 00|"; fast_pattern; content:"|01 00 04 00|"; within:4; distance:8; byte_test:4,>,16,16,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-089; classtype:attempted-user; sid:28511; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt"; flow:to_client,established; flowbits:isset,file.wri|file.doc; file_data; content:"|28 00 00 00|"; fast_pattern; content:"|01 00 01 00|"; within:4; distance:8; byte_test:4,>,2,16,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-089; classtype:attempted-user; sid:28510; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt"; flow:to_client,established; flowbits:isset,file.wri|file.doc; file_data; content:"|28 00 00 00|"; fast_pattern; content:"|01 00 08 00|"; within:4; distance:8; byte_test:4,>,256,16,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-089; classtype:attempted-user; sid:28509; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt"; flow:to_server,established; flowbits:isset,file.corel; file_data; content:"|DC 01|"; byte_extract:2,0,rowLength,relative,little; content:"|03 00 00 88 00 00 00 00 00 00 00 00 03 00 00 88|"; within:rowLength; byte_test:2,>,32,0,relative,little; content:"|01 DC|"; within:rowLength; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1324; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-091; classtype:attempted-user; sid:28503; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt"; flow:to_client,established; flowbits:isset,file.corel; file_data; content:"|DC 01|"; byte_extract:2,0,rowLength,relative,little; content:"|03 00 00 88 00 00 00 00 00 00 00 00 03 00 00 88|"; within:rowLength; byte_test:2,>,32,0,relative,little; content:"|01 DC|"; within:rowLength; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1324; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-091; classtype:attempted-user; sid:28502; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WordPerfect file magic with .doc extension"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"|FF|WPC"; depth:4; metadata:service smtp; reference:cve,2013-0082; reference:cve,2013-1324; reference:cve,2013-1325; reference:url,www.magicdb.org/magic.db; classtype:misc-activity; sid:28501; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WordPerfect file magic with .doc extension"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|FF|WPC"; depth:4; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-0082; reference:cve,2013-1324; reference:cve,2013-1325; reference:url,www.magicdb.org/magic.db; classtype:misc-activity; sid:28500; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt"; flow:to_server,established; flowbits:isset,file.corel; file_data; content:"|DC 01|"; byte_extract:2,0,rowLength,relative,little; content:"|03 00 00 88 00 00 00 00 00 00 00 00 03 00 00 88|"; within:rowLength; byte_test:2,>,32,2,relative,little; content:"|01 DC|"; within:rowLength; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1325; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-091; classtype:attempted-user; sid:28499; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt"; flow:to_client,established; flowbits:isset,file.corel; file_data; content:"|DC 01|"; byte_extract:2,0,rowLength,relative,little; content:"|03 00 00 88 00 00 00 00 00 00 00 00 03 00 00 88|"; within:rowLength; byte_test:2,>,32,2,relative,little; content:"|01 DC|"; within:rowLength; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1325; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-091; classtype:attempted-user; sid:28498; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"text3GTrack"; fast_pattern:only; content:"textBox "; nocase; pcre:"/text3Gtrack.*?textBox.*?[xy]\s*\x3D*[\x22\x27\s]*\x2d\d/smi"; metadata:policy security-ips drop, service smtp; reference:bugtraq,60110; reference:cve,2013-1015; reference:url,support.apple.com/kb/HT5770; classtype:attempted-user; sid:28537; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"text3GTrack"; fast_pattern:only; content:"textBox "; nocase; pcre:"/textBox.*?[xy]\s*\x3D[\x22\x27\s]+\d{5}/smi"; metadata:policy security-ips drop, service smtp; reference:bugtraq,60110; reference:cve,2013-1015; reference:url,support.apple.com/kb/HT5770; classtype:attempted-user; sid:28536; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"text3GTrack"; fast_pattern:only; content:"textBox "; nocase; pcre:"/text3Gtrack.*?textBox.*?[xy]\s*\x3D*[\x22\x27\s]*\x2d\d/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60110; reference:cve,2013-1015; reference:url,support.apple.com/kb/HT5770; classtype:attempted-user; sid:28535; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"text3GTrack"; fast_pattern:only; content:"textBox "; nocase; pcre:"/textBox.*?[xy]\s*\x3D[\x22\x27\s]+\d{5}/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60110; reference:cve,2013-1015; reference:url,support.apple.com/kb/HT5770; classtype:attempted-user; sid:28534; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Reader FDF submitForm cross-site scripting attempt"; flow:to_server,established; flowbits:isset,file.fdf; file_data; content:"/JavaScript"; nocase; content:"submitForm"; distance:0; fast_pattern; nocase; content:"|3A|//"; within:15; content:"|23|FDF"; within:100; nocase; pcre:"/\x2fF(?i)\s*?\(\s*?http\x3a\x2f\x2f(?P<domain>[^\x2f]+)\x2f[^\x29]*?\x2epdf[^>]*?submitForm\s*?\(\s*?[\x22\x27]?\s*?http\x3a\x2f\x2f(?!(?P=domain))[^\x29]*?\x2efdf\x23FDF/"; metadata:policy balanced-ips alert, policy security-ips alert, service smtp; reference:bugtraq,62888; reference:cve,2013-5325; reference:url,www.adobe.com/support/security/bulletins/apsb13-25.html; classtype:misc-attack; sid:28576; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Reader FDF submitForm cross-site scripting attempt"; flow:to_client,established; flowbits:isset,file.fdf; file_data; content:"/JavaScript"; nocase; content:"submitForm"; distance:0; fast_pattern; nocase; content:"|3A|//"; within:15; content:"|23|FDF"; within:100; nocase; pcre:"/\x2fF(?i)\s*?\(\s*?http\x3a\x2f\x2f(?P<domain>[^\x2f]+)\x2f[^\x29]*?\x2epdf[^>]*?submitForm\s*?\(\s*?[\x22\x27]?\s*?http\x3a\x2f\x2f(?!(?P=domain))[^\x29]*?\x2efdf\x23FDF/"; metadata:policy balanced-ips alert, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:bugtraq,62888; reference:cve,2013-5325; reference:url,www.adobe.com/support/security/bulletins/apsb13-25.html; classtype:misc-attack; sid:28575; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Corel PaintShop Pro wintab32.dll dll-load exploit attempt"; flow:to_server,established; content:"w|00|i|00|n|00|t|00|a|00|b|00|3|00|2|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,62836; reference:cve,2013-0733; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:28842; rev:3;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt"; flow:to_server,established; content:"u|00|v|00|i|00|p|00|l|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,62836; reference:cve,2013-0733; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:28841; rev:3;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt"; flow:to_server,established; content:"u|00|i|00|p|00|l|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,62836; reference:cve,2013-0733; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:28840; rev:3;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt"; flow:to_server,established; content:"i|00|p|00|l|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,62836; reference:cve,2013-0733; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:28839; rev:3;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Corel PaintShop Pro d2d1.dll dll-load exploit attempt"; flow:to_server,established; content:"d|00|2|00|d|00|1|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,62836; reference:cve,2013-0733; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:28837; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro wintab32.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|wintab32.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,62836; reference:cve,2013-0733; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:28836; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|uvipl.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,62836; reference:cve,2013-0733; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:28835; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|uipl.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,62836; reference:cve,2013-0733; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:28834; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|ipl.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,62836; reference:cve,2013-0733; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:28833; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro d2d1.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|d2d1.dll"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,62836; reference:cve,2013-0733; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:28831; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER 7-Zip ARJ archive handling buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.arj; file_data; content:"|60 EA|"; byte_test:2,>,2600,0,relative,little; metadata:service smtp; reference:bugtraq,14925; reference:bugtraq,21208; reference:cve,2005-3051; classtype:attempted-user; sid:28819; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER 7-Zip ARJ archive handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.arj; file_data; content:"|60 EA|"; byte_test:2,>,2600,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14925; reference:bugtraq,21208; reference:cve,2005-3051; classtype:attempted-user; sid:28818; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Interactive Data eSignal stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.esignal; file_data; content:"|00 00 00|"; depth:3; offset:1; byte_test:1,<,12,0; byte_test:1,>,20,13; metadata:service smtp; reference:cve,2011-3494; classtype:attempted-user; sid:28907; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Interactive Data eSignal stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.esignal; file_data; content:"<StyleTemplate>|0A|aaaaaaaaaaaaaaaa"; fast_pattern:only; metadata:service smtp; reference:cve,2011-3494; classtype:attempted-user; sid:28906; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Interactive Data eSignal stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.esignal; file_data; content:"<StyleTemplate>"; fast_pattern; nocase; isdataat:512,relative; content:!"</StyleTemplate>"; within:512; nocase; metadata:service smtp; reference:cve,2011-3494; classtype:attempted-user; sid:28905; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Interactive Data eSignal stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.esignal; file_data; content:"<Font>|0A|<FaceName>aaaaaaaaaaaaaaaa"; fast_pattern:only; metadata:service smtp; reference:cve,2011-3494; classtype:attempted-user; sid:28904; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Interactive Data eSignal stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.esignal; file_data; content:"<Font>"; fast_pattern; nocase; isdataat:512,relative; content:!"</Font>"; within:512; nocase; metadata:service smtp; reference:cve,2011-3494; classtype:attempted-user; sid:28903; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Interactive Data eSignal stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.esignal; file_data; content:"<Font>"; fast_pattern; nocase; isdataat:512,relative; content:!"</Font>"; within:512; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3494; classtype:attempted-user; sid:28902; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER CHM LZX compression reset interval anti-virus evasion attempt"; flow:to_server,established; flowbits:isset,file.chm; content:"LZXC"; byte_test:4,<,3,0,relative,little; byte_extract:4,4,reset_interval,relative,little; byte_test:4,>,reset_interval,0,relative,little; metadata:service smtp; reference:cve,2012-1458; reference:url,attack.mitre.org/techniques/T1223; classtype:trojan-activity; sid:28979; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER CHM LZX compression reset interval anti-virus evasion attempt"; flow:to_client,established; flowbits:isset,file.chm; content:"LZXC"; byte_test:4,<,3,0,relative,little; byte_extract:4,4,reset_interval,relative,little; byte_test:4,>,reset_interval,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1458; reference:url,attack.mitre.org/techniques/T1223; classtype:trojan-activity; sid:28978; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER GIMP XWD file heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|00 00 00 07 00 00 00 02|"; depth:12; offset:4; byte_extract:4,72,colormap_entries; byte_test:4,>,colormap_entries,76; metadata:service smtp; reference:cve,2013-1978; classtype:attempted-user; sid:29010; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER GIMP XWD file heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 00 00 07 00 00 00 02|"; depth:12; offset:4; byte_extract:4,72,colormap_entries; byte_test:4,>,colormap_entries,76; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1978; classtype:attempted-user; sid:29009; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.rmp; file_data; content:"version="; isdataat:1024,relative; pcre:"/version\x3D[\x22\x27][^\x22\x27]{1024}/"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64398; reference:cve,2013-6877; classtype:attempted-admin; sid:29185; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.rmp; file_data; content:"encoding="; isdataat:1024,relative; pcre:"/encoding\x3D[\x22\x27][^\x22\x27]{1024}/"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64398; reference:cve,2013-6877; classtype:attempted-admin; sid:29184; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rmp; file_data; content:"version="; isdataat:1024,relative; pcre:"/version\x3D[\x22\x27][^\x22\x27]{1024}/"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64398; reference:cve,2013-6877; classtype:attempted-admin; sid:29183; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rmp; file_data; content:"encoding="; isdataat:1024,relative; pcre:"/encoding\x3D[\x22\x27][^\x22\x27]{1024}/"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64398; reference:cve,2013-6877; classtype:attempted-admin; sid:29182; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt"; flow:to_server, established; flowbits:isset,file.rmp; file_data; content:"|3C|ACTION|3E|"; content:"import"; distance:0; content:"|3C 2F|ACTION|3E|"; distance:0; content:"|3C|TRACK|3E|"; content:"|3C|LOCATION|3E|"; content:"|25|fid"; distance:0; content:"|3C 2F|LOCATION|3E|"; distance:0; content:"|3C|TRACKID|3E|"; isdataat:255,relative; content:!"|3C 2F|TRACKID|3E|"; within:255; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64398; reference:cve,2013-6877; classtype:attempted-admin; sid:29212; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt"; flow:to_server, established; flowbits:isset,file.rmp; file_data; content:"|3C|ACTION|3E|"; content:"import"; distance:0; content:"|3C 2F|ACTION|3E|"; distance:0; content:"|3C|TRACK|3E|"; content:"|3C|LOCATION|3E|"; content:"|25|f"; distance:0; content:!"id"; within:2; content:"|3C 2F|LOCATION|3E|"; distance:0; content:"|3C|FILENAME|3E|"; isdataat:255,relative; content:!"|3C 2F|FILENAME|3E|"; within:255; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64398; reference:cve,2013-6877; classtype:attempted-admin; sid:29211; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.rmp; file_data; content:"|3C|ACTION|3E|"; content:"import"; distance:0; content:"|3C 2F|ACTION|3E|"; distance:0; content:"|3C|TRACK|3E|"; content:"|3C|LOCATION|3E|"; isdataat:255,relative; content:!"|3C 2F|LOCATION|3E|"; within:255; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64398; reference:cve,2013-6877; classtype:attempted-admin; sid:29210; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rmp; file_data; content:"|3C|ACTION|3E|"; content:"import"; distance:0; content:"|3C 2F|ACTION|3E|"; distance:0; content:"|3C|TRACK|3E|"; content:"|3C|LOCATION|3E|"; content:"|25|fid"; distance:0; content:"|3C 2F|LOCATION|3E|"; distance:0; content:"|3C|TRACKID|3E|"; isdataat:255,relative; content:!"|3C 2F|TRACKID|3E|"; within:255; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64398; reference:cve,2013-6877; classtype:attempted-admin; sid:29209; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rmp; file_data; content:"|3C|ACTION|3E|"; content:"import"; distance:0; content:"|3C 2F|ACTION|3E|"; distance:0; content:"|3C|TRACK|3E|"; content:"|3C|LOCATION|3E|"; content:"|25|f"; distance:0; content:!"id"; within:2; content:"|3C 2F|LOCATION|3E|"; distance:0; content:"|3C|FILENAME|3E|"; isdataat:255,relative; content:!"|3C 2F|FILENAME|3E|"; within:255; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64398; reference:cve,2013-6877; classtype:attempted-admin; sid:29208; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rmp; file_data; content:"|3C|ACTION|3E|"; content:"import"; distance:0; content:"|3C 2F|ACTION|3E|"; distance:0; content:"|3C|TRACK|3E|"; content:"|3C|LOCATION|3E|"; isdataat:255,relative; content:!"|3C 2F|LOCATION|3E|"; within:255; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64398; reference:cve,2013-6877; classtype:attempted-admin; sid:29207; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Interactive Data eSignal stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.esignal; file_data; content:"|02 4F 10 1C 00 66 57 48 43 30 35 44 6B 53 9D 57|"; fast_pattern:only; metadata:service smtp; reference:cve,2011-3494; classtype:attempted-user; sid:29527; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Interactive Data eSignal stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.esignal; file_data; content:"|02 4F 10 1C 00 66 57 48 43 30 35 44 6B 53 9D 57|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3494; classtype:attempted-user; sid:29526; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Norton Anti-Virus decompression bomb denial of service attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|08 00 FD 86 E9 30 8B 5B|"; fast_pattern:only; content:"PK|01 02|"; content:"PK|05 06|"; within:80; metadata:service smtp; reference:url,archives.neohapsis.com/archives/fulldisclosure/2004-07/0364.html; classtype:attempted-dos; sid:29661; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Norton Anti-Virus decompression bomb denial of service attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|08 00 FD 86 E9 30 8B 5B|"; fast_pattern:only; content:"PK|01 02|"; content:"PK|05 06|"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,archives.neohapsis.com/archives/fulldisclosure/2004-07/0364.html; classtype:attempted-dos; sid:29660; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-OTHER XML exponential entity expansion attack attempt"; flow:to_server,established; content:"<!DOCTYPE "; fast_pattern:only; content:"<!ENTITY"; pcre:"/<!ENTITY\s*(?P<entity1>[&\x3b\w]+)\s.*?<!ENTITY\s*(?P<entity2>[&\x3b\w]+)\s*[\x22\x27].*?&\s*(?P=entity1)\s*\x3b\s*&\s*(?P=entity1).*?<!ENTITY\s*[&\x3b\w]+\s*[\x22\x27].*?&\s*(?P=entity2)\s*\x3b\s*&\s*(?P=entity2)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2076; reference:cve,2013-1664; reference:cve,2013-1665; reference:cve,2013-1821; reference:cve,2015-0677; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa; classtype:attempted-user; sid:29800; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Clam Anti-Virus TNEF file handling denial of service attempt"; flow:to_server,established; flowbits:isset,file.tnef; file_data; content:"|02|"; depth:1; offset:6; byte_test:4,>,0x7FFFFFFF,5,relative; content:"IPM.Microsoft Mail.Note"; fast_pattern:only; metadata:service smtp; reference:bugtraq,15316; reference:cve,2005-3500; classtype:attempted-dos; sid:29889; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Clam Anti-Virus TNEF file handling denial of service attempt"; flow:to_client,established; flowbits:isset,file.tnef; file_data; content:"|02|"; depth:1; offset:6; byte_test:4,>,0x7FFFFFFF,5,relative; content:"IPM.Microsoft Mail.Note"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,15316; reference:cve,2005-3500; classtype:attempted-dos; sid:29888; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"FILE-OTHER ftpchk3.php malicious script upload attempt"; flow:to_server,established; content:"STOR ftpchk3.php"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp; reference:url,www.jexanalytics.com/2012/02/wordpress-sites-all-hacked; classtype:trojan-activity; sid:30101; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 20 (msg:"FILE-OTHER ftpchk3.php malicious script upload attempt"; flow:to_client,established; content:"function detect_cms()"; content:"array('JFactory::', 'Joomla!'),"; fast_pattern:only; content:"array('wp-blog-header.php', 'Wordpress'),"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp; reference:url,www.jexanalytics.com/2012/02/wordpress-sites-all-hacked; classtype:trojan-activity; sid:30100; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER ATMFD Adobe font driver reserved command denial of service attempt"; flow:to_server,established; flowbits:isset,file.otf; file_data; content:"|19 B3 FA 00 A4 1F 8C 8C 0D 0E FC 0B FB 28 15 5E 0A 13 2C 5F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3128; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-082; classtype:denial-of-service; sid:30241; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ATMFD Adobe font driver reserved command denial of service attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|19 B3 FA 00 A4 1F 8C 8C 0D 0E FC 0B FB 28 15 5E 0A 13 2C 5F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3128; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-082; classtype:denial-of-service; sid:30240; rev:1;)
# alert tcp $EXTERNAL_NET [139,445,80] -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Briefcase integer underflow"; flow:to_client,established; content:"DDSH|02 05 01 14|"; fast_pattern; content:"C:|5C 00 00|"; within:500; distance:20; byte_test:4,<,4,4,relative,little; metadata:policy security-ips drop; reference:cve,2012-1527; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-072; classtype:attempted-user; sid:30898; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|50 4B 03 04|"; depth:4; content:"|00 00|"; within:2; distance:24; content:".exe"; within:64; flowbits:set,file.zip.winrar.spoof; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; reference:bugtraq,66383; reference:url,an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html; classtype:attempted-user; sid:30909; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|50 4B 03 04 0A 00 00 00 00 00 96 5E 81 44|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,66383; reference:url,an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html; classtype:attempted-user; sid:30908; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt"; flow:to_server,established; flowbits:isset,file.zip.winrar.spoof; file_data; content:"|50 4B 01 02|"; content:!".exe"; within:64; distance:42; content:"|50 4B 05 06|"; distance:0; content:"|01 00|"; within:2; distance:6; metadata:service smtp; reference:bugtraq,66383; reference:url,an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html; classtype:attempted-user; sid:30907; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|50 4B 03 04|"; depth:4; content:"|00 00|"; within:2; distance:24; content:".exe"; within:64; flowbits:set,file.zip.winrar.spoof; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66383; reference:url,an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html; classtype:attempted-user; sid:30906; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|50 4B 03 04 0A 00 00 00 00 00 96 5E 81 44|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66383; reference:url,an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html; classtype:attempted-user; sid:30905; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt"; flow:to_client,established; flowbits:isset,file.zip.winrar.spoof; file_data; content:"|50 4B 01 02|"; content:!".exe"; within:64; distance:42; content:"|50 4B 05 06|"; distance:0; content:"|01 00|"; within:2; distance:6; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,66383; reference:url,an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html; classtype:attempted-user; sid:30904; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|5F 00 00 00|"; byte_test:4,>,0xFFFF,24,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67632; reference:cve,2014-0529; reference:cve,2017-3052; reference:cve,2018-15987; reference:cve,2018-15998; reference:cve,2018-16021; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:31030; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|26 00 00 00|"; byte_test:4,>,0xFFFF,8,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67632; reference:cve,2014-0529; reference:cve,2017-16395; reference:cve,2017-3052; reference:cve,2018-15987; reference:cve,2018-15998; reference:cve,2018-16021; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:31029; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|5F 00 00 00|"; byte_test:4,>,0xFFFF,24,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67632; reference:cve,2014-0529; reference:cve,2017-16395; reference:cve,2017-3052; reference:cve,2018-15987; reference:cve,2018-15998; reference:cve,2018-16021; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:31028; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|26 00 00 00|"; byte_test:4,>,0xFFFF,8,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67632; reference:cve,2014-0529; reference:cve,2017-3052; reference:cve,2018-15987; reference:cve,2018-15998; reference:cve,2018-16021; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:31027; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER invalid ELF padding field value attempt"; flow:to_server,established; file_data; content:"|7F|ELF"; depth:4; content:!"|00|"; within:1; distance:11; metadata:service smtp; reference:cve,2012-1439; classtype:trojan-activity; sid:30993; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER invalid ELF padding field value attempt"; flow:to_client,established; file_data; content:"|7F|ELF"; depth:4; content:!"|00|"; within:1; distance:11; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1439; classtype:trojan-activity; sid:30992; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Sophos RAR virtual machine filters memory corruption attempt"; flow:to_server,established; file_data; content:"|69 60 00 80 00 01 A6 60 32 B8 A0 33 48 32 B9 34 C9 B7 49 62 81 5E 93 70 09 80 02 B4 D5 00 E4 C5|"; fast_pattern:only; metadata:service smtp; reference:url,www.sophos.com/en-us/support/knowledgebase/118424.aspx; classtype:attempted-user; sid:31088; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Sophos RAR virtual machine filters memory corruption attempt"; flow:to_client,established; file_data; content:"|69 60 00 80 00 01 A6 60 32 B8 A0 33 48 32 B9 34 C9 B7 49 62 81 5E 93 70 09 80 02 B4 D5 00 E4 C5|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.sophos.com/en-us/support/knowledgebase/118424.aspx; classtype:attempted-user; sid:31087; rev:1;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Autodesk AutoCAD insecure acad.fas file load attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"a|00|c|00|a|00|d|00|.|00|f|00|a|00|s|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:bugtraq,65745; reference:cve,2014-0818; classtype:attempted-user; sid:31086; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Autodesk AutoCAD insecure acad.fas file load attempt"; flow:to_server,established; content:"GET"; http_method; content:"|2F|acad.fas"; nocase; http_uri; metadata:service http; reference:bugtraq,65745; reference:cve,2014-0818; classtype:attempted-user; sid:31085; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt"; flow:to_server,established; flowbits:isset,file.asx; file_data; content:"<ASX"; fast_pattern; nocase; content:"VERSION"; within:50; nocase; pcre:"/<ASX[^>]*?VERSION\s*=\s*[0-9\x22\x27][0-9\x2e]{20}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0150; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-013; classtype:attempted-user; sid:31427; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt"; flow:to_server,established; file_data; content:"sysfer.dll"; fast_pattern:only; content:"sysplant"; nocase; content:"222084"; content:"DeviceIoControl"; nocase; content:"IoCompletionReserve"; nocase; metadata:service smtp; reference:bugtraq,68946; reference:cve,2014-3434; classtype:attempted-user; sid:31671; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt"; flow:to_client,established; file_data; content:"sysfer.dll"; fast_pattern:only; content:"sysplant"; nocase; content:"222084"; content:"DeviceIoControl"; nocase; content:"IoCompletionReserve"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,68946; reference:cve,2014-3434; classtype:attempted-user; sid:31670; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Free Download Manager .torrent parsing path overflow attempt"; flow:to_server,established; flowbits:isset,file.torrent; file_data; content:"4:pathl"; nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:31780; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Free Download Manager .torrent parsing name overflow attempt"; flow:to_server,established; flowbits:isset,file.torrent; file_data; content:"4:name"; nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:31779; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt"; flow:to_server,established; flowbits:isset,file.torrent; file_data; content:"7:comment"; nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:31778; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt"; flow:to_server,established; flowbits:isset,file.torrent; file_data; content:"8:announce"; nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:31777; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Mozilla products clipPath element stroke-width buffer overflow attempt"; flow:to_server,established; file_data; content:"clipPath"; content:"stroke-width=|22|"; byte_test:10,>,0xFFFF,0,relative,string; metadata:service smtp; reference:cve,2007-0776; classtype:attempted-user; sid:31822; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Mozilla products clipPath element stroke-width buffer overflow attempt"; flow:to_client,established; file_data; content:"clipPath"; content:"stroke-width=|22|"; byte_test:10,>,0xFFFF,0,relative,string; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0776; classtype:attempted-user; sid:31821; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Wireshark MPEG dissector stack buffer overflow attempt"; flow:to_server,established; file_data; content:"|2A 3C 86 61 7C 02 D9 62 69 09 97 61 F6 8C 98 61 2A 0A 9C 61 98 1E 84 61 1A D1 91 61 01 02 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,66066; reference:cve,2014-2299; classtype:attempted-user; sid:31987; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Wireshark MPEG dissector stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|2A 3C 86 61 7C 02 D9 62 69 09 97 61 F6 8C 98 61 2A 0A 9C 61 98 1E 84 61 1A D1 91 61 01 02 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66066; reference:cve,2014-2299; classtype:attempted-user; sid:31986; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER GNU tar PAX extended headers handling overflow attempt"; flow:to_server,established; file_data; content:"GNU.sparse.numblocks=0|0A|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,16764; reference:cve,2006-0300; classtype:attempted-dos; sid:32089; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER GNU tar PAX extended headers handling overflow attempt"; flow:to_server,established; file_data; content:"GNU.sparse.numblocks="; byte_test:5,>,65535,0,relative,string,dec; metadata:service smtp; reference:bugtraq,16764; reference:cve,2006-0300; classtype:attempted-dos; sid:32088; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER GNU tar PAX extended headers handling overflow attempt"; flow:to_client,established; file_data; content:"GNU.sparse.numblocks="; byte_test:5,>,65535,0,relative,string,dec; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,16764; reference:cve,2006-0300; classtype:attempted-dos; sid:32087; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Flash Player integer overflow out-of-bounds read attempt"; flow:to_server,established; content:"|D6 46 3E 23 96 E5 C8 6F 1C D7 D2 97 45 CE 83 7D 78 1E C3 BA 5E 6D 9B 96 3E 76 E0 77 64 2F A4 7A 25 59 0A A6 B1 6B 20 6A 11 FB 94 B6 97 AF 8A 7D|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,69695; reference:cve,2014-0547; classtype:attempted-user; sid:32100; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Flash Player integer overflow out-of-bounds read attempt"; flow:to_client,established; content:"|D6 46 3E 23 96 E5 C8 6F 1C D7 D2 97 45 CE 83 7D 78 1E C3 BA 5E 6D 9B 96 3E 76 E0 77 64 2F A4 7A 25 59 0A A6 B1 6B 20 6A 11 FB 94 B6 97 AF 8A 7D|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,69695; reference:cve,2014-0547; classtype:attempted-user; sid:32099; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER GNU gzip LZH decompression make_table overflow attempt"; flow:to_server,established; file_data; content:"|1F A0 AB CD FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-4335; reference:url,secunia.com/advisories/21996/; classtype:attempted-user; sid:32136; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Internet Explorer SVG heap corruption attempt"; flow:to_server,established; flowbits:isset,file.svg; file_data; content:"execCommand"; content:"SelectAll"; within:11; content:"execCommand"; distance:0; content:"Copy"; within:6; content:"execCommand"; distance:0; content:"Paste"; within:7; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4138; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32167; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Internet Explorer SVG heap corruption attempt"; flow:to_client,established; flowbits:isset,file.svg; file_data; content:"execCommand"; content:"SelectAll"; within:11; content:"execCommand"; distance:0; content:"Copy"; within:6; content:"execCommand"; distance:0; content:"Paste"; within:7; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4138; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32166; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft System.Uri heap corruption attempt"; flow:to_server,established; content:"|00 26 00 69 00 65 00 3D 00 55 00 54 00 46 00 2D 00 38 00|"; fast_pattern:only; content:"|00 26 00 71 00 3D 00 25 00 46 00 34 00 25 00 38 00 30 00 25 00 38 00 30|"; content:".NETFramework,Version=v4."; pcre:"/\x00&\x00q\x00=(\x00%\x00F\x004\x00%\x008\x000\x00%\x008\x000\x00%\x00[89AB]\x00[0-9A-F]){2}/"; metadata:service smtp; reference:bugtraq,70351; reference:cve,2014-4121; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-057; classtype:attempted-user; sid:32152; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft System.Uri heap corruption attempt"; flow:to_client,established; content:"|00 26 00 69 00 65 00 3D 00 55 00 54 00 46 00 2D 00 38 00|"; fast_pattern:only; content:"|00 26 00 71 00 3D 00 25 00 46 00 34 00 25 00 38 00 30 00 25 00 38 00 30|"; content:".NETFramework,Version=v4."; pcre:"/\x00&\x00q\x00=(\x00%\x00F\x004\x00%\x008\x000\x00%\x008\x000\x00%\x00[89AB]\x00[0-9A-F]){2}/"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,70351; reference:cve,2014-4121; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-057; classtype:attempted-user; sid:32151; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft System.Uri heap corruption attempt"; flow:to_server,established; content:"|00 26 00 69 00 65 00 3D 00 55 00 54 00 46 00 2D 00 38 00|"; fast_pattern:only; content:"|00 26 00 71 00 3D 00|"; content:".NETFramework,Version=v4."; pcre:"/\x00&\x00q\x00\=(\x00%\x00E\x00D\x00%\x00A\x00[0-9A-D]\x00%\x00[89AB]\x00[0-9A-F]){2}/i"; metadata:service smtp; reference:bugtraq,70351; reference:cve,2014-4121; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-057; classtype:attempted-user; sid:32150; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft System.Uri heap corruption attempt"; flow:to_client,established; content:"|00 26 00 69 00 65 00 3D 00 55 00 54 00 46 00 2D 00 38 00|"; fast_pattern:only; content:"|00 26 00 71 00 3D 00|"; content:".NETFramework,Version=v4."; pcre:"/\x00&\x00q\x00\=(\x00%\x00E\x00D\x00%\x00A\x00[0-9A-D]\x00%\x00[89AB]\x00[0-9A-F]){2}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,70351; reference:cve,2014-4121; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-057; classtype:attempted-user; sid:32149; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office ole object external file loading attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"ppt/embeddings/"; content:"ppt/embeddings/"; distance:0; content:"|75 FD 41 63 B2 CF 01 E3 02 89 60 63 B2 CF 01 E3|"; within:50; content:"ppt/embeddings/"; distance:0; content:"|75 FD 41 63 B2 CF 01 E3 02 89 60 63 B2 CF 01 E3|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:32187; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office ole object external file loading attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"ppt/embeddings/"; content:"ppt/embeddings/"; distance:0; content:"|75 FD 41 63 B2 CF 01 E3 02 89 60 63 B2 CF 01 E3|"; within:50; content:"ppt/embeddings/"; distance:0; content:"|75 FD 41 63 B2 CF 01 E3 02 89 60 63 B2 CF 01 E3|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:32186; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER GE Cimplicity CimView load remote file attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|53 00 63 00 72 00 65 00 65 00 6E 00 4F 00 70 00 65 00 6E 00 44 00 69 00 73 00 70 00 61 00 74 00 63 00 68 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/71264a32c22e2778a1942bb8c7b0ee08a73ffdfab6b7cc890bc4598c1ee9bdf5/analysis/; classtype:attempted-admin; sid:32258; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER GE Cimplicity CimView load remote file attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|22 00 25 00 43 00 49 00 4D 00 50 00 41 00 54 00 48 00 25 00 5C 00 43 00 69 00 6D 00 43 00 4D 00 53 00 61 00 66 00 65 00 67 00 73 00 2E 00 65 00 78 00 65 00 22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/71264a32c22e2778a1942bb8c7b0ee08a73ffdfab6b7cc890bc4598c1ee9bdf5/analysis/; classtype:attempted-admin; sid:32257; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER GE Cimplicity bcl file loading external file attempt"; flow:to_client,established; flowbits:isset,file.bcl; file_data; content:"|22|cmd /C start "; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/c97edaa725602f9f349d0dac8b50f45cdec687eb15606f82d1fcdce193cfe02f/analysis/; classtype:attempted-admin; sid:32256; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER GE Cimplicity CimView load remote file attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|53 00 63 00 72 00 65 00 65 00 6E 00 4F 00 70 00 65 00 6E 00 44 00 69 00 73 00 70 00 61 00 74 00 63 00 68 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/71264a32c22e2778a1942bb8c7b0ee08a73ffdfab6b7cc890bc4598c1ee9bdf5/analysis/; classtype:attempted-admin; sid:32255; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER GE Cimplicity CimView load remote file attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|22 00 25 00 43 00 49 00 4D 00 50 00 41 00 54 00 48 00 25 00 5C 00 43 00 69 00 6D 00 43 00 4D 00 53 00 61 00 66 00 65 00 67 00 73 00 2E 00 65 00 78 00 65 00 22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/71264a32c22e2778a1942bb8c7b0ee08a73ffdfab6b7cc890bc4598c1ee9bdf5/analysis/; classtype:attempted-admin; sid:32254; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office ole object external file loading attempt"; flow:to_server,established; file_data; content:"ppt/embeddings/"; content:"PK|01 02|"; distance:0; content:"ppt/embeddings/"; distance:0; content:".bin"; within:40; content:"PK|01 02|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:32316; rev:2;)
alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office ole object external file loading attempt"; flow:to_client,established; content:"PK|03 04|"; content:"ppt/slides/_rels/"; distance:0; content:"|DF 05 BF 43 B8 77 93 B6 13 11 59 BA 97 21 0C 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:32315; rev:2;)
alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office ole object external file loading attempt"; flow:to_client,established; content:"PK|03 04|"; content:"_rels/.rels"; distance:0; content:"|6F 64 FA C9 80 66 C2 14 5B A3 20 6D CD 15 88 F6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:32314; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office ole object external file loading attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|09 00 03 9A D1 3E 54 BF C8 3E 54 55 78 04 00 ED 03 64 00 BB 70 5E F0 C1 C2 8D 52 0F 19 D0 80 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:32313; rev:3;)
# alert tcp $EXTERNAL_NET [139,445,80] -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Briefcase integer overflow"; flow:to_client,established; content:"DDSH|02 05 01 14|"; fast_pattern; content:"C:|5C 00 00|"; within:500; distance:20; byte_test:4,>,0x2000000,4,relative,little; metadata:policy security-ips drop; reference:cve,2012-1528; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-072; classtype:attempted-user; sid:32361; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Internet Explorer registry symbolic link attack attempt"; flow:to_server,established; file_data; content:"n|00|e|00|t|00| |00|E|00|x|00|p|00|l|00|o|00|r|00|e|00|r|00 5C 00|L|00|o|00|w|00| |00|R|00|i|00|g|00|h|00|t|00|s|00 00 00|Open Class"; fast_pattern:only; metadata:service smtp; reference:cve,2014-6322; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-071; classtype:attempted-user; sid:32519; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Internet Explorer registry symbolic link attack attempt"; flow:to_client,established; file_data; content:"n|00|e|00|t|00| |00|E|00|x|00|p|00|l|00|o|00|r|00|e|00|r|00 5C 00|L|00|o|00|w|00| |00|R|00|i|00|g|00|h|00|t|00|s|00 00 00|Open Class"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6322; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-071; classtype:attempted-user; sid:32518; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt"; flow:to_server, established; file_data; content:"|01 74 61 6D 6C 00 08 00 04 00 00 00 00 FF FF 82 66 00 00 00 01 00 02 00 04 00 03 00 05 00 06 61|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:32509; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt"; flow:to_client, established; file_data; flowbits:isset,file.ttf; content:"|01 74 61 6D 6C 00 08 00 04 00 00 00 00 FF FF 82 66 00 00 00 01 00 02 00 04 00 03 00 05 00 06 61|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:32508; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft XML invalid priority in xsl template"; flow:to_server,established; file_data; content:"xsl|3A|template"; content:"priority"; within:100; pcre:"/xsl\x3Atemplate[^\x3E]*priority\s*\x3D[\s\x22\x27]*[\d\x2D]*[^\s\x22\x27\d\x2d]/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4118; reference:url,attack.mitre.org/techniques/T1220; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-067; classtype:attempted-user; sid:32502; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft XML invalid priority in xsl template"; flow:to_client,established; file_data; content:"xsl|3A|template"; content:"priority"; within:100; pcre:"/xsl\x3Atemplate[^\x3E]*priority\s*\x3D[\s\x22\x27]*[\d\x2D]*[^\s\x22\x27\d\x2d]/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4118; reference:url,attack.mitre.org/techniques/T1220; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-067; classtype:attempted-user; sid:32501; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Internet Explorer EPM sandbox escape attempt"; flow:to_server,established; file_data; content:"|F8 70 F6 53 00 00 00 00 0C 00 00 00 14 00 00 00 E0 8A 01 00 E0 7C 01 00 00 20 00 80 01 00 00 00 22 05 93 19 04 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-6350; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:32500; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Internet Explorer EPM sandbox escape attempt"; flow:to_client,established; file_data; content:"|F8 70 F6 53 00 00 00 00 0C 00 00 00 14 00 00 00 E0 8A 01 00 E0 7C 01 00 00 20 00 80 01 00 00 00 22 05 93 19 04 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6350; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:32499; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Java awt_setPixels out-of-bounds read attempt"; flow:to_client, established; file_data; content:"|CA FE BA BE|"; fast_pattern; content:"|19 05 19 08 B6 00 10|"; within:7; distance:1103; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA; classtype:attempted-user; sid:32562; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER MostGear EasyLanFolderShare serial key overflow attempt"; flow:to_server,established; flowbits:isset,file.reg; file_data; content:"|5B|HKEY_LOCAL_MACHINE|5C|SOFTWARE|5C|MostGear|5C|EasyLanFolderShare_V1|5C|License|5D|"; fast_pattern:only; content:"|22|Serial|22|=|22|"; isdataat:550,relative; content:!"|22|"; within:550; metadata:service smtp; reference:cve,2013-6079; classtype:attempted-user; sid:32620; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER MostGear EasyLanFolderShare serial key overflow attempt"; flow:to_client,established; flowbits:isset,file.reg; file_data; content:"|5B|HKEY_LOCAL_MACHINE|5C|SOFTWARE|5C|MostGear|5C|EasyLanFolderShare_V1|5C|License|5D|"; fast_pattern:only; content:"|22|Serial|22|=|22|"; isdataat:550,relative; content:!"|22|"; within:550; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-6079; classtype:attempted-user; sid:32619; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER fCreateShellLink function use - potential attack"; flow:to_server, established; file_data; content:"fCreateShellLink|28|"; fast_pattern:only; metadata:impact_flag red, service smtp; reference:cve,2008-2959; classtype:misc-activity; sid:32636; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt"; flow:to_client,established; file_data; content:"--- !"; fast_pattern:only; content:"%"; content:"%"; within:2; distance:2; content:"%"; within:2; distance:2; content:"%"; within:2; distance:2; pcre:"/(%[A-Z0-9]{2,3}){16}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-2525; classtype:attempted-user; sid:32671; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows XP .theme file remote code execution attempt"; flow:to_server,established; file_data; content:"[Theme]"; fast_pattern:only; content:"SCRNSAVE.EXE="; content:!"C|3A 5C|"; within:3; content:!"%"; within:1; content:!"|0D|"; within:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0010; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-071; classtype:attempted-admin; sid:32730; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-OTHER Adobe Reader MoveFileEx arbitrary file write attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|43 94 24 98 00 00 00 83 BC 24 94 00 00 00 08 52 0F 43 8C 24 84 00 00 00 51 68 70 15 00 10 FF D0|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-9150; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:misc-attack; sid:32884; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Reader MoveFileEx arbitrary file write attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|43 94 24 98 00 00 00 83 BC 24 94 00 00 00 08 52 0F 43 8C 24 84 00 00 00 51 68 70 15 00 10 FF D0|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-9150; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:misc-attack; sid:32883; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft SYmbolic LinK stack overflow attempt"; flow:to_server,established; file_data; content:"ID|3B|"; depth:3; content:"|0D 0A|P|3B|"; content:!"|0D 0A|"; within:200; metadata:service smtp; reference:bugtraq,48161; reference:cve,2011-1276; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:32943; rev:2;)
# alert tcp $EXTERNAL_NET $ORACLE_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Database Server XML stack buffer overflow attempt"; flow:to_server, established; content:"|00 00|"; depth:2; offset:2; content:"|00 00|"; within:2; distance:2; content:"xmltype"; content:"<"; within:5; isdataat:256,relative; content:!">"; within:256; metadata:policy security-ips drop; reference:cve,2013-3751; reference:url,www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html; classtype:attempted-user; sid:32904; rev:2;)
# alert tcp $EXTERNAL_NET $ORACLE_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Database Server XML stack buffer overflow attempt"; flow:to_server, established; content:"select xml"; fast_pattern:only; content:"|00 00|"; depth:2; offset:2; content:"|00 00|"; within:2; distance:2; pcre:"/xml(element|forest|concat|agg|pi|comment|root|serialize|parse|type)\s*\x28\s*\w+\s*\x27<[^>]{256}/smi"; metadata:policy security-ips drop; reference:cve,2013-3751; reference:url,www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html; classtype:attempted-user; sid:32903; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Advantech ADAMView GeniDAQ display designer stack buffer overflow attempt"; flow:to_server,established; file_data; content:"AGNI"; depth:4; content:"ETSKPWPL"; byte_test:2,>,0x38,55,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,71191; reference:cve,2014-8386; classtype:attempted-admin; sid:32902; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Advantech ADAMView GeniDAQ display designer stack buffer overflow attempt"; flow:to_client,established; file_data; content:"AGNI"; depth:4; content:"ETSKPWPL"; byte_test:2,>,0x38,55,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,71191; reference:cve,2014-8386; classtype:attempted-admin; sid:32901; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BulletProof FTP Client BPS file buffer overflow attempt"; flow:established,to_server; file_data; content:"This is a BulletProof FTP Client Session-File"; depth:45; content:"|98 6A C8 74|"; depth:4; offset:177; content:"w00t"; within:4; distance:18; metadata:policy security-ips drop, service smtp; reference:cve,2008-5753; reference:url,www.rapid7.com/db/modules/exploit/windows/fileformat/bpftp_client_bps_bof; classtype:attempted-user; sid:33063; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER BulletProof FTP Client BPS file buffer overflow attempt"; flow:established,to_client; file_data; content:"This is a BulletProof FTP Client Session-File"; depth:45; content:"|98 6A C8 74|"; depth:4; offset:177; content:"w00t"; within:4; distance:18; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-5753; reference:url,www.rapid7.com/db/modules/exploit/windows/fileformat/bpftp_client_bps_bof; classtype:attempted-user; sid:33062; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER libxml2 entity reference name heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|3C|!ENTITY "; content:"|22 26|"; within:150; content:!"|22|"; within:700; pcre:"/\x3C\x21ENTITY\s+.*\s+\x22\x26[^\x22]{700}/sm"; metadata:service smtp; reference:cve,2011-3919; classtype:attempted-user; sid:33310; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER libxml2 entity reference name heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|!ENTITY "; content:"|22 26|"; within:150; content:!"|22|"; within:700; pcre:"/\x3C\x21ENTITY\s+.*\s+\x22\x26[^\x22]{700}/sm"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3919; classtype:attempted-user; sid:33309; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Visio packed object parsing memory corruption attempt"; flow:to_server,established; file_data; content:"fff|00|MMM|00|333|00 1A 1A 1A 00 99 CC FF 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 04 00 18 00 FF FF 00 D2 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2007-0936; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-030; classtype:attempted-user; sid:33308; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Visio packed object parsing memory corruption attempt"; flow:to_client,established; file_data; content:"fff|00|MMM|00|333|00 1A 1A 1A 00 99 CC FF 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 04 00 18 00 FF FF 00 D2 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0936; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-030; classtype:attempted-user; sid:33307; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows True Type Font integer overflow attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|03 03 1B 2D 39 00 00 02 01 D5 03 38 03 FD 05 4D 00 21 00 3E 00 09 40 02 37 07 00 2F 2F 30 31 01|"; metadata:service smtp; reference:cve,2015-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-010; classtype:attempted-user; sid:33437; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows True Type Font integer overflow attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|03 03 1B 2D 39 00 00 02 01 D5 03 38 03 FD 05 4D 00 21 00 3E 00 09 40 02 37 07 00 2F 2F 30 31 01|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-010; classtype:attempted-user; sid:33436; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Reader CoolType.DLL out-of-bounds memory access attempt"; flow:to_server,established; file_data; file_data; content:"|6A FB 8F 05 F0 06 DA F7 8F 05 0E 60 F9 6A 77 01 99 F7 25 03 F7 AD 4D 15 3A F5 62 F7 30 F7 18 1A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-9161; reference:url,www.cvedetails.com/cve/CVE-2014-9161; classtype:attempted-user; sid:33455; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Reader CoolType.DLL out-of-bounds memory access attempt"; flow:to_client,established; file_data; file_data; content:"|6A FB 8F 05 F0 06 DA F7 8F 05 0E 60 F9 6A 77 01 99 F7 25 03 F7 AD 4D 15 3A F5 62 F7 30 F7 18 1A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-9161; reference:url,www.cvedetails.com/cve/CVE-2014-9161; classtype:attempted-user; sid:33454; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple OSX Safari format string validation corruption attempt"; flow:to_server,established; file_data; content:"<script"; content:"window.console.log("; distance:0; fast_pattern; content:"|25|n|25|n|25|n"; within:20; pcre:"/window\.console\.log\([^)]*(\x22|\x27)[^\x22\x27]*\x25n\x25n\x25n/smi"; metadata:service smtp; reference:cve,2007-0644; classtype:attempted-user; sid:33526; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple OSX Safari format string validation corruption attempt"; flow:to_client,established; file_data; content:"<script"; content:"window.console.log("; distance:0; fast_pattern; content:"|25|n|25|n|25|n"; within:20; pcre:"/window\.console\.log\([^)]*(\x22|\x27)[^\x22\x27]*\x25n\x25n\x25n/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0644; classtype:attempted-user; sid:33525; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Java WebStart JNLP stack buffer overflow attempt"; flow:to_client,established; file_data; content:"<jnlp spec="; fast_pattern:only; content:"codebase=|22|"; isdataat:1150; content:!"|22|"; within:1150; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-3655; classtype:attempted-user; sid:33588; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Reader ETB baseurl memory corruption attempt"; flow:established,to_server; file_data; content:"<x-ebx-version>"; fast_pattern:only; content:"<etd-entry>"; content:"<baseurl>"; distance:0; content:"</baseurl>"; distance:0; pcre:"/<baseurl>.*?\x25[cdefginopsux].*?<\x2fbaseurl>/i"; metadata:service smtp; reference:cve,2004-1153; classtype:attempted-user; sid:33572; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Reader ETB baseurl memory corruption attempt"; flow:established,to_client; file_data; content:"<x-ebx-version>"; fast_pattern:only; content:"<etd-entry>"; content:"<baseurl>"; distance:0; content:"</baseurl>"; distance:0; pcre:"/<baseurl>.*?\x25[cdefginopsux].*?<\x2fbaseurl>/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2004-1153; classtype:attempted-user; sid:33571; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption attempt"; flow:to_server,established; flowbits:isset,file.cov; file_data; content:"I|00|s|00 20 00|t|00|h|00|i|00|s|00 20 00|w|00|o|00|r|00|t|00|h|00|w|00|h|00|i|00|l|00|e|00|?|00 0A 00 00 00 00 00 FF FE FF|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,45942; reference:cve,2010-4701; classtype:attempted-user; sid:33604; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption attempt"; flow:to_client,established; flowbits:isset,file.cov; file_data; content:"I|00|s|00 20 00|t|00|h|00|i|00|s|00 20 00|w|00|o|00|r|00|t|00|h|00|w|00|h|00|i|00|l|00|e|00|?|00 0A 00 00 00 00 00 FF FE FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,45942; reference:cve,2010-4701; classtype:web-application-attack; sid:33603; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt"; flow:established,to_server; file_data; content:"233C1507-6A77-46A4-9443-F871F945D258"; fast_pattern:only; content:"String|28|"; content:"|2E|PlayerVersion"; pcre:"/String\x28\s*\d{5,}\s*\x2C/i"; metadata:service smtp; reference:bugtraq,36434; reference:bugtraq,36905; reference:cve,2009-3244; reference:url,www.adobe.com/support/security/bulletins/apsb09-16.html; classtype:attempted-user; sid:33593; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt"; flow:established,to_client; file_data; content:"233C1507-6A77-46A4-9443-F871F945D258"; fast_pattern:only; content:"String|28|"; content:"|2E|PlayerVersion"; pcre:"/String\x28\s*\d{5,}\s*\x2c/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36434; reference:bugtraq,36905; reference:cve,2009-3244; reference:url,www.adobe.com/support/security/bulletins/apsb09-16.html; classtype:attempted-user; sid:33592; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt"; flow:to_client,established; file_data; content:"<viewer subview=|22|"; isdataat:7,relative; content:!"|22|"; within:7; byte_test:9,>,100000000,0,relative,string; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-6114; classtype:attempted-user; sid:33644; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt"; flow:to_server,established; file_data; content:"<viewer subview=|22|"; isdataat:7,relative; content:!"|22|"; within:7; byte_test:9,>,100000000,0,relative,string; metadata:service smtp; reference:cve,2013-6114; classtype:attempted-user; sid:33643; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Media MIDI file memory corruption attempt"; flow:to_server,established; flowbits:isset,file.mid; file_data; content:"MTrk"; content:"|00 FF 03|"; within:3; distance:4; content:"|00 FF 02|"; within:200; content:"|00 FF 01|"; within:200; content:"|00 FF 58 04|"; within:200; fast_pattern; content:"|00 FF 59 02|"; within:8; content:"|00 FF 51 03|"; within:6; content:"|00 FF 2F 00|"; within:7; content:"MTrk"; within:4; pcre:"/MTrk.{4}\x00\xff\x03.{2}\w+\x00\xFF\x02.{2}\w+\x00\xff\x01.{2}\w+\x00\xff\x58\x04.{4}\x00\xff\x59\x02.{2}\x00\xff\x51\x03.{3}\x00\xff\x2f\x00MTrk/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:33684; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Executable disguised as PIF file"; flow:to_client,established; flowbits:isset,file.pif; content:"MZ"; depth:2; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/b534938079ff900c245c319cda47d924bd154fd5fab57166a061a0510470a496/analysis/; classtype:attempted-user; sid:33669; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows jxr information disclosure attempt"; flow:to_server,established; file_data; content:"|49 49 BC 01|"; depth:4; content:"|09 09 A0 00 04 6F FF 00 01 00 00 01 00 87 C0 00 20 43 40 C8 20 61 C4 5A 2C DF DF DF DF DF DF DF|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-029; classtype:attempted-user; sid:33772; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows jxr information disclosure attempt"; flow:to_client,established; file_data; content:"|49 49 BC 01|"; depth:4; content:"|09 09 A0 00 04 6F FF 00 01 00 00 01 00 87 C0 00 20 43 40 C8 20 61 C4 5A 2C DF DF DF DF DF DF DF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-029; classtype:attempted-user; sid:33771; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft OpenType font atlmfd.dll uninitialized memory read attempt"; flow:to_server,established; file_data; content:"|06 BC 07 0A 06 BC 06 A8 06 A8 01 5E 06 9C 05 3B 01 4A 03 9E 05 BC 04 E1 05 1D 05 5A 04 34 05 36 05 23 04 42 04 88 04 C5 03 8F 05 DB 06 23 06 64|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0089; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-021; classtype:attempted-admin; sid:33733; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft OpenType font atlmfd.dll uninitialized memory read attempt"; flow:to_client,established; file_data; content:"|06 BC 07 0A 06 BC 06 A8 06 A8 01 5E 06 9C 05 3B 01 4A 03 9E 05 BC 04 E1 05 1D 05 5A 04 34 05 36 05 23 04 42 04 88 04 C5 03 8F 05 DB 06 23 06 64|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0089; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-021; classtype:attempted-admin; sid:33732; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Type 1 font blend operator negative operand code execution attempt"; flow:to_server,established; flowbits:isset,file.psfont; file_data; content:"|7C 93 40 4C DF 37 1D BC F1 DB DB 33 B8 83 32 71|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-021; classtype:attempted-user; sid:33725; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Type 1 font blend operator negative operand code execution attempt"; flow:to_client,established; flowbits:isset,file.psfont; file_data; content:"|7C 93 40 4C DF 37 1D BC F1 DB DB 33 B8 83 32 71|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-021; classtype:attempted-user; sid:33724; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Type 1 font memory out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|5F E1 3D 20 49 DD DB 15 D7 26 E2 25 F5 C9 28 B2 CC FB 98 5F 8A 9C C3 B6 5C E4 A5 B4 27 7A 80 01 15 02 00 00 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-021; classtype:attempted-user; sid:33723; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Type 1 font memory out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|5F E1 3D 20 49 DD DB 15 D7 26 E2 25 F5 C9 28 B2 CC FB 98 5F 8A 9C C3 B6 5C E4 A5 B4 27 7A 80 01 15 02 00 00 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-021; classtype:attempted-user; sid:33722; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|dppolyline|5C|dppolyline"; content:"|5C|dppolycount"; within:200; content:"|5C|dptxbx|5C|dptxbx"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-022; classtype:attempted-user; sid:33706; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dppolyline|5C|dppolyline"; content:"|5C|dppolycount"; within:200; content:"|5C|dptxbx|5C|dptxbx"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-022; classtype:attempted-user; sid:33705; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_server,established; file_data; content:"|FF|WPC"; depth:4; content:"|07 00|"; within:2; distance:52; byte_test:2,>,0xfffc,0,relative,little; metadata:service smtp; reference:cve,2004-0573; classtype:attempted-user; sid:33959; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_server,established; file_data; content:"|FF|WPC"; depth:4; content:"|07 00|"; within:2; distance:42; byte_test:2,>,0xfffc,0,relative,little; metadata:service smtp; reference:cve,2004-0573; classtype:attempted-user; sid:33958; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_server,established; file_data; content:"|FF|WPC"; depth:4; content:"|07 00|"; within:2; distance:32; byte_test:2,>,0xfffc,0,relative,little; metadata:service smtp; reference:cve,2004-0573; classtype:attempted-user; sid:33957; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_server,established; file_data; content:"|FF|WPC"; depth:4; content:"|07 00|"; within:2; distance:22; byte_test:2,>,0xfffc,0,relative,little; metadata:service smtp; reference:cve,2004-0573; classtype:attempted-user; sid:33956; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_server,established; file_data; content:"|FF|WPC"; depth:4; byte_jump:4,18,relative,little,from_beginning; content:"|07 00|"; within:2; distance:40; byte_test:2,>,0xfffc,0,relative,little; metadata:service smtp; reference:cve,2004-0573; classtype:attempted-user; sid:33955; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_server,established; file_data; content:"|FF|WPC"; depth:4; byte_jump:4,18,relative,little,from_beginning; content:"|07 00|"; within:2; distance:30; byte_test:2,>,0xfffc,0,relative,little; metadata:service smtp; reference:cve,2004-0573; classtype:attempted-user; sid:33954; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_server,established; file_data; content:"|FF|WPC"; depth:4; byte_jump:4,18,relative,little,from_beginning; content:"|07 00|"; within:2; distance:20; byte_test:2,>,0xfffc,0,relative,little; metadata:service smtp; reference:cve,2004-0573; classtype:attempted-user; sid:33953; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_server,established; file_data; content:"|FF|WPC"; depth:4; byte_jump:4,18,relative,little,from_beginning; content:"|07 00|"; within:2; distance:10; byte_test:2,>,0xfffc,0,relative,little; metadata:service smtp; reference:cve,2004-0573; classtype:attempted-user; sid:33952; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_client,established; file_data; content:"|FF|WPC"; depth:4; content:"|07 00|"; within:2; distance:52; byte_test:2,>,0xfffc,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2004-0573; classtype:attempted-user; sid:33951; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_client,established; file_data; content:"|FF|WPC"; depth:4; content:"|07 00|"; within:2; distance:42; byte_test:2,>,0xfffc,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2004-0573; classtype:attempted-user; sid:33950; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_client,established; file_data; content:"|FF|WPC"; depth:4; content:"|07 00|"; within:2; distance:32; byte_test:2,>,0xfffc,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2004-0573; classtype:attempted-user; sid:33949; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_client,established; file_data; content:"|FF|WPC"; depth:4; content:"|07 00|"; within:2; distance:22; byte_test:2,>,0xfffc,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2004-0573; classtype:attempted-user; sid:33948; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_client,established; file_data; content:"|FF|WPC"; depth:4; byte_jump:4,18,relative,little,from_beginning; content:"|07 00|"; within:2; distance:40; byte_test:2,>,0xfffc,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2004-0573; classtype:attempted-user; sid:33947; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_client,established; file_data; content:"|FF|WPC"; depth:4; byte_jump:4,18,relative,little,from_beginning; content:"|07 00|"; within:2; distance:30; byte_test:2,>,0xfffc,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2004-0573; classtype:attempted-user; sid:33946; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_client,established; file_data; content:"|FF|WPC"; depth:4; byte_jump:4,18,relative,little,from_beginning; content:"|07 00|"; within:2; distance:20; byte_test:2,>,0xfffc,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2004-0573; classtype:attempted-user; sid:33945; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WordPerfect converter buffer overflow attempt"; flow:to_client,established; file_data; content:"|FF|WPC"; depth:4; byte_jump:4,18,relative,little,from_beginning; content:"|07 00|"; within:2; distance:10; byte_test:2,>,0xfffc,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2004-0573; classtype:attempted-user; sid:33944; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft emf small header overwrite attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|50 00 00 00|"; byte_test:4,<,0x28,48,relative,little; metadata:service smtp; reference:cve,2015-1645; reference:cve,2017-3052; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-035; classtype:attempted-user; sid:34083; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft emf small header overwrite attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|50 00 00 00|"; byte_test:4,<,0x28,48,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1645; reference:cve,2017-3052; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-035; classtype:attempted-user; sid:34082; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Journal out of bounds read attempt"; flow:to_server,established; file_data; content:"|4E 42 2A 00 94 4C 00 00 01 01 00 FF FF 01 00 00 B0 09 00 00 B4 0D 00 00 2C 01 00 00 01 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1699; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-045; classtype:attempted-user; sid:34404; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Journal out of bounds read attempt"; flow:to_client,established; file_data; content:"|4E 42 2A 00 94 4C 00 00 01 01 00 FF FF 01 00 00 B0 09 00 00 B4 0D 00 00 2C 01 00 00 01 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1699; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-045; classtype:attempted-user; sid:34403; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Journal file exploitation attempt"; flow:to_client,established; file_data; content:"|3B E0 EF 00 FC 9D 80 DF 8A EC 57 80 BF 00 00 00 01 BE 0F 48 CF 0B F8 FB 00 7F 3F FF 77 03 FE 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1675; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-045; classtype:attempted-user; sid:34400; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Journal file exploitation attempt"; flow:to_server,established; file_data; content:"|3B E0 EF 00 FC 9D 80 DF 8A EC 57 80 BF 00 00 00 01 BE 0F 48 CF 0B F8 FB 00 7F 3F FF 77 03 FE 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1675; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-045; classtype:attempted-user; sid:34399; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Journal out of bounds read attempt"; flow:to_server,established; file_data; content:"|30 00 00 00 FF FF FF FF 01 00 00 00 01 00 20 00 03 00 00 00 02 00 00 00 18 00 98 00 02 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1696; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-045; classtype:attempted-user; sid:34390; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Journal out of bounds read attempt"; flow:to_client,established; file_data; content:"|30 00 00 00 FF FF FF FF 01 00 00 00 01 00 20 00 03 00 00 00 02 00 00 00 18 00 98 00 02 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1696; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-045; classtype:attempted-user; sid:34389; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Journal out of bounds write attempt"; flow:to_server,established; file_data; content:"|80 69 C0 02 EC FD 18 28 0A 2B BB D8 3D 29 82 D5 98 34 BF 94 2E 75 1E F6 1D C5 BF 9C EB DF 5F C5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1695; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-045; classtype:attempted-user; sid:34388; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Journal out of bounds write attempt"; flow:to_client,established; file_data; content:"|80 69 C0 02 EC FD 18 28 0A 2B BB D8 3D 29 82 D5 98 34 BF 94 2E 75 1E F6 1D C5 BF 9C EB DF 5F C5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1695; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-045; classtype:attempted-user; sid:34387; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Journal memory corruption attempt"; flow:to_server,established; file_data; content:"|42 4C 43 52 20 00 65 00 00 00 EB 06 00 00 7F FF FF FF FF FE 1F FF FF FF FF FF FF FF FF C0 00 B5 41 5E E9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1697; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-045; classtype:attempted-user; sid:34386; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Journal memory corruption attempt"; flow:to_client,established; file_data; content:"|42 4C 43 52 20 00 65 00 00 00 EB 06 00 00 7F FF FF FF FF FE 1F FF FF FF FF FF FF FF FF C0 00 B5 41 5E E9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1697; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-045; classtype:attempted-user; sid:34385; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Journal memory corruption attempt"; flow:to_server,established; file_data; content:"|A2 22 72 5A 97 A1 21 28 FF FF FF FF 10 A0 84 8A A2 31 51 1A 32 0B 89 D4 49 41 2D 68 A2 40 92 B9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1698; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-045; classtype:attempted-user; sid:34372; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Journal memory corruption attempt"; flow:to_client,established; file_data; content:"|A2 22 72 5A 97 A1 21 28 FF FF FF FF 10 A0 84 8A A2 31 51 1A 32 0B 89 D4 49 41 2D 68 A2 40 92 B9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1698; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-045; classtype:attempted-user; sid:34371; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pui; file_data; content:"|78 6A 48 65 4E 41 75 5A 52 4A 49 67 64 58 4A 35|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:33040; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pui; file_data; content:"|04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:33039; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pui; file_data; content:"styl"; content:"ntltJKKkGLNfWl3f"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:33038; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pui; file_data; content:"styl"; content:"|64 78 5A 64 70 43 48 61 6E 37 75 46 76 7A 58 62|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:33037; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pui; file_data; content:"styl"; content:"|42 53 73 59 75 72 46 56 50 33 67 64 69 4F 6D 4E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:33036; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pui; file_data; content:"styl"; content:"DefaultAAAAAAAAAA"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:33035; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pui; file_data; content:"|78 6A 48 65 4E 41 75 5A 52 4A 49 67 64 58 4A 35|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:33034; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pui; file_data; content:"|04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:33033; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pui; file_data; content:"styl"; content:"|6E 74 6C 74 4A 4B 4B 6B 47 4C 4E 66 57 6C 33 66|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:33032; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pui; file_data; content:"styl"; content:"|64 78 5A 64 70 43 48 61 6E 37 75 46 76 7A 58 62|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:33031; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pui; file_data; content:"styl"; content:"|42 53 73 59 75 72 46 56 50 33 67 64 69 4F 6D 4E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:33030; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pui; file_data; content:"styl"; content:"DefaultAAAAAAAAAA"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:33029; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple Quicktime invalid atom length buffer overflow attempt"; flow:to_server,established; file_data; content:"moov"; content:"rmra"; distance:0; content:"rdrf"; distance:0; content:"alis"; distance:0; content:"|00 0F|"; byte_test:2,>,0x1FE,2,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,60097; reference:cve,2013-1017; reference:url,support.apple.com/kb/HT5770; classtype:attempted-admin; sid:33023; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple Quicktime invalid atom length buffer overflow attempt"; flow:to_client,established; file_data; content:"moov"; content:"rmra"; distance:0; content:"rdrf"; distance:0; content:"alis"; distance:0; content:"|00 0F|"; byte_test:2,>,0x1FE,2,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60097; reference:cve,2013-1017; reference:url,support.apple.com/kb/HT5770; classtype:attempted-admin; sid:33022; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt"; flow:to_server,established; flowbits:isset,file.dmg; file_data; content:"LABL"; content:"|00 00 00 00 00 01|"; within:6; distance:2; byte_test:2,>,254,4,relative; isdataat:259; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-0197; classtype:attempted-user; sid:31325; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt"; flow:to_server,established; flowbits:isset,file.dmg; file_data; content:"|01 3C 50 72 6F 6F 66 5F 6F 66 5F 43 6F 6E 63 65 70 74 5F 41 73 73 75 72|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-0197; classtype:attempted-user; sid:31324; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dmg; file_data; content:"|01 3C 50 72 6F 6F 66 5F 6F 66 5F 43 6F 6E 63 65 70 74 5F 41 73 73 75 72|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0197; classtype:attempted-user; sid:31323; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Kingsoft Writer long font name buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ole|file.doc; file_data; content:"|87 7A 00 20 00 00 00 80 08 00 00 00 00 00 00 00 FF 01 00 00 00 00 00 00|"; isdataat:80,relative; content:!"|00 00|"; within:80; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,61796; reference:cve,2013-3934; classtype:attempted-user; sid:30534; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Kingsoft Writer long font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ole|file.doc; file_data; content:"|87 7A 00 20 00 00 00 80 08 00 00 00 00 00 00 00 FF 01 00 00 00 00 00 00|"; isdataat:512,relative; content:!"|00 00|"; within:512; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,61796; reference:cve,2013-3934; classtype:attempted-user; sid:30533; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle Outside In OS/2 Metafile parser stack overflow attempt"; flow:to_server,established; flowbits:isset,file.met; file_data; content:"|D3 A6 BB|"; byte_extract:2,-3,DescDataLen,relative; content:"|D3 EE BB|"; within:DescDataLen; byte_extract:2,-3,DataLen,relative; content:"|E7|"; within:DataLen; byte_test:1,>,8,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,64825; reference:cve,2013-5879; classtype:attempted-user; sid:30030; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle Outside In OS/2 Metafile parser stack overflow attempt"; flow:to_server,established; flowbits:isset,file.met; file_data; content:"|D3 A6 BB|"; byte_extract:2,-3,DescDataLen,relative; content:"|D3 EE BB|"; within:DescDataLen; byte_extract:2,-3,DataLen,relative; content:"|E6|"; within:DataLen; byte_test:1,>,8,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,64825; reference:cve,2013-5879; classtype:attempted-user; sid:30029; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle Outside In OS/2 Metafile parser stack overflow attempt"; flow:to_server,established; flowbits:isset,file.met; file_data; content:"|D3 A6 BB|"; byte_extract:2,-3,DescDataLen,relative; content:"|D3 EE BB|"; within:DescDataLen; byte_extract:2,-3,DataLen,relative; content:"|A7|"; within:DataLen; byte_test:1,>,8,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,64825; reference:cve,2013-5879; classtype:attempted-user; sid:30028; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle Outside In OS/2 Metafile parser stack overflow attempt"; flow:to_server,established; flowbits:isset,file.met; file_data; content:"|D3 A6 BB|"; byte_extract:2,-3,DescDataLen,relative; content:"|D3 EE BB|"; within:DescDataLen; byte_extract:2,-3,DataLen,relative; content:"|A6|"; within:DataLen; byte_test:1,>,8,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,64825; reference:cve,2013-5879; classtype:attempted-user; sid:30027; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle Outside In OS/2 Metafile parser stack overflow attempt"; flow:to_server,established; flowbits:isset,file.met; file_data; content:"|D3 A6 BB|"; byte_extract:2,-3,DescDataLen,relative; content:"|D3 EE BB|"; within:DescDataLen; byte_extract:2,-3,DataLen,relative; content:"|54|"; within:DataLen; byte_test:1,>,8,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,64825; reference:cve,2013-5879; classtype:attempted-user; sid:30026; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle Outside In OS/2 Metafile parser stack overflow attempt"; flow:to_server,established; flowbits:isset,file.met; file_data; content:"|D3 A6 BB|"; byte_extract:2,-3,DescDataLen,relative; content:"|D3 EE BB|"; within:DescDataLen; byte_extract:2,-3,DataLen,relative; content:"|14|"; within:DataLen; byte_test:1,>,8,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,64825; reference:cve,2013-5879; classtype:attempted-user; sid:30025; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Outside In OS/2 Metafile parser stack overflow attempt"; flow:to_client,established; flowbits:isset,file.met; file_data; content:"|D3 A6 BB|"; byte_extract:2,-3,DescDataLen,relative; content:"|D3 EE BB|"; within:DescDataLen; byte_extract:2,-3,DataLen,relative; content:"|E7|"; within:DataLen; byte_test:1,>,8,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64825; reference:cve,2013-5879; classtype:attempted-user; sid:30024; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Outside In OS/2 Metafile parser stack overflow attempt"; flow:to_client,established; flowbits:isset,file.met; file_data; content:"|D3 A6 BB|"; byte_extract:2,-3,DescDataLen,relative; content:"|D3 EE BB|"; within:DescDataLen; byte_extract:2,-3,DataLen,relative; content:"|E6|"; within:DataLen; byte_test:1,>,8,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64825; reference:cve,2013-5879; classtype:attempted-user; sid:30023; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Outside In OS/2 Metafile parser stack overflow attempt"; flow:to_client,established; flowbits:isset,file.met; file_data; content:"|D3 A6 BB|"; byte_extract:2,-3,DescDataLen,relative; content:"|D3 EE BB|"; within:DescDataLen; byte_extract:2,-3,DataLen,relative; content:"|A7|"; within:DataLen; byte_test:1,>,8,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64825; reference:cve,2013-5879; classtype:attempted-user; sid:30022; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Outside In OS/2 Metafile parser stack overflow attempt"; flow:to_client,established; flowbits:isset,file.met; file_data; content:"|D3 A6 BB|"; byte_extract:2,-3,DescDataLen,relative; content:"|D3 EE BB|"; within:DescDataLen; byte_extract:2,-3,DataLen,relative; content:"|A6|"; within:DataLen; byte_test:1,>,8,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64825; reference:cve,2013-5879; classtype:attempted-user; sid:30021; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Outside In OS/2 Metafile parser stack overflow attempt"; flow:to_client,established; flowbits:isset,file.met; file_data; content:"|D3 A6 BB|"; byte_extract:2,-3,DescDataLen,relative; content:"|D3 EE BB|"; within:DescDataLen; byte_extract:2,-3,DataLen,relative; content:"|54|"; within:DataLen; byte_test:1,>,8,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64825; reference:cve,2013-5879; classtype:attempted-user; sid:30020; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Outside In OS/2 Metafile parser stack overflow attempt"; flow:to_client,established; flowbits:isset,file.met; file_data; content:"|D3 A6 BB|"; byte_extract:2,-3,DescDataLen,relative; content:"|D3 EE BB|"; within:DescDataLen; byte_extract:2,-3,DataLen,relative; content:"|14|"; within:DataLen; byte_test:1,>,8,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64825; reference:cve,2013-5879; classtype:attempted-user; sid:30019; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt"; flow:to_server,established; file_data; content:"|D3 A8 A8|"; depth:3; offset:2; content:"|D3 A6 BB|"; within:250; content:"|D3 EE BB|"; within:130; content:"|66|"; within:4; byte_test:1,>,0x08,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,63741; reference:cve,2013-5763; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-105; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21660964; classtype:attempted-user; sid:29577; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt"; flow:to_server,established; file_data; content:"|D3 A8 A8|"; depth:3; offset:2; content:"|D3 A6 BB|"; within:250; content:"|D3 EE BB|"; within:130; content:"|65|"; distance:0; byte_test:1,>,0x08,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,63741; reference:cve,2013-5763; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-105; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21660964; classtype:attempted-user; sid:29576; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt"; flow:to_server,established; file_data; content:"|D3 A8 A8|"; depth:3; offset:2; content:"|D3 A6 BB|"; within:250; content:"|D3 EE BB|"; within:130; content:"|26|"; within:4; byte_test:1,>,0x08,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,63741; reference:cve,2013-5763; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-105; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21660964; classtype:attempted-user; sid:29575; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt"; flow:to_server,established; file_data; content:"|D3 A8 A8|"; depth:3; offset:2; content:"|D3 A6 BB|"; within:250; content:"|D3 EE BB|"; within:130; content:"|25|"; within:4; byte_test:1,>,0x08,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,63741; reference:cve,2013-5763; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-105; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21660964; classtype:attempted-user; sid:29574; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|D3 A8 A8|"; depth:3; offset:2; content:"|D3 A6 BB|"; within:250; content:"|D3 EE BB|"; within:130; content:"|66|"; within:4; byte_test:1,>,0x08,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,63741; reference:cve,2013-5763; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-105; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21660964; classtype:attempted-user; sid:29573; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|D3 A8 A8|"; depth:3; offset:2; content:"|D3 A6 BB|"; within:250; content:"|D3 EE BB|"; within:130; content:"|65|"; within:4; byte_test:1,>,0x08,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,63741; reference:cve,2013-5763; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-105; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21660964; classtype:attempted-user; sid:29572; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|D3 A8 A8|"; depth:3; offset:2; content:"|D3 A6 BB|"; within:250; content:"|D3 EE BB|"; within:130; content:"|26|"; within:4; byte_test:1,>,0x08,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,63741; reference:cve,2013-5763; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-105; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21660964; classtype:attempted-user; sid:29571; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|D3 A8 A8|"; depth:3; offset:2; content:"|D3 A6 BB|"; within:250; content:"|D3 EE BB|"; within:130; content:"|25|"; within:4; byte_test:1,>,0x08,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,63741; reference:cve,2013-5763; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-105; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21660964; classtype:attempted-user; sid:29570; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Corel PDF fusion XPS stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xps; file_data; content:"PK|03 04|"; byte_test:2,>,2048,22,little,relative; content:!"PK|03 04|"; within:2048; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3248; classtype:attempted-user; sid:29468; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Corel PDF fusion XPS stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xps; file_data; content:"PK|01 02|"; byte_test:2,>,2048,24,little,relative; content:!"PK|01 02|"; within:2048; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3248; classtype:attempted-user; sid:29467; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Corel PDF fusion XPS stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xps; file_data; content:"PK|03 04|"; byte_test:2,>,2048,22,little,relative; content:!"PK|03 04|"; within:2048; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3248; classtype:attempted-user; sid:29466; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Corel PDF fusion XPS stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xps; file_data; content:"PK|01 02|"; byte_test:2,>,2048,24,little,relative; content:!"PK|01 02|"; within:2048; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3248; classtype:attempted-user; sid:29465; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER IBM Forms Viewer XFDL form processing stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xfdl; file_data; content:"<fontname>"; nocase; content:!"</fontname>"; within:42; nocase; pcre:"/^[\r\n\t\s]*?[^<]{31}/iR"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2013-5447; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21657500; classtype:attempted-user; sid:29280; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER IBM Forms Viewer XFDL form processing stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xfdl; file_data; content:"<fontinfo>"; nocase; content:"<ae>"; within:50; nocase; content:!"</ae>"; within:36; nocase; pcre:"/^[\r\n\t\s]*?[^<]{31}/iR"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2013-5447; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21657500; classtype:attempted-user; sid:29279; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER IBM Forms Viewer XFDL form processing stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xfdl; file_data; content:"<fontname>"; nocase; content:!"</fontname>"; within:42; nocase; pcre:"/^[\r\n\t\s]*?[^<]{31}/iR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5447; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21657500; classtype:attempted-user; sid:29278; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER IBM Forms Viewer XFDL form processing stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xfdl; file_data; content:"<fontinfo>"; nocase; content:"<ae>"; within:50; nocase; content:!"</ae>"; within:36; nocase; pcre:"/^[\r\n\t\s]*?[^<]{31}/iR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5447; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21657500; classtype:attempted-user; sid:29277; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office Image filter BMP overflow attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; content:"|08|"; within:1; distance:26; byte_test:4,>,256,21,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3020; classtype:attempted-user; sid:28315; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows XP .theme file remote code execution attempt"; flow:to_client,established; file_data; content:"[Theme]"; fast_pattern:only; content:"SCRNSAVE.EXE="; content:!"C|3A 5C|"; within:3; content:!"%"; within:1; content:!"|0D|"; within:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0810; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-071; classtype:attempted-admin; sid:27822; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_client,established; file_data; content:"|52 61 72 21 1A 07 00|"; depth:7; content:"|74|"; byte_test:1,<,4,12,relative; byte_extract:2,23,name_len,relative,little; content:">"; within:name_len; distance:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0850; classtype:attempted-user; sid:27583; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_client,established; file_data; content:"|52 61 72 21 1A 07 00|"; depth:7; content:"|74|"; byte_test:1,<,4,12,relative; byte_extract:2,23,name_len,relative,little; content:"<"; within:name_len; distance:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0850; classtype:attempted-user; sid:27582; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.kvl; file_data; content:"6.00|00 00 00 00|"; depth:8; isdataat:280,relative; content:!"|00|"; within:128; distance:152; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4711; classtype:attempted-admin; sid:26496; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.kvl; file_data; content:"6.00|00 00 00 00|"; depth:8; isdataat:280,relative; content:!"|00|"; within:128; distance:152; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4711; classtype:attempted-admin; sid:26495; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER VMWare OVF Tool format string exploit attempt"; flow:to_client,established; file_data; content:"ovf:name"; nocase; content:"%"; within:50; pcre:"/<Description>[^<]*?\x25(\d+\x24)?(\d+)?[nxcsd]/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56468; reference:cve,2012-3569; reference:url,www.vmware.com/security/advisories/VMSA-2012-0015; classtype:attempted-user; sid:25811; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER VMWare OVF Tool format string exploit attempt"; flow:to_client,established; file_data; content:"ovf:diskId"; nocase; content:"%"; within:75; distance:-75; pcre:"/^(\d+\x24)?(\d+)?[nxcsd]/iR"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56468; reference:cve,2012-3569; reference:url,www.vmware.com/security/advisories/VMSA-2012-0015; classtype:attempted-user; sid:25810; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple QuickTime TeXML style sub-element buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"<text3GTrack"; fast_pattern:only; content:"<style"; nocase; content:"font-size|3A|"; distance:0; nocase; content:!"|7D|"; within:16; pcre:"/font-size\x3a\s*?\d{16}/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56438; reference:bugtraq,56557; reference:cve,2012-3752; reference:cve,2012-3758; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25648; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple QuickTime TeXML style sub-element buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"<text3GTrack"; fast_pattern:only; content:"<style"; nocase; content:"font-table|3A|"; distance:0; nocase; content:!"|7D|"; within:16; pcre:"/font-table\x3a\s*?\d{16}/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56557; reference:cve,2012-3752; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25647; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple QuickTime TeXML style sub-element buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<text3GTrack"; fast_pattern:only; content:"<style"; nocase; content:"line-height|3A|"; distance:0; nocase; content:!"|7D|"; within:16; pcre:"/line-height\x3a\s*?\d{16}/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56557; reference:cve,2012-3752; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25646; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple QuickTime TeXML style sub-element buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<text3GTrack"; fast_pattern:only; content:"<style"; nocase; content:"font-size|3A|"; distance:0; nocase; content:!"|7D|"; within:16; pcre:"/font-size\x3a\s*?\d{16}/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56557; reference:cve,2012-3752; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25645; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple QuickTime TeXML style sub-element buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<text3GTrack"; fast_pattern:only; content:"<style"; nocase; content:"font-table|3A|"; distance:0; nocase; content:!"|7D|"; within:16; pcre:"/font-table\x3a\s*?\d{16}/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56438; reference:bugtraq,56557; reference:cve,2012-3752; reference:cve,2012-3758; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25644; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cisco WebEx player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.wrf; file_data; content:"|FF 7F 25 00 88 03 8C 02 CC 7C 01 00 00 00 00 00 FD 7E 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-4004; classtype:attempted-user; sid:25341; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Audition Session file tkrm stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ses; file_data; content:"|43 4F 4F 4C 4E 45 53 53|"; depth:8; content:"|54 52 4B 4D|"; distance:0; byte_jump:4,16,relative,multiplier 2,little; byte_jump:4,8,relative,multiplier 2,little; byte_jump:4,48,relative,multiplier 2,little; byte_jump:4,4,relative,multiplier 2,little; byte_jump:4,0,relative,multiplier 2,little; byte_jump:4,4,relative,multiplier 2,little; byte_test:4,>,12,20,relative,little; content:!"|00 00|"; within:24; distance:24; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,47841; reference:cve,2011-0614; reference:url,www.adobe.com/support/security/bulletins/apsb11-10.html; classtype:attempted-user; sid:25332; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Audition Session file stack buffer overflow attempt"; flow:to_server,established; file_data; content:"COOLNESS"; depth:8; content:"hdr "; within:4; distance:4; content:!"|00 00 00 00|"; within:4; distance:44; byte_test:4,>,884,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,47841; reference:cve,2011-0614; reference:url,www.adobe.com/support/security/bulletins/apsb11-10.html; classtype:attempted-user; sid:25310; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Audition Session file stack buffer overflow attempt"; flow:to_client,established; file_data; content:"COOLNESS"; depth:8; content:"hdr "; within:4; distance:4; content:!"|00 00 00 00|"; within:4; distance:44; byte_test:4,>,884,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,47841; reference:cve,2011-0614; reference:url,www.adobe.com/support/security/bulletins/apsb11-10.html; classtype:attempted-user; sid:25309; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Cisco WebEx WRF memory corruption attempt"; flow:to_server, established; flowbits:isset,file.wrf; file_data; content:"|1F 6A 4E 00 00 14 00 00 00 02 FF 7F 8C 02 18|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-3939; classtype:attempted-user; sid:25304; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cisco WebEx WRF memory corruption attempt"; flow:to_client, established; flowbits:isset,file.wrf; file_data; content:"|1F 6A 4E 00 00 14 00 00 00 02 FF 7F 8C 02 18|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-3939; classtype:attempted-user; sid:25303; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cisco WebEx recording format buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.wrf; file_data; content:"|14 00 00 00 00 00 00 00 00 02|"; byte_test:1,=,0xBB,-15,relative; content:"|CC 7C 01 00 00 00 00 00 FD|"; within:9; distance:8; content:"|01|"; within:1; distance:6; byte_test:1,>=,0x2d,10,relative; byte_test:1,>=,0x58,11,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1337; classtype:attempted-user; sid:24998; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|42 00 57 C6 42 DD 57 C0 43 00 66 BD 42 01 57 BE|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2031; classtype:denial-of-service; sid:24761; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|2C 52 02 4C 00 4C 33 4C 02 4C 01 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2030; classtype:denial-of-service; sid:24702; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cisco WebEx recording format buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.wrf; content:"|1F|"; content:"|14 00 00 00 02|"; within:5; distance:4; byte_jump:4,25,relative,little; content:"|01|"; within:1; content:"|00 00|"; within:2; distance:5; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1335; classtype:attempted-user; sid:24680; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cisco WebEx recording format buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.wrf; content:"|1F|"; content:"|14 00 00 00 02|"; within:5; distance:4; content:"|01|"; within:1; distance:24; content:"|00 00|"; within:2; distance:7; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1335; classtype:attempted-user; sid:24679; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cisco WebEx recording format buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.wrf; content:"|1F|"; content:"|14 00 00 00 02|"; within:5; distance:4; content:"|01|"; within:1; distance:24; content:"|00 00|"; within:2; distance:5; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1335; classtype:attempted-user; sid:24678; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple Quicktime TeXML Style attribute overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"text3GTrack"; nocase; content:"<description"; distance:0; content:"backgroundColor="; distance:0; pcre:"/color\x3d\s*?[\x22\x27][^\x22\x27]{20}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0663; classtype:attempted-user; sid:24338; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow"; flow:to_server,established; flowbits:isset,file.lzh; file_data; byte_test:1,<,19,0; content:"-lh"; depth:3; offset:2; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,48018; reference:cve,2011-1213; classtype:attempted-user; sid:24208; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow"; flow:to_server,established; flowbits:isset,file.lzh; content:"|0D 0A 0D 0A|CBotbGgwLXwaAAB8"; fast_pattern:4,16; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,48018; reference:cve,2011-1213; classtype:attempted-user; sid:24207; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle outside in Lotus 1-2-3 heap overflow attempt"; flow:to_server,established; flowbits:isset,file.wk|file.123; file_data; content:"|1B 00|"; byte_test:2,>,1024,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0110; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex; classtype:attempted-user; sid:24029; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Media MIDI file memory corruption attempt"; flow:to_server,established; flowbits:isset,file.mid; file_data; content:"|00 B9 07 64 00 B9 0A 40 00 B9 7B 00 00 B9 5B 28 00 B9 5D 00 85 50 99 23|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:24003; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Media MIDI file memory corruption attempt"; flow:to_server,established; file_data; content:"|4D 54 68 64|"; depth:4; content:"|4D 54 72 6B 00 00 01 74 00 C9 01 00 9F FF 7F 00 99 23 7F 78 89|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,51292; reference:cve,2012-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:24002; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Media MIDI file memory corruption attempt"; flow:to_server,established; flowbits:isset,file.mid; file_data; content:"|7F 00 43 7F 82 68 43 00 04 3C 00 14 3C 7F 00 43 7C 82 6C 3C 00 00 43 00 14 43 7F 00 3C 7E 82 68|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,51292; reference:cve,2012-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:24001; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Media MIDI file memory corruption attempt"; flow:to_server,established; flowbits:isset,file.mid; file_data; content:"|9F 92 7F 00 9F B2 00 00 99 23 7F 78 89 23 7F 00 23 7F 78 23 7F 78 23 7F 78 23 7F 00 99 23 7F 78|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,51292; reference:cve,2012-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:24000; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Media MIDI file memory corruption attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"|9F 92 7F 00 9F B2 00 00 99 23 7F 78 89 23 7F 00 23 7F 78 23 7F 78 23 7F 78 23 7F 00 99 23 7F 78|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,51292; reference:cve,2012-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:23999; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER heapspray characters detected - binary"; flow:to_client,established; flowbits:isnotset,file.jpeg; file_data; content:"|0C 0C 0C 0C 0C 0C 0C 0C|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:23861; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER heapspray characters detected - binary"; flow:to_server,established; flowbits:isnotset,file.jpeg; file_data; content:"|0C 0C 0C 0C 0C 0C 0C 0C|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:23858; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Outside-In JPEG2000 QCD segment processing heap buffer overflow attempt"; flow:established,to_client; file_data; content:"|00 00 00 0C 6A 50 20 20|"; depth:8; content:"|6A 70 32 63|"; distance:0; content:"|FF 5C|"; within:70; byte_test:2,>,840,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,54500; reference:cve,2012-1769; classtype:attempted-admin; sid:23806; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Novell Groupwise Addressbook buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.nab; file_data; content:":::TAGMAP:::"; fast_pattern:only; content:"|2C|"; isdataat:750,relative; content:!"|2C|"; within:750; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,52233; reference:bugtraq,55729; reference:cve,2011-4189; reference:cve,2012-0418; reference:url,novell.com/support/kb/doc.php?id=7010205; reference:url,novell.com/support/kb/doc.php?id=7010771; classtype:attempted-user; sid:23580; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER VLC mms hostname buffer overflow attempt"; flow:to_server,established; file_data; content:"mms|3A 2F 2F|"; nocase; isdataat:4018,relative; pcre:"/^[^\x22\x27]{4018}/R"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1775; reference:url,www.videolan.org/security/sa1201.html; classtype:attempted-user; sid:23577; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple Quicktime TeXML Style attribute overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"text3GTrack"; nocase; content:"karaoke"; distance:0; content:"color="; distance:0; pcre:"/color\x3d\s*?[\x22\x27][^\x22\x27]{20}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0663; classtype:attempted-user; sid:23465; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"text3GTrack"; nocase; content:"description"; distance:0; content:"backgroundColor|3A|"; pcre:"/^\s*[^\x3e]{62}/Rsmi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0663; classtype:attempted-user; sid:23464; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple Quicktime TeXML sampleData attribute overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"text3GTrack"; nocase; content:"sampleData"; distance:0; content:"highlightColor|3A|"; pcre:"/^\s*[^\x3e]{62}/Rsmi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0663; classtype:attempted-user; sid:23463; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple Quicktime TeXML Style attribute overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"text3GTrack"; nocase; content:"style"; distance:0; content:"color|3A|"; distance:0; pcre:"/color\x3a\s*?[^\x7d]{62}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0663; classtype:attempted-user; sid:23462; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple Quicktime TeXML Transform attribute overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"text3GTrack"; nocase; content:"transform"; distance:0; pcre:"/^\s*\x3d\s*[\x27\x22](translate|matrix)[^\x27\x22]{62}/Rsmi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0663; classtype:attempted-user; sid:23461; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple Quicktime JPEG2000 length integer underflow attempt"; flow:to_client,established; file_data; content:"|6A 50 20 20|"; depth:4; offset:4; byte_jump:4,-8,relative; content:"|66 74 79 70|"; within:4; byte_jump:4,-8,relative; content:"|6A 70 32 68|"; within:4; byte_jump:4,-8,relative; content:"|6A 70 32 63 FF 4F FF 51|"; distance:0; byte_jump:2,0,relative; content:"|FF 52|"; within:2; distance:-2; byte_test:2,<,12,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3250; classtype:attempted-user; sid:23400; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle outside in Lotus 1-2-3 heap overflow attempt"; flow:to_client,established; flowbits:isset,file.wk|file.123; file_data; content:"|1B 00|"; byte_test:2,>,1024,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0110; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex; classtype:attempted-user; sid:23346; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cisco WebEx recording integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wrf; file_data; content:"|14 00 00 00 00 00 00 00 00 02|"; fast_pattern; content:"|BB|"; within:1; distance:-15; content:"|01|"; within:1; distance:50; byte_test:4,>=,0x15555555,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52882; reference:cve,2012-1336; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120404-webex; classtype:attempted-user; sid:23269; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO"; depth:4; content:"cmap"; within:200; content:"head"; within:200; byte_test:4,>=,0x80000000,4,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23152; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cisco WebEx recording integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wrf; file_data; content:"|14 00 00 00 02|"; depth:2000; fast_pattern; content:"|01 00 00 00|"; within:4; distance:15; byte_test:2,>=,0x8000,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex; classtype:attempted-user; sid:23101; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cisco WebEx recording integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wrf; file_data; content:"|14 00 00 00 02|"; depth:2000; fast_pattern; content:"|01 00 00 00|"; within:4; distance:15; byte_test:2,>=,0x8000,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex; classtype:attempted-user; sid:23100; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Photoshop asset elements stack based buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.collada; content:"<COLLADA"; content:"<asset>"; distance:0; content:">"; distance:0; isdataat:2048,relative; content:!"</"; within:2048; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53464; classtype:attempted-user; sid:23014; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Novell Groupwise Addressbook buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.nab; file_data; content:":::TAGMAP:::"; fast_pattern:only; content:"|2C|"; isdataat:750,relative; content:!"|2C|"; within:750; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52233; reference:bugtraq,55729; reference:cve,2011-4189; reference:cve,2012-0418; reference:url,novell.com/support/kb/doc.php?id=7010205; reference:url,novell.com/support/kb/doc.php?id=7010771; classtype:attempted-user; sid:22947; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER VLC mms hostname buffer overflow attempt"; flow:to_client,established; file_data; content:"mms|3A 2F 2F|"; nocase; isdataat:4018,relative; pcre:"/^[^\x22\x27]{4018}/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1775; reference:url,www.videolan.org/security/sa1201.html; classtype:attempted-user; sid:21922; rev:11;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Java JRE sandbox breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"AtomicReferenceArray"; content:"localAtomicReferenceArray = (AtomicReferenceArray)arrayofObject"; distance:0; nocase; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21869; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ZIP file name overflow attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|03 04|"; depth:4; byte_test:2,>,128,22,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,41333; reference:bugtraq,46059; reference:bugtraq,46375; reference:cve,2004-1094; reference:cve,2010-3227; reference:cve,2011-4535; reference:cve,2015-7939; reference:cve,2016-4519; classtype:attempted-user; sid:21484; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Director KEY chunk buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"RIFX"; depth:4; fast_pattern; nocase; content:"KEY|2A|"; distance:0; byte_test:4,<,5,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,48300; reference:cve,2011-2111; classtype:attempted-user; sid:21371; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe shockwave director tSAC string termination memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.dir; content:"|00 00 00 01 00 00 12 47 00 00 00 00 F0 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2118; classtype:attempted-user; sid:21316; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt"; flow:to_client,established; flowbits:isset,file.asx; file_data; content:"<ASX"; fast_pattern; nocase; content:"VERSION"; within:50; nocase; pcre:"/<ASX[^>]*?VERSION\s*=\s*[0-9\x22\x27][0-9\x2e]{20}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0150; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-013; classtype:attempted-user; sid:21308; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Media MIDI file memory corruption attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"|00 B9 07 64 00 B9 0A 40 00 B9 7B 00 00 B9 5B 28 00 B9 5D 00 85 50 99 23|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,51292; reference:cve,2012-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:21167; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Media MIDI file memory corruption attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"|7F 00 43 7F 82 68 43 00 04 3C 00 14 3C 7F 00 43 7C 82 6C 3C 00 00 43 00 14 43 7F 00 3C 7E 82 68|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,51292; reference:cve,2012-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:21159; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cisco Webex selector and size2 subrecords corruption attempt"; flow:to_client,established; flowbits:isset,file.wrf; file_data; content:"|02 3C 00 3C 00 18 77 04 00 00 00 10 77 04 00 00 01 00 00 00 88 03 5B 00 18 00 00 40|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3319; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-093; reference:url,www.securityfocus.com/bid/50373; classtype:attempted-user; sid:21116; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows OpenType font parsing stack overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|1E 1A 00 04 88 28 1F 8B 8B 1E 1A 00 04 88 28 1F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-032; classtype:attempted-admin; sid:20903; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Media MIDI file memory corruption attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"|4D 54 68 64|"; depth:4; content:"|4D 54 72 6B 00 00 01 74 00 C9 01 00 9F FF 7F 00 99 23 7F 78 89|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,51292; reference:cve,2012-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:20900; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Interactive Data eSignal stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.esignal; file_data; content:"<StyleTemplate>"; fast_pattern; nocase; isdataat:512,relative; content:!"</StyleTemplate>"; within:512; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3494; classtype:attempted-user; sid:20843; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Interactive Data eSignal stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.esignal; file_data; content:"|00 00 00|"; depth:3; offset:1; byte_test:1,<,12,0; byte_test:1,>,20,13; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3494; classtype:attempted-user; sid:20842; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Agent Helper Malicious JAR download attempt"; flow:to_client,established; flowbits:isset,file.jar.agent_helper; file_data; content:"META-INF/MANIFEST.MF"; nocase; isdataat:128,relative; flowbits:unset,file.jar.agent_helper; content:!"META-INF/MICCORJA.SF"; nocase; content:!"META-INF/MICCORJA.RSA"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1969; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; classtype:attempted-user; sid:20259; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mime; file_data; content:"Content-Type"; fast_pattern:only; content:"name"; nocase; content:"="; within:5; isdataat:300,relative; content:!"|3B|"; within:300; content:!"|0A|"; within:302; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1336; classtype:attempted-user; sid:20034; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft SYmbolic LinK stack overflow attempt"; flow:to_client,established; flowbits:isset,file.slk; file_data; content:"P|3B|"; fast_pattern:only; pcre:"/(^P\x3B[^\x3B]*\x0D\x0A){200}/mi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,48161; reference:cve,2011-1276; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:19911; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows embedded OpenType EOT font integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|52 E7 0D 2C 32 3E 1D FC BE E2 B2 A1 E9 94 6A 46 57 35 B4 FD|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43775; reference:cve,2010-1883; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-076; classtype:attempted-user; sid:19308; rev:16;)
# alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"FILE-OTHER Microsoft LNK shortcut arbitary dll load attempt"; flow:to_client,established; content:"|FF|SMB"; depth:4; offset:4; content:"|00 00 00 00|"; within:4; distance:1; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; content:"|20 20 EC 21 EA 3A 69 10 A2 DD 08 00 2B 30 30 9D|"; distance:0; pcre:"/\x2E\x00?d\x00?l\x00?l\x00?/Ri"; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2010-2568; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-046; classtype:attempted-user; sid:19290; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Cisco Webex Player .wrf stack buffer overflow"; flow:to_client,established; flowbits:isset,file.wrf; file_data; content:"|02 01 78 02 69 C1 F0 FC|"; offset:690; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46075; reference:cve,2010-3269; classtype:attempted-user; sid:19226; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption"; flow:to_client,established; flowbits:isset,file.cov; file_data; content:"|00 00 42 00 55 00 47 00 0A 00 A7 FE FF FF DA 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45942; reference:cve,2010-2701; classtype:attempted-admin; sid:19220; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption"; flow:to_client,established; flowbits:isset,file.cov; file_data; content:"|00 73 00 04 00 AD FE FF FF FE 01 00 00 2F FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45942; reference:cve,2010-2701; classtype:attempted-admin; sid:19219; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows .NET Framework XAML browser applications stack corruption"; flow:to_client,established; flowbits:isset,file.manifest; file_data; content:"|2F 00 59 00 41 01 6B 00 61 00 41 01 6B 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,47223; reference:cve,2010-3958; classtype:attempted-user; sid:19170; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt"; flow:to_client,established; flowbits:isset,file.asx; file_data; content:"|FF FA 92 60 41 41 41 41|"; depth:8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42298; reference:cve,2010-1882; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-052; classtype:attempted-user; sid:19144; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave 3D structure opcode 89 overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"initmainVWTL"; content:"XMED"; within:4; distance:4; content:"|89 FF FF FF 00 FF 00|"; within:7; distance:36; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-4003; reference:url,www.adobe.com/support/security/bulletins/apsb10-03.html; classtype:attempted-user; sid:19115; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave 3D structure opcode 45 overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"initmainVWTL"; content:"XMED"; within:4; distance:4; content:"|45 FF FF FF 00 FF 00|"; within:7; distance:36; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-4003; reference:url,www.adobe.com/support/security/bulletins/apsb10-03.html; classtype:attempted-user; sid:19114; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave 3D structure opcode 81 overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"initmainVWTL"; content:"XMED"; within:4; distance:4; content:"|81 FF FF FF 00 FF 00|"; within:7; distance:36; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-4003; reference:url,www.adobe.com/support/security/bulletins/apsb10-03.html; classtype:attempted-user; sid:19113; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave 3D stucture heap overflow"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"initmainVWTL"; content:"XMED"; within:4; distance:4; content:"|80 FF FF FF 00|"; within:5; distance:36; content:"|0C 0C 0C 0C FF 00 00 00|"; within:8; distance:25; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-4002; reference:url,www.adobe.com/support/security/bulletins/apsb10-03.html; classtype:attempted-user; sid:19112; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft OpenType font index remote code execution attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|FB 01 FF FF 00 00 FF 2F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45311; reference:cve,2010-3956; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-091; classtype:attempted-user; sid:19064; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Player Lnam chunk processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"manL"; content:"|00 00|"; within:2; distance:2; content:!"|00 00|"; within:2; distance:18; content:"|FF|"; within:1; distance:20; isdataat:256,relative; content:!"|00|"; within:256; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,44516; reference:cve,2010-3655; reference:url,www.adobe.com/support/security/bulletins/apsb10-25.html; classtype:attempted-user; sid:19012; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Player Lnam chunk processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"Lnam|00 00|"; content:!"|00 00|"; within:2; distance:20; content:"|FF|"; within:1; distance:22; isdataat:256; content:!"|00|"; within:256; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,44516; reference:cve,2010-3655; reference:url,www.adobe.com/support/security/bulletins/apsb10-25.html; classtype:attempted-user; sid:19011; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER rich text format unexpected field type memory corruption attempt"; flow:to_client,established; file_data; content:"|CB 5D 91 76 A2 A3 23 D7 EF 15 F9 A8 E3 7A DD A5 78 21 08 0E FE 17 FF 2F 2D AD 84 49 9C 65 41 B6|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:18954; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER rich text format unexpected field type memory corruption attempt"; flow:to_client,established; file_data; content:"|4B 47 2D D7 6B CF 87 5D CF DB F3 1E FE 9F 9F 5F F4 A3 30 49 BC A4 DB 9E B3 C3 7B ED B9 C5 28 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:18953; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|AA FF FF FF FF 00 00 00 20 00 00 00 03 00 00 00 21 00 00 00 7E 00 00 00 04 00 00 00 A0 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43068; reference:cve,2010-2738; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-063; classtype:attempted-user; sid:18952; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Director pamm chunk memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"XFIR"; depth:4; content:"pamm"; distance:4; byte_test:2,>,0x14,6,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-4084; reference:url,www.adobe.com/support/security/bulletins/apsb10-25.html; classtype:attempted-user; sid:18776; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER OpenOffice.org XPM file processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xpm; file_data; content:"/* XPM */"; fast_pattern; content:"static char *"; distance:0; pcre:"/^[^\x22]+\x22(\d+\x20+){2}/R"; byte_test:10,>,419062,0,relative,string; byte_test:10,>,10244,1,relative,string; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38218; reference:cve,2009-2949; classtype:attempted-user; sid:18537; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Media Player dvr-ms file parsing remote code execution attempt"; flow:to_client,established; file_data; content:"|00 00 00 00 A2 00 56 61 6C 69 02 00 00 00 90 00 42 42 42 42|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0042; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-015; classtype:attempted-user; sid:18498; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt"; flow:to_client,established; flowbits:isset,file.asx; file_data; content:"|FF FA 92 60 3C 6F|"; content:"|FF FA 92 C9 B9 56|"; within:6; distance:412; fast_pattern; content:"|A9 00 04 48 58 DC E1 83 4B 68 32 01 9B BC 04 A3 27 0E A5 3D 71 66 0D 2D A8 D3 84 AF 3C 14 88 94 3E 89 CA BF 80 9C|"; within:38; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1882; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-052; classtype:attempted-user; sid:18463; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows ATMFD Adobe font driver remote code execution attempt"; flow:to_client,established; file_data; content:"|64 A2 F7 60 A2 01 F7 A7 C8 03 14 E0 F7 E6 43 15 BE C9 A3 B0|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-007; classtype:attempted-user; sid:18402; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows ATMFD font driver remote code execution attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|01 00 04 04 00 01 01 01 03 49 57 00 01 02 80 01 00 40 F8 0F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3957; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-091; classtype:attempted-user; sid:18219; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF FF FF FF 00 00|rcsL"; isdataat:484,relative; content:"|00 00 00 80 00 00 F0 41 41 41 41 41 41 AB 41 05 43 01 57 17|"; within:20; distance:484; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:17807; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF 00 00|rcsL"; isdataat:192,relative; content:"|01 02 4C 00 00 00 00 80 00 00 F0 FF F0 02 67 25 A2 01 33 41|"; within:20; distance:192; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:17806; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL"; isdataat:203,relative; content:"|FF F0 02 67|"; within:4; distance:203; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42682; reference:cve,2010-2873; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:17803; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_client,established; content:"gzip"; http_header; content:"|0D 0A 0D 0A 1F 8B|"; byte_test:1,&,0x08,1,relative; content:">"; within:20; distance:8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0850; classtype:attempted-user; sid:17778; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle JDK image parsing library ICC buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|BC 08 59 03 02 54 59 04 10 D8 54 59 05 02 54 59|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24004; reference:cve,2007-2788; reference:url,scary.beasts.org/security/CESA-2006-004.html; classtype:attempted-user; sid:17727; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER McAfee LHA file parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"-lh0-"; nocase; content:"AAAAAAAA"; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,10243; reference:cve,2005-0643; classtype:attempted-user; sid:17704; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Multiple AV vendor invalid archive checksum bypass attempt"; flow:to_client,established; file_data; content:"|50 4B 03 04 0A 00 00 00 00 00 E0 98 B8 28 00 00 00 00 44 00 00 00 44 00 00 00 09 00 00 00 65 69 63 61 72 2E 63 6F 6D 58|"; depth:40; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12771; reference:url,archives.neohapsis.com/archives/fulldisclosure/2005-03/0207.html; classtype:attempted-user; sid:17651; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Pagemaker Key Strings Stack Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.pmd; file_data; content:"Magenta"; nocase; content:"|41 41 41 41 41|"; within:5; distance:241; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,31999; reference:cve,2007-6432; classtype:attempted-admin; sid:17650; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER RealNetworks RealPlayer SWF frame handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|E5 05 00 00 78 00 05 5F 00 00 0F A0 00 00 0C 01 00 43 02 FF FF FF BF 00 39 00 00 00 01 00 70 F2|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30370; reference:cve,2007-5400; classtype:attempted-user; sid:17633; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER ClamAV antivirus CHM file handling DOS"; flow:to_client,established; file_data; content:"ITSF"; content:"|11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|"; within:16; distance:36; content:"ITSP"; distance:0; byte_test:4,<,8,12,relative,little; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30994; reference:cve,2008-1389; reference:url,sourceforge.net/project/shownotes.php?group_id=86638&release_id=623661; classtype:attempted-dos; sid:17602; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER IBM Lotus Notes Applix Graphics Parsing Buffer Overflow"; flow:to_server,established; content:"Content-Transfer-Encoding|3A 20|quoted-printable|0D 0A|"; nocase; content:"Content-Disposition|3A 20|attachment"; distance:0; nocase; content:"|2A|BEGIN GRAPHICS VERSION"; within:23; distance:25; nocase; pcre:"/VERSION\x3d3D\d{3}[^\r\n]*\r\n/i"; content:"ENCODING"; within:8; nocase; pcre:"/^\x3d3D7BIT[^\r\n]{20}/Ri"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,28454; reference:cve,2007-5405; classtype:attempted-admin; sid:17559; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Pagemaker Font Name Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.pmd; file_data; content:"Courier|20|New|61 61 61 61 61 61 61 61 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25989; reference:cve,2007-5169; classtype:attempted-user; sid:17553; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Avast Antivirus Engine Remote LHA buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.lzh; file_data; content:"|19 4C 2D 6C 68 30 2D 53 0C 00 00 2C 00 00 00 28 94 28 35 20|"; depth:20; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19903; reference:cve,2006-4626; classtype:attempted-admin; sid:17541; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER ClamAV UPX FileHandling Heap overflow attempt"; flow:to_server,established; content:"|34 66 75 67 34 41 74 41 6E 4E 49 62 67 42 54 4D 30 68 56 47|"; content:"|67 68 44 41 6B 43 43 50 51 6F 47 53 35 51 76 6A 52 6F 4B 33|"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,19381; reference:cve,2006-4018; classtype:attempted-user; sid:17493; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows itss.dll CHM File Handling Heap Corruption attempt"; flow:to_client,established; file_data; content:"|74 03 9E 02 4A 02 9C 01 12 01 8B 00 3E 00 25 00 00 00 02 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17926; reference:cve,2006-2297; classtype:attempted-admin; sid:17490; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER RealNetworks RealPlayer zipped skin file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rjs&file.zip; file_data; content:"|50 4B 03 04 14 00 00 00 08 00 91 98 6E 33 EB 71 F9 B3 1D 00 00 00 00 01 00 00 0B 00 00 00 53 68 75 66 66 6C 65 2E 62 6D 70 73 F2 DD C1 E5 08 04|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15382; reference:cve,2005-2630; classtype:attempted-user; sid:17461; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER BitDefender Internet Security script code execution attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; byte_extract:2,24,name_len,relative,little; content:"<"; within:name_len; distance:16; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0850; classtype:attempted-user; sid:17458; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows download of .lnk file that executes cmd.exe detected"; flow:to_client,established; flowbits:isset,file.lnk; file_data; content:"WINDOWS|5C|system32|5C|cmd|2E|exe"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15069; reference:cve,2005-2122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-049; classtype:attempted-user; sid:17442; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Project Invalid Memory Pointer Code Execution attempt"; flow:to_client,established; file_data; content:"|00 0B 00 00 00 CC E5 1A 00 41 41 41 41 00 00 00 00 03 02 01 22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28607; reference:cve,2008-1088; classtype:attempted-user; sid:17382; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Help Workshop HPJ OPTIONS section buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.hpj; file_data; content:"[OPTIONS]"; content:"HLP"; distance:0; nocase; pcre:"/^\s*HLP\s*\x3d\s*[^\n]{257}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22135; reference:cve,2007-0427; classtype:attempted-user; sid:17366; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Help Workshop CNT Help contents buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.cnt; content:"Content-Type: text/plain"; fast_pattern:only; file_data; pcre:"/^[^\n]{513}/si"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22100; reference:cve,2007-0352; classtype:web-application-attack; sid:17365; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dmg; file_data; content:"LABL"; content:"|00 00 00 00 00 01|"; within:6; distance:2; byte_test:2,>,254,4,relative; isdataat:259; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER NOD32 Anti-Virus ARJ Archive Handling Buffer Overflow attempt"; flow:to_client,established; file_data; content:"|60 EA|"; depth:2; byte_jump:2,0,relative,little; content:"|60 EA|"; within:2; distance:6; byte_test:2,>,256,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14773; reference:cve,2005-2903; classtype:attempted-admin; sid:17356; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ClamAV CHM File Handling Integer Overflow attempt"; flow:to_client,established; file_data; content:"|50 4D 47 4C 4A 0D 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 01 2F 00 00 00 8F FF FF FF 7F 58 48 44 52|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14359; reference:cve,2005-2450; classtype:attempted-user; sid:17352; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Nullsoft Winamp ID3v2 Tag Handling Buffer Overflow attempt"; flow:to_client,established; file_data; content:"ID3"; depth:3; pcre:"/T(PE(1|2)|IT2)/iR"; byte_test:4,>,0x190,0,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14276; reference:cve,2005-2310; classtype:attempted-user; sid:17351; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER CoolPlayer Playlist File Handling Buffer Overflow"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; content:"audio|2F|x-mpegurl"; within:30; fast_pattern; nocase; http_header; file_data; content:"aaaaaaaaaaaaa"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30418; reference:cve,2008-3408; classtype:attempted-user; sid:17309; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER ClamAV libclamav PE file handling integer overflow attempt"; flow:to_client,established; file_data; content:"|4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00|"; isdataat:288,relative; content:"|00 00 2E 70 65 74 69 74 65 00 00 D0 0D 00 00 30 FF FF A3 D1|"; within:20; distance:288; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0318; classtype:attempted-user; sid:17305; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER GNU gzip LZH decompression make_table overflow attempt"; flow:to_client,established; file_data; content:"|1F A0 AB CD FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-4335; reference:url,secunia.com/advisories/21996/; classtype:attempted-user; sid:17289; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Visual Basic for Applications document properties overflow attempt"; flow:to_client,established; file_data; content:"Attribut|00|e VB_Nam|00|e = "; fast_pattern; nocase; content:"|22|ThiAsDocumen|22|t"; within:15; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19414; reference:cve,2006-3649; classtype:attempted-user; sid:17286; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Panda Antivirus ZOO archive decompression buffer overflow attempt"; flow:to_client,established; file_data; content:"|40 29 23 28 00 00 83 08 24 48 B0 A0 C1 83 08 13 2A 5C C8 B0 A1 C3 87 10 23 4A 9C 48 B1 A2 C5 8B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2005-3922; classtype:attempted-user; sid:17281; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt"; flow:to_client,established; content:"Content|2D|Type|3A|"; nocase; http_header; content:"text|2F|html"; within:20; fast_pattern; nocase; http_header; file_data; pcre:"/^(MZ|PK|BZh|BZ|GIF8|BM|IC|PI|CI|CP)/"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-3370; reference:cve,2005-3371; reference:cve,2005-3372; reference:cve,2005-3373; reference:cve,2005-3374; reference:cve,2005-3375; reference:cve,2005-3376; reference:cve,2005-3377; reference:cve,2005-3378; reference:cve,2005-3379; reference:cve,2005-3380; reference:cve,2005-3381; reference:cve,2005-3382; classtype:attempted-user; sid:17276; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Multiple vendor malformed ZIP archive Antivirus detection bypass attempt"; flow:to_client,established; file_data; content:"|13 00 00 00 46 53 43 1B 5B 32 50 4F 43 1B 5B 30 3B 35 39 2E 74 78 74 0B F0 66 66 E1 62 00 01 A3|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12793; reference:url,ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/unfiltered-escape-sequences.txt; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2005-March/032530.html; classtype:attempted-user; sid:17266; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Antivirus ACE file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|2A 2A 41 43 45 2A 2A|"; depth:7; offset:7; content:"|01 80 1C 00 00 00 BE 02 00 00 C5 5A 08 33 20 00 00 00 80 98 92 84 02 03 0A 00 54 45 07 02|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2385; reference:cve,2005-2720; classtype:attempted-user; sid:17244; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ACD Systems ACDSee Products XBM file handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xbm; file_data; content:"|23|define"; content:"|5F|width"; distance:0; pcre:"/\x23define\s*(?=[\S]{57})\S*\x5Fwidth/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37685; classtype:attempted-user; sid:17238; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; fast_pattern:only; content:"XFIR"; nocase; content:"tSAC"; distance:0; nocase; byte_test:2,>,32767,36,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2866; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:17202; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file tSAC tag exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF 00 00|shockwave3d|00 00 01|P3DPR|00 00 01|P|00 00 00 06 00 00 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42668; reference:cve,2010-2875; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:17194; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"39VMpami|18 00 00 00 01 41 41 41 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2872; classtype:attempted-user; sid:17191; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director file pamm record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"pamm"; byte_test:4,>,4294967118,20,relative; content:!"|FF FF FF FF|"; within:4; distance:20; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2868; reference:cve,2010-2869; reference:cve,2010-2880; classtype:attempted-user; sid:17179; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt"; flow:to_client,established; file_data; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; content:"|20 20 EC 21 EA 3A 69 10 A2 DD 08 00 2B 30 30 9D|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2568; reference:cve,2015-0096; reference:cve,2017-8464; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-046; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-020; classtype:attempted-user; sid:17042; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Orbital Viewer .orb stack buffer overflow attempt"; flow:to_client,established; file_data; content:"OrbitalFileV1.0|0D 0A|"; nocase; isdataat:500,relative; content:!"|00|"; within:500; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38436; reference:cve,2010-0688; classtype:attempted-user; sid:16721; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER CA multiple product AV engine CAB header parsing stack overflow attempt"; flow:to_client,established; file_data; content:"MSCF"; depth:4; byte_test:2,=,1,24,relative,little; byte_jump:4,12,relative,post_offset -20,little; pcre:"/^.{16}[^\x00]{256}/sR"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24330; reference:cve,2007-2864; classtype:attempted-user; sid:16719; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave DIR file PAMI chunk code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"XFIR"; depth:4; content:"pami"; distance:0; byte_test:4,>,0x7FFFFFFF,4,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1292; reference:url,secunia.com/advisories/38751/; reference:url,www.adobe.com/support/security/bulletins/apsb10-12.html; classtype:attempted-user; sid:16673; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - npruntime-scriptable-plugin"; flow:to_client,established; content:"application/npruntime-scriptable-plugin|3B|deploymenttoolkit"; nocase; http_header; file_data; content:"-J-jar"; pcre:"/http\x3A\s+-J-jar\s+-J[^\s]+\x2Ejar/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16549; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Free Download Manager .torrent parsing path overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"4:pathl"; nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16520; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Free Download Manager .torrent parsing name overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"4:name"; nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16519; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"8:announce"; nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16518; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"7:comment"; nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16517; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Illustrator DSC comment overflow attempt"; flow:to_client,established; file_data; content:"%!PS-Adobe-"; nocase; content:"EPSF-"; within:10; pcre:"/%[^\x0d\x0a]{1000}/smiR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37192; reference:cve,2009-4195; classtype:attempted-user; sid:16359; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Kaspersky antivirus library heap buffer overflow - without optional fields"; flow:to_client,established; file_data; content:"MSCF"; byte_test:2,&,0x0003,26,relative,little; byte_test:2,!&,0x0004,26,relative,little; pcre:"/^.{32}([^\x00]*\x00)?[^\x00]{256}/sR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14998; reference:cve,2005-3142; classtype:attempted-user; sid:16295; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Multiple vendor AV gateway virus detection bypass attempt"; flow:to_client,established; file_data; content:"<a href=|22|data|3A|application/octet-stream|3B|base64,WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=|22|>"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12269; reference:cve,2005-0218; classtype:misc-attack; sid:16087; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER X.org PCF parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"|01|fcp|08 00 00 00 01 00 00 00 0E 00 00 00 A0 02 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27352; reference:cve,2008-0006; classtype:attempted-user; sid:16070; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Apple Mac OS X installer package filename format string vulnerability"; flow:to_server,established; content:".mpkg"; nocase; http_uri; pcre:"/GET\s+[^\x0D\x0A]*\x25[^\x0D\x0A]*\x2Empkg/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0465; classtype:attempted-admin; sid:16004; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Sophos Anti-Virus zip file handling DoS attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|03 04|"; content:"|0C 00|"; within:2; distance:4; content:"-|00 00 00 F9 00 00 00 05 00 FF FF|"; within:12; distance:8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14270; reference:cve,2005-1530; classtype:attempted-dos; sid:15957; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Vista Feed Headlines Gagdet code execution attempt"; flow:to_client,established; flowbits:isset,file.rss; file_data; content:"&lt|3B|"; fast_pattern; nocase; content:"<title>"; nocase; pcre:"/\x3ctitle\x3e[^\x3c]*\x26lt\x3b[^\x3c]*(>|\x26gt\x3b)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25287; reference:cve,2007-3033; classtype:attempted-user; sid:15946; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER libxml2 file processing long entity overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<!ENTITY"; isdataat:200,relative; pcre:"/^\s+([^\x22\x20\x3E]{200}|[^\s]*\s+\x22[^\x22\x20\x3E]{200})/smR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,31126; reference:cve,2008-3529; classtype:attempted-user; sid:15866; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|00 01 00 00|"; content:"|00 01|"; within:2; distance:2; content:"|00 01 00 00|"; within:100; content:"|00 04|"; within:2; distance:2; byte_test:2,>,0xffc1,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0232; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-029; classtype:attempted-user; sid:15694; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|00 01 00 01 00 12 00 01 00 01 00 00 00 01 FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-029; classtype:attempted-user; sid:15693; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"xsl|3A|stylesheet"; fast_pattern; nocase; content:"crypto|3A|rc4_"; nocase; pcre:"/^(encrypt|decrypt)\x28\x27[^\x27]{129}/smiR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30467; reference:cve,2008-2935; reference:url,attack.mitre.org/techniques/T1220; classtype:attempted-user; sid:14039; rev:20;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft malformed saved search heap corruption attempt"; flow:to_client,established; flowbits:isset,file.search-ms; file_data; content:"type=|22|notCondition|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-1435; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-038; classtype:attempted-admin; sid:13893; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ClamAV MEW PE file integer overflow attempt"; flow:to_client,established; file_data; content:"MZ"; depth:2; content:"PE"; content:"MEW"; content:!"|00|"; within:1; distance:8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26927; reference:cve,2007-6335; classtype:attempted-user; sid:13361; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Visual Basic VBP file reference overflow attempt"; flow:to_client,established; file_data; content:"Reference"; nocase; pcre:"/^Reference\s*=\s*\*\x5CG\{[A-Z\d-]{36}\}\x23\d+\.\d+\x23\d+\x23[^\r\n]{474}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25629; reference:cve,2007-4776; classtype:attempted-user; sid:12618; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER PCRE character class heap buffer overflow attempt"; flow:to_client,established; file_data; content:"RegExp"; content:"[[!!]][[!!]][[!!]]"; within:50; fast_pattern; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25002; reference:cve,2007-3944; classtype:attempted-user; sid:12286; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Download Manger dm.ini stack overflow attempt"; flow:to_client,established; flowbits:isset,file.aom; file_data; content:"<?aom"; nocase; content:"<url>"; isdataat:271; content:!"</url>"; within:271; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,21453; reference:cve,2006-5856; classtype:attempted-user; sid:9637; rev:11;)
# alert tcp $EXTERNAL_NET [80,5190,8090] -> $HOME_NET any (msg:"FILE-OTHER Ultravox-Max-Msg header integer overflow attempt"; flow:to_client,established; content:"Ultravox-Max-Msg|3A|"; nocase; byte_test:10,>,65535,0,relative,string; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20744; reference:cve,2006-5567; reference:url,www.winamp.com/player/version_history.php; classtype:attempted-user; sid:9434; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Sophos Anti-Virus CAB file overflow attempt"; flow:to_client,established; file_data; content:"MSCF"; depth:4; byte_test:2,>,8192,22,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17876; reference:cve,2006-0994; classtype:attempted-admin; sid:6504; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft CAB incorrect version multiple antivirus evasion attempt"; flow:to_server,established; file_data; content:"|4D 53 43 46 00 00 00 00|"; depth:8; content:!"|03 01|"; within:2; distance:16; metadata:service smtp; reference:cve,2012-1455; classtype:misc-attack; sid:34531; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft CAB incorrect version multiple antivirus evasion attempt"; flow:to_client,established; file_data; content:"|4D 53 43 46 00 00 00 00|"; depth:8; content:!"|03 01|"; within:2; distance:16; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1455; classtype:misc-attack; sid:34530; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Flash Player invalid mpd memory corruption attempt"; flow:to_server,established; file_data; content:"urn|3A|mpeg|3A|dash|3A|schema|3A|mpd|3A|2011"; fast_pattern:only; content:"<Period "; content:"start="; content:"duration="; pcre:"/start=[\x22\x27](?P<start>[A-Za-z0-9]+)[\x22\x27][^>]+duration=[\x22\x27](?P=start)[\x22\x27]/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3089; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-admin; sid:34519; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Flash Player invalid mpd memory corruption attempt"; flow:to_client,established; file_data; content:"urn|3A|mpeg|3A|dash|3A|schema|3A|mpd|3A|2011"; fast_pattern:only; content:"<Period "; content:"start="; content:"duration="; pcre:"/start=[\x22\x27](?P<start>[A-Za-z0-9]+)[\x22\x27][^>]+duration=[\x22\x27](?P=start)[\x22\x27]/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3089; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-admin; sid:34518; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"|00 00 00 01|hvcC"; byte_test:4,>,0x01000000,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3078; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34513; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"|00 00 00 01|avcC"; byte_test:4,>,0x01000000,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3078; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34512; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"|00 00 00 01|hvcC"; byte_test:4,>,0x01000000,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3078; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34511; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"|00 00 00 01|avcC"; byte_test:4,>,0x01000000,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3078; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34510; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Font Library file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.fon; file_data; content:"MZ"; depth:2; nocase; byte_test:4,>,50,120,little; metadata:service smtp; reference:cve,2011-2003; reference:url,secunia.com/advisories/46405/; reference:url,www.exploit-db.com/exploits/17978/; reference:url,www.kb.cert.org/vuls/id/619281; classtype:attempted-user; sid:34566; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat font definition memory corruption attempt"; flow:established,to_client; content:"|E9 A5 F8 17 38 61 AA EF|"; content:"|2F|Length3 484 0 R|2F|Length2 503 0 R|2F|Length1 504 0 R"; distance:0; nocase; reference:cve,2011-0594; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18449; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Director file LsCM overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"LsCM"; byte_test:4,>,4294967051,4,relative; metadata:service http; reference:cve,2010-2865; classtype:attempted-user; sid:17201; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Director file lRTX overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"lRTX"; content:"|7F FF FF|"; within:3; distance:8; metadata:service http; reference:cve,2010-2863; classtype:attempted-user; sid:17199; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows device context memory corruption attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|6A 04 8B 45 FC 50 8B 4D F8 51 FF 15 D8 F1 42 00 89 45 F4 8B 45 F4 8B E5 5D C3 CC CC CC CC CC CC|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1724; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-061; classtype:attempted-admin; sid:34787; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows device context memory corruption attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 04 8B 45 FC 50 8B 4D F8 51 FF 15 D8 F1 42 00 89 45 F4 8B 45 F4 8B E5 5D C3 CC CC CC CC CC CC|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1724; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-061; classtype:attempted-admin; sid:34786; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows device context visible region memory corruption attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 00 8D 8D FC FB FF FF 51 E8 ED 07 00 00 83 C4 10 8D 95 FC FB FF FF 52 6A 00 FF 15 D0 31 43 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1725; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-061; classtype:attempted-admin; sid:34781; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows device context visible region memory corruption attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00 00 8D 8D FC FB FF FF 51 E8 ED 07 00 00 83 C4 10 8D 95 FC FB FF FF 52 6A 00 FF 15 D0 31 43 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1725; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-061; classtype:attempted-admin; sid:34780; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro VC1DecDll_SSE3.dll dll-load exploit attempt"; flow:to_server,established; content:"V|00|C|00|1|00|D|00|e|00|c|00|D|00|l|00|l|00|_|00|S|00|S|00|E|00|3|00|.|00|d|00|l|00|l"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34914; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro VC1DecDll_SSE3.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|VC1DecDll_SSE3.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34913; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro VC1DecDll.dll dll-load exploit attempt"; flow:to_server,established; content:"V|00|C|00|1|00|D|00|e|00|c|00|D|00|l|00|l|00|.|00|d|00|l|00|l"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34912; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro VC1DecDll.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|VC1DecDll.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34911; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt"; flow:to_server,established; content:"u|00|v|00|i|00|p|00|l|00|.|00|d|00|l|00|l"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34910; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt"; flow:to_server,established; content:"u|00|i|00|p|00|l|00|.|00|d|00|l|00|l"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34909; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro uhDSPlay.dll dll-load exploit attempt"; flow:to_server,established; content:"u|00|h|00|D|00|S|00|P|00|l|00|a|00|y|00|.|00|d|00|l|00|l"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34908; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro uhDSPlay.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|uhDSPlay.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34907; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro uFioUtil.dll dll-load exploit attempt"; flow:to_server,established; content:"u|00|F|00|i|00|o|00|U|00|t|00|i|00|l|00|.|00|d|00|l|00|l"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34906; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro uFioUtil.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|uFioUtil.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34905; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro MSPStyleLib.dll dll-load exploit attempt"; flow:to_server,established; content:"M|00|S|00|P|00|S|00|t|00|y|00|l|00|e|00|L|00|i|00|b|00|.|00|d|00|l|00|l"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34904; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro MSPStyleLib.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|MSPStyleLib.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34903; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt"; flow:to_server,established; content:"i|00|p|00|l|00|.|00|d|00|l|00|l"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34902; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro igfxcmrt32.dll dll-load exploit attempt"; flow:to_server,established; content:"i|00|g|00|f|00|x|00|c|00|m|00|r|00|t|00|3|00|2|00|.|00|d|00|l|00|l"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34901; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro igfxcmrt32.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|igfxcmrt32.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34900; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro wacommt.dll dll-load exploit attempt"; flow:to_server,established; content:"w|00|a|00|c|00|o|00|m|00|m|00|t|00|.|00|d|00|l|00|l"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34899; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro wacommt.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|wacommt.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34898; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro TD_Mgd_3.08_9.dll dll-load exploit attempt"; flow:to_server,established; content:"T|00|D|00|_|00|M|00|g|00|d|00|_|00|3|00|.|00|0|00|8|00|_|00|9|00|.|00|d|00|l|00|l"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34897; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro TD_Mgd_3.08_9.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|TD_Mgd_3.08_9.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34896; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro FxManagedCommands dll-load exploit attempt"; flow:to_server,established; content:"F|00|x|00|M|00|a|00|n|00|a|00|g|00|e|00|d|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00|s|00|_|00|3|00|.|00|0|00|8|00|_|00|9"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34895; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro FxManagedCommands dll-load exploit attempt"; flow:to_server,established; content:"|2F|FxManagedCommands_3.08_9.tx"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34894; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro quserex.dll dll-load exploit attempt"; flow:to_server,established; content:"q|00|u|00|s|00|e|00|r|00|e|00|x|00|.|00|d|00|l|00|l"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34893; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro quserex.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|quserex.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34892; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro u32Zlib.dll dll-load exploit attempt"; flow:to_server,established; content:"u|00|3|00|2|00|Z|00|L|00|i|00|b|00|.|00|d|00|l|00|l"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34891; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Corel PaintShop Pro u32ZLib.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|u32ZLib.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34890; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt"; flow:to_server,established; file_data; content:"|3C D9 6B 65 8D DE B3 E9 23 2B 7F FD 61 6D B9 D5 1A 3F D3 57 FB 94 E7 AC F1 B3 BB 7C C3 6A F4 4C|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-0897; reference:url,vmware.com/security/advisories/VMSA-2015-0004.html; classtype:attempted-admin; sid:34987; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt"; flow:to_client,established; file_data; content:"|3C D9 6B 65 8D DE B3 E9 23 2B 7F FD 61 6D B9 D5 1A 3F D3 57 FB 94 E7 AC F1 B3 BB 7C C3 6A F4 4C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-0897; reference:url,vmware.com/security/advisories/VMSA-2015-0004.html; classtype:attempted-admin; sid:34986; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt"; flow:to_server,established; file_data; content:"|CA E4 10 01 C5 95 10 01 FF 00 10 10 00 F4 00 00 FF 00 10 10 C5 95 10 01 FF FF 7F FF CA E4 10 01|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-0897; reference:url,vmware.com/security/advisories/VMSA-2015-0004.html; classtype:attempted-admin; sid:34985; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt"; flow:to_client,established; file_data; content:"|CA E4 10 01 C5 95 10 01 FF 00 10 10 00 F4 00 00 FF 00 10 10 C5 95 10 01 FF FF 7F FF CA E4 10 01|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-0897; reference:url,vmware.com/security/advisories/VMSA-2015-0004.html; classtype:attempted-admin; sid:34984; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft proxy autoconfig script system library import attempt"; flow:to_server,established; file_data; content:"FindProxyForURL|28|"; fast_pattern:only; content:"import "; nocase; pcre:"/import\s+[\w\x2f\x2e]+?\x3b/i"; metadata:service smtp; reference:bugtraq,56463; reference:cve,2012-4776; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-074; classtype:policy-violation; sid:35094; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt"; flow:to_server,established; flowbits:isset,file.otf; file_data; content:"|00 01 00 00|"; byte_jump:2,4,relative, post_offset -10; content:"|00 1A 00 36 00 3E 00 46 00 4E 00 56 00 5E 00 66 00 70|"; within:18; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2426; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-078; classtype:attempted-admin; sid:35305; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|00 01 00 00|"; byte_jump:2,4,relative, post_offset -10; content:"|00 1A 00 36 00 3E 00 46 00 4E 00 56 00 5E 00 66 00 70|"; within:18; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2426; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-078; classtype:attempted-admin; sid:35304; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows malformed TTF table hmtx remote code execution attempt"; flow:to_server,established; file_data; content:"|0E 5C 13 09 00 00 19 6C 00 00 00 24 68 6D 74 78 8F DD E1 3A 00 00 19 90 00 00 03 C4 6C 6F 63 61|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2456; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-user; sid:35530; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows malformed TTF table hmtx remote code execution attempt"; flow:to_client,established; file_data; content:"|0E 5C 13 09 00 00 19 6C 00 00 00 24 68 6D 74 78 8F DD E1 3A 00 00 19 90 00 00 03 C4 6C 6F 63 61|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2456; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-user; sid:35529; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt"; flow:to_server,established; file_data; content:"|75 70 70 7B 75 7B 75 25 00 00 00 10 00 9B 00 6C 09 0B 09 00 09 09 09 09 09 09 09 0B 07 07 07 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2463; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-admin; sid:35520; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt"; flow:to_client,established; file_data; content:"|75 70 70 7B 75 7B 75 25 00 00 00 10 00 9B 00 6C 09 0B 09 00 09 09 09 09 09 09 09 0B 07 07 07 07|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2463; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-admin; sid:35519; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows FontView OpenType Font atmfd.dll invalid memory reference attempt"; flow:to_server,established; flowbits:isset,file.otf; file_data; content:"|4E 58 8B 08 58 8B 5F B8 8B E1 08 8B DF AE B6 C7 8B 08 0E F9 0A F7 17 F7 D5 15 EB 8B F7 12 72 8B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2461; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-080; classtype:attempted-admin; sid:35518; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows FontView OpenType Font atmfd.dll invalid memory reference attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|4E 58 8B 08 58 8B 5F B8 8B E1 08 8B DF AE B6 C7 8B 08 0E F9 0A F7 17 F7 D5 15 EB 8B F7 12 72 8B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2461; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-080; classtype:attempted-admin; sid:35517; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt"; flow:to_server,established; flowbits:isset,file.otf; file_data; content:"|E3 F7 0A 07 91 90 8E 8E 8E 89 8F 88 8F 1F 72 A8 83 93 6F A7 76 71 84 83 79 72 08 7A F2 06 8B AB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2459; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-admin; sid:35496; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|E3 F7 0A 07 91 90 8E 8E 8E 89 8F 88 8F 1F 72 A8 83 93 6F A7 76 71 84 83 79 72 08 7A F2 06 8B AB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2459; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-admin; sid:35495; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows GDI DrvQueryFontData function uninitialized glyph data remote code execution attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|F7 15 19 27 58 41 14 16 16 27 37 22 19 01 0A 0D 22 15 63 17 24 1A 0E 1E 1A 2B 63 16 23|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2435; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-user; sid:35492; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows GDI DrvQueryFontData function uninitialized glyph data remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|F7 15 19 27 58 41 14 16 16 27 37 22 19 01 0A 0D 22 15 63 17 24 1A 0E 1E 1A 2B 63 16 23|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2435; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-user; sid:35491; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows OTF file parsing error exploitation attempt"; flow:to_server,established; flowbits:isset,file.otf; file_data; content:"|84 94 85 97 81 A1 A5 93 95 99 A0 08 F0 06 1C 1C BE 0A FC 23 FC AF 15 6F 54 6D 68 56 63 63 6D 69|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2458; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-080; classtype:attempted-user; sid:35490; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows OTF file parsing error exploitation attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|84 94 85 97 81 A1 A5 93 95 99 A0 08 F0 06 1C 1C BE 0A FC 23 FC AF 15 6F 54 6D 68 56 63 63 6D 69|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2458; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-080; classtype:attempted-user; sid:35489; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt"; flow:to_server,established; flowbits:isset,file.otf; file_data; content:"|8E 80 08 9A F7 40 7C 06 88 80 86 83 86 86 08 86 86 83 89 81 1B 67 F8 1E 06 94 8D 93 8F 90 1E 90 90 93 90 97|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2462; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-admin; sid:35486; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|8E 80 08 9A F7 40 7C 06 88 80 86 83 86 86 08 86 86 83 89 81 1B 67 F8 1E 06 94 8D 93 8F 90 1E 90 90 93 90 97|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2462; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-admin; sid:35485; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt"; flow:to_server,established; flowbits:isset,file.otf; file_data; content:"|16 F8 40 F9 48 FC 40 06 B6 FC EB 15 8B F8 8F F7 27 FB 92 05 FB 13 FB C3 15 F7 2B F7 99 F7 2B FB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2432; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-admin; sid:35484; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|16 F8 40 F9 48 FC 40 06 B6 FC EB 15 8B F8 8F F7 27 FB 92 05 FB 13 FB C3 15 F7 2B F7 99 F7 2B FB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2432; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-080; classtype:attempted-admin; sid:35483; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER TAR archive with absolute path detected"; flow:to_server,established; file_data; content:"ustar"; depth:5; offset:257; content:"c:/"; depth:3; nocase; metadata:service smtp; reference:cve,2014-3697; reference:url,talosintel.com/reports/VRT-2014-0205/; classtype:policy-violation; sid:35827; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER TAR archive with absolute path detected"; flow:to_client,established; file_data; content:"ustar"; depth:5; offset:257; content:"c:/"; depth:3; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-3697; reference:url,talosintel.com/reports/VRT-2014-0205/; classtype:policy-violation; sid:35826; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft System.Uri heap corruption attempt"; flow:to_server,established; file_data; content:"%F0%9F%BF%BE%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD"; fast_pattern:only; metadata:service smtp; reference:bugtraq,70351; reference:cve,2015-4021; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-057; classtype:attempted-user; sid:35858; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-OTHER Microsoft System.Uri heap corruption attempt"; flow:to_server,established; file_data; content:"%F0%9F%BF%BE%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD"; fast_pattern:only; metadata:service http; reference:bugtraq,70351; reference:cve,2014-4121; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-057; classtype:attempted-user; sid:35857; rev:3;)
alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Media Center link file code execution attempt"; flow:to_client,established; content:"|FF|SMB|2E 00 00|"; content:"<application"; fast_pattern:only; pcre:"/<application\s[^>]*?(run|url)\s*=\s*[\x22\x27][^\x22\x27]*?\.(lnk|bat|com|exe|cmd|ms[ip]|pif|ws[cfh]?)\s*[\x22\x27]/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:bugtraq,90023; reference:cve,2015-2509; reference:cve,2015-6131; reference:cve,2016-0185; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-100; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-134; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-059; classtype:attempted-user; sid:35983; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Journal file parsing remote code execution attempt"; flow:to_server,established; file_data; content:"|4E 42 2A 00 2E 72 5B 00 01 00 00 00 7B 00 00 00 30 4C 83 01 03 00 00 00 FF FF FF FF 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2513; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-098; classtype:attempted-user; sid:35962; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Journal file parsing remote code execution attempt"; flow:to_client,established; file_data; content:"|4E 42 2A 00 2E 72 5B 00 01 00 00 00 7B 00 00 00 30 4C 83 01 03 00 00 00 FF FF FF FF 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2513; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-098; classtype:attempted-user; sid:35961; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Visual Basic scripting engine Filter argument mishandling attempt"; flow:to_server,established; file_data; content:"Microsoft.XMLHTTP"; fast_pattern:only; content:".open"; content:".send"; within:50; content:".responsebody"; within:50; content:"Filter"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6055; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36442; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Visual Basic scripting engine Filter argument mishandling attempt"; flow:to_client,established; file_data; content:"Microsoft.XMLHTTP"; fast_pattern:only; content:".open"; content:".send"; within:50; content:".responsebody"; within:50; content:"Filter"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6055; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36441; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.corel|file.doc; content:"|DC 01|"; byte_extract:2,0,rowLength,relative,little; content:"|03 00 00 A4|"; within:rowLength; content:"|03 00 00 A4|"; within:rowLength; byte_test:1,>,32,6,relative,little; content:"|01 DC|"; within:rowLength; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1324; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-091; classtype:attempted-user; sid:36501; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.corel|file.doc; content:"|DC 01|"; byte_extract:2,0,rowLength,relative,little; content:"|03 00 00 A4|"; within:rowLength; content:"|03 00 00 A4|"; within:rowLength; byte_test:1,>,32,6,relative,little; content:"|01 DC|"; within:rowLength; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1324; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-091; classtype:attempted-user; sid:36500; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt"; flow:to_server,established; flowbits:isset,file.corel; file_data; content:"|DC 01|"; byte_extract:2,0,rowLength,relative,little; content:"|03 00 00 8E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 8E|"; within:rowLength; byte_test:1,>,32,2,relative,little; content:"|01 DC|"; within:rowLength; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1324; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-091; classtype:attempted-user; sid:36499; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt"; flow:to_client,established; flowbits:isset,file.corel; file_data; content:"|DC 01|"; byte_extract:2,0,rowLength,relative,little; content:"|03 00 00 8E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 8E|"; within:rowLength; byte_test:1,>,32,2,relative,little; content:"|01 DC|"; within:rowLength; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1324; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-091; classtype:attempted-user; sid:36498; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows TrueType font parsing out of bounds write attempt"; flow:to_server,established; file_data; content:"|00 01 00 00|"; depth:4; content:"OS/2"; byte_jump:4,4,relative,from_beginning; content:"|00 01|"; within:2; byte_extract:2,62,first_char_idx,relative; byte_test:2,<,first_char_idx,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6103; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-115; classtype:attempted-user; sid:36750; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows TrueType font parsing out of bounds write attempt"; flow:to_client,established; file_data; content:"|00 01 00 00|"; depth:4; content:"OS/2"; byte_jump:4,4,relative,from_beginning; content:"|00 01|"; within:2; byte_extract:2,62,first_char_idx,relative; byte_test:2,<,first_char_idx,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6103; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-115; classtype:attempted-user; sid:36749; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows malformed TrueType file remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 01 00 00 00 00 E6 66 85 43 27 2E 5F 0F 3C F5 00 01 04 00 00 00 00 00 BB 2B 2C 8F 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6104; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-115; classtype:attempted-user; sid:36737; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows malformed TrueType file remote code execution attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|00 01 00 00 00 00 E6 66 85 43 27 2E 5F 0F 3C F5 00 01 04 00 00 00 00 00 BB 2B 2C 8F 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6104; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-115; classtype:attempted-user; sid:36736; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Journal integer overflow attempt"; flow:to_server,established; file_data; content:"|32 87 70 A2 43 71 34 43 71 35 43 71 36 43 71 37 43 E9 E8 43 71 BF 43 72 30 43 67 0C 0C 72 32 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-114; classtype:attempted-user; sid:36698; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Journal integer overflow attempt"; flow:to_client,established; file_data; content:"|32 87 70 A2 43 71 34 43 71 35 43 71 36 43 71 37 43 E9 E8 43 71 BF 43 72 30 43 67 0C 0C 72 32 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-114; classtype:attempted-user; sid:36697; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Interactive Data eSignal stack buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.esignal; content:"|00|"; depth:1; offset:4; byte_test:1,<,12,0; byte_test:1,>,32,14; byte_extract:1,14,bufferSize; isdataat:!bufferSize,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3494; classtype:attempted-user; sid:36661; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Interactive Data eSignal stack buffer overflow attempt"; flow:to_server,established; content:".sum"; file_data; content:"|00|"; depth:1; offset:4; fast_pattern; byte_test:1,<,12,0; byte_test:1,>,32,14; byte_extract:1,14,bufferSize; isdataat:!bufferSize,relative; metadata:service smtp; reference:cve,2011-3494; classtype:attempted-user; sid:36660; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Interactive Data eSignal stack buffer overflow attempt"; flow:to_server,established; content:".por"; file_data; content:"|00|"; depth:1; offset:4; fast_pattern; byte_test:1,<,12,0; byte_test:1,>,32,14; byte_extract:1,14,bufferSize; isdataat:!bufferSize,relative; metadata:service smtp; reference:cve,2011-3494; classtype:attempted-user; sid:36659; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Interactive Data eSignal stack buffer overflow attempt"; flow:to_server,established; content:".quo"; file_data; content:"|00|"; depth:1; offset:4; fast_pattern; byte_test:1,<,12,0; byte_test:1,>,32,14; byte_extract:1,14,bufferSize; isdataat:!bufferSize,relative; metadata:service smtp; reference:cve,2011-3494; classtype:attempted-user; sid:36658; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-OTHER Microsoft Outlook for Mac EML file http-equiv refresh url attempt"; flow:to_server,established; file_data; content:"http-equiv"; nocase; content:"refresh"; within:25; distance:1; nocase; content:"content"; content:"URL"; within:50; distance:1; nocase; metadata:service smtp; reference:cve,2015-6123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-116; classtype:misc-attack; sid:36767; rev:1;)
# alert tcp any [110,143] -> $HOME_NET any (msg:"FILE-OTHER Microsoft Outlook for Mac EML file http-equiv refresh url attempt"; flow:to_client,established; file_data; content:"http-equiv"; nocase; content:"refresh"; within:25; distance:1; nocase; content:"content"; content:"URL"; within:50; distance:1; nocase; metadata:service imap, service pop3; reference:cve,2015-6123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-116; classtype:misc-attack; sid:36766; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple SceneKit qlmanage setelementname buffer overflow attempt"; flow:to_server,established; file_data; content:"<COLLADA"; fast_pattern:only; content:"<technique profile="; nocase; content:">|0A|"; distance:0; content:"<"; distance:0; isdataat:129,relative; content:!"|2F|>"; within:129; content:"<|2F|technique>"; distance:0; nocase; metadata:service smtp; reference:bugtraq,76340; reference:cve,2015-3783; reference:url,support.apple.com/en-us/HT205031; classtype:attempted-user; sid:36787; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple SceneKit qlmanage setelementname buffer overflow attempt"; flow:to_client,established; file_data; content:"<COLLADA"; fast_pattern:only; content:"<technique profile="; nocase; content:">|0A|"; distance:0; content:"<"; distance:0; isdataat:129,relative; content:!"|2F|>"; within:129; content:"<|2F|technique>"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,76340; reference:cve,2015-3783; reference:url,support.apple.com/en-us/HT205031; classtype:attempted-user; sid:36786; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Wireshark DECT packet dissector overflow attempt"; flow:to_server,established; file_data; content:"|D4 C3 B2 A1 02 00 04 00|"; depth:8; byte_test:4,>,1499,36,little; content:"|FF FF FF FF FF FF 00 00 00 00 00 00 23 23|"; depth:14; offset:40; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,47392; reference:cve,2011-1591; classtype:attempted-user; sid:36855; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER IDEAL Administration IPJ file handling stack overflow attempt"; flow:to_server,established; file_data; content:"|0D 0A|[Group,Export,Yes]|0D 0A|"; depth:22; content:"Computer="; distance:0; pcre:"/^[^\s\x00]{512}/R"; metadata:service smtp; reference:cve,2009-4265; classtype:attempted-user; sid:36854; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"APIE"; within:4; distance:185; metadata:service smtp; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37061; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"APIE"; within:4; distance:185; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37060; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"AAAA"; within:4; distance:185; metadata:service smtp; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37059; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"AAAA"; within:4; distance:185; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37058; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"|29 4C E1 77|"; within:4; distance:185; metadata:service smtp; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37057; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"|29 4C E1 77|"; within:4; distance:185; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37056; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"|23 63 E2 77|"; within:4; distance:185; metadata:service smtp; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37055; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"|23 63 E2 77|"; within:4; distance:185; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37054; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Windows Media Player MCL to HTML information disclosure attempt"; flow:to_server,established; flowbits:isset,file.mcl; file_data; content:"MSXML2.XMLHTTP"; fast_pattern:only; content:".open"; nocase; content:".send"; nocase; content:"file:///"; nocase; metadata:service smtp; reference:cve,2015-6127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-134; classtype:attempted-recon; sid:36973; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Windows Media Player MCL to HTML information disclosure attempt"; flow:to_client,established; flowbits:isset,file.mcl; file_data; content:"MSXML2.XMLHTTP"; fast_pattern:only; content:".open"; nocase; content:".send"; nocase; content:"file:///"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-134; classtype:attempted-recon; sid:36972; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Font Viewer cmap offset integer underflow attempt"; flow:to_server,established; file_data; content:"|16 4D 00 03 00 01 04 10 00 04 00 26 16 5B 00 03 00 01 04 13 00 02 00 12 16 81 00 03 00 01 04 13|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6130; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-130; classtype:attempted-user; sid:36953; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Font Viewer cmap offset integer underflow attempt"; flow:to_client,established; file_data; content:"|16 4D 00 03 00 01 04 10 00 04 00 26 16 5B 00 03 00 01 04 13 00 02 00 12 16 81 00 03 00 01 04 13|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6130; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-130; classtype:attempted-user; sid:36952; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office MScomctl.ocx memory leak attempt"; flow:to_server,established; file_data; content:"C74190B6-8589-11D1-B16A-00C0F0283628"; fast_pattern; nocase; content:"data"; within:50; nocase; content:".mso"; within:50; nocase; metadata:service smtp; reference:cve,2016-0012; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-004; classtype:attempted-user; sid:37282; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office MScomctl.ocx memory leak attempt"; flow:to_client,established; file_data; content:"C74190B6-8589-11D1-B16A-00C0F0283628"; fast_pattern; nocase; content:"data"; within:50; nocase; content:".mso"; within:50; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-0012; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-004; classtype:attempted-user; sid:37281; rev:1;)
# alert tcp $EXTERNAL_NET 1935 -> $HOME_NET any (msg:"FILE-OTHER librtmp invalid pointer dereference attempt"; flow:to_client,established; content:"|03|"; depth:1; content:"|14|"; within:1; distance:6; content:"|02|"; within:1; distance:4; content:"|00|"; within:30; distance:2; content:"|11|"; within:25; distance:8; byte_test:1,&,128,1,relative; byte_test:1,&,128,2,relative; byte_test:1,&,128,3,relative; reference:cve,2015-8271; reference:url,www.talosintel.com/vulnerability-reports; classtype:attempted-user; sid:37407; rev:1;)
# alert tcp $EXTERNAL_NET 1935 -> $HOME_NET any (msg:"FILE-OTHER librtmp invalid pointer dereference attempt"; flow:to_client,established; content:"|03|"; depth:1; content:"|14|"; within:1; distance:6; content:"|02|"; within:1; distance:4; content:"|00|"; within:30; distance:2; content:"|11|"; within:1; distance:8; byte_test:1,&,1,1,relative; isdataat:2,relative; pcre:"/.{3}\w+/R"; byte_test:1,!&,1,0,relative; reference:cve,2015-8270; reference:url,www.talosintel.com/vulnerability-reports; classtype:attempted-dos; sid:37402; rev:1;)
# alert tcp $EXTERNAL_NET 1935 -> $HOME_NET any (msg:"FILE-OTHER librtmp invalid pointer dereference attempt"; flow:to_client,established; content:"|03|"; depth:1; content:"|14|"; within:1; distance:6; content:"|02|"; within:1; distance:4; content:"|00|"; within:30; distance:2; content:"|11|"; within:1; distance:8; byte_test:1,&,1,1,relative; isdataat:!2,relative; reference:cve,2015-8270; reference:url,www.talosintel.com/vulnerability-reports; classtype:attempted-dos; sid:37401; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Flash Player javascript parsing cross site scripting attempt"; flow:to_server,established; file_data; content:"|5C 5C 26|quot|3B|"; fast_pattern:only; content:"sendDataToJS"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0533; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:37442; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Flash Player javascript parsing cross site scripting attempt"; flow:to_client,established; file_data; content:"|5C 5C 26|quot|3B|"; fast_pattern:only; content:"sendDataToJS"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0533; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:37441; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER ReGet Deluxe wjr file buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|ReGetJr"; nocase; content:"SaveTo|3D 22|"; nocase; isdataat:268,relative; content:!"|22|"; within:268; reference:bugtraq,37511; classtype:misc-attack; sid:37524; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Journal CWispTiss use after free attempt"; flow:to_server,established; file_data; content:"|0F 9F FF FF FF B5 C8 00 00 04 8C B8 01 C2 60 C2 C3 7A FE 3A F5 EB 4A AF 5C B9 73 80 00 02 81 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0038; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-013; classtype:attempted-user; sid:37578; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Journal CWispTiss use after free attempt"; flow:to_client,established; file_data; content:"|0F 9F FF FF FF B5 C8 00 00 04 8C B8 01 C2 60 C2 C3 7A FE 3A F5 EB 4A AF 5C B9 73 80 00 02 81 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0038; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-013; classtype:attempted-user; sid:37577; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6502 (msg:"FILE-OTHER CA BrightStor stack buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; offset:2; content:"|26 00|"; depth:23; offset:21; isdataat:1001,relative; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2006-6917; classtype:web-application-attack; sid:37650; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FILE-OTHER Sophos Anti-Virus reserved device name handling vulnerability attempt"; flow:to_server,established; file_data; content:"filename="; pcre:"/filename=(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9]|CLOCK\x24)/iE"; metadata:service ftp, service http, service imap, service pop3; reference:cve,2004-0552; classtype:misc-activity; sid:37649; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office ole object external file loading attempt"; flow:to_server,established; file_data; content:"|46 2D 92 26 20 46 1A A3 89 37 F0 06 EE 3C 82 37 F0 06 E8 C2 BD AE 3C 85 D4 A7 A5 18 42 A2 34 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:37727; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office ole object external file loading attempt"; flow:to_client,established; file_data; content:"|46 2D 92 26 20 46 1A A3 89 37 F0 06 EE 3C 82 37 F0 06 E8 C2 BD AE 3C 85 D4 A7 A5 18 42 A2 34 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:37726; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle Outside-In invalid CRG segment memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jp2; file_data; content:"|FF 63 00 13 40 40 48 48 50 48 48 50 48 48 50 48 48 50 48 48 50 FF 64|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-4517; classtype:attempted-user; sid:37852; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Outside-In invalid CRG segment memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jp2; file_data; content:"|FF 63 00 13 40 40 48 48 50 48 48 50 48 48 50 48 48 50 48 48 50 FF 64|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-4517; classtype:attempted-user; sid:37851; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pui; file_data; content:"styl"; content:"M"; within:1; distance:22; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:37833; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pui; file_data; content:"styl"; content:"M"; within:1; distance:22; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:37832; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pui; file_data; content:"styl"; content:"|10 CE 79 08 B0 5F 06 15 07 C8 31 30 7C 00 E2 09|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:37831; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Poster Software Publish-It buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pui; file_data; content:"styl"; content:"|10 CE 79 08 B0 5F 06 15 07 C8 31 30 7C 00 E2 09|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65366; reference:cve,2014-0980; classtype:attempted-user; sid:37830; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office ole object external file loading attempt"; flow:to_server,established; file_data; content:"|4A 6A 4A 70 49 BA A1 5E 49 45 09 43 4C 8C A1 A5 91 9E A1 99 85 9E A1 9E 61 4C 71 46 62 51 6A 4C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:37825; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office ole object external file loading attempt"; flow:to_client,established; file_data; content:"|4A 6A 4A 70 49 BA A1 5E 49 45 09 43 4C 8C A1 A5 91 9E A1 99 85 9E A1 9E 61 4C 71 46 62 51 6A 4C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:37824; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Kingsoft Writer long font name buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ole|file.doc; file_data; content:"|00 00 FF FF 54 00 69 00 6D 00 65 00 73 00 20 00 4E 00 65 00 77 00 20 00|"; isdataat:80,relative; content:!"|00 00|"; within:80; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,61796; reference:cve,2013-3934; classtype:attempted-user; sid:37800; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Kingsoft Writer long font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ole|file.doc; file_data; content:"|00 00 FF FF 54 00 69 00 6D 00 65 00 73 00 20 00 4E 00 65 00 77 00 20 00|"; isdataat:512,relative; content:!"|00|"; within:512; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,61796; reference:cve,2013-3934; classtype:attempted-user; sid:37799; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Flash Player unsupported video encoding remote code execution attempt"; flow:to_server,established; file_data; content:"|04 70 20 7B E7 8D 01 FF C5 00 F4 B7 E0 83 8E A5 D9 BA D2 26 77 58 86 35 00 00 00 BB 09 00 00 05 00 46 00 00 00 00 00 17 02 00 00 00 00 00 00 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0967; classtype:attempted-user; sid:37779; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Flash Player unsupported video encoding remote code execution attempt"; flow:to_client,established; file_data; content:"|04 70 20 7B E7 8D 01 FF C5 00 F4 B7 E0 83 8E A5 D9 BA D2 26 77 58 86 35 00 00 00 BB 09 00 00 05 00 46 00 00 00 00 00 17 02 00 00 00 00 00 00 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0967; classtype:attempted-user; sid:37778; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle Outside In tag parsing buffer overflow attempt"; flow:to_server,established; file_data; content:"|CB 4A C3 40 14 06 E0 BD E0 3B 84 D9 9B 69 AA 16 91 26 45 10 A1 5B 8D 0F 30 4D 4E 2E 9A B9 30 33|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,www.oracle.com/technetwork/topics/security/cpujan2012-366304.html; classtype:attempted-user; sid:37898; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle Outside In tag parsing buffer overflow attempt"; flow:to_server,established; file_data; content:"|C6 DA 78 6C 67 27 A7 92 1D 97 9D DD A9 73 B6 B6 52 34 05 59 98 50 84 86 17 C9 9E 87 3A 6F 70 FE|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,www.oracle.com/technetwork/topics/security/cpujan2012-366304.html; classtype:attempted-user; sid:37897; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle Outside In tag parsing buffer overflow attempt"; flow:to_server,established; file_data; content:"|01 05 04 04 00 01 FF 63 00 13 40 40 48 48 50 48 48 50 48 48 50 48 48 50 48 48 50 FF 64 00 25 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,www.oracle.com/technetwork/topics/security/cpujan2012-366304.html; classtype:attempted-user; sid:37896; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Outside In tag parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"|CB 4A C3 40 14 06 E0 BD E0 3B 84 D9 9B 69 AA 16 91 26 45 10 A1 5B 8D 0F 30 4D 4E 2E 9A B9 30 33|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.oracle.com/technetwork/topics/security/cpujan2012-366304.html; classtype:attempted-user; sid:37895; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Outside In tag parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"|C6 DA 78 6C 67 27 A7 92 1D 97 9D DD A9 73 B6 B6 52 34 05 59 98 50 84 86 17 C9 9E 87 3A 6F 70 FE|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.oracle.com/technetwork/topics/security/cpujan2012-366304.html; classtype:attempted-user; sid:37894; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle Outside In tag parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"|01 05 04 04 00 01 FF 63 00 13 40 40 48 48 50 48 48 50 48 48 50 48 48 50 48 48 50 FF 64 00 25 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.oracle.com/technetwork/topics/security/cpujan2012-366304.html; classtype:attempted-user; sid:37893; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt"; flow:to_server,established; file_data; content:"|7A B3 F8 10 8B 8B 08 20 BA 05 8B 8B 69 FB C6 57 94 4D 95 93 D3 AC F7 F7 08 E3 F8 59 56 91 FB E9 FB B3 05 F7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0121; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-026; classtype:attempted-user; sid:38064; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt"; flow:to_client,established; file_data; content:"|7A B3 F8 10 8B 8B 08 20 BA 05 8B 8B 69 FB C6 57 94 4D 95 93 D3 AC F7 F7 08 E3 F8 59 56 91 FB E9 FB B3 05 F7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0121; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-026; classtype:attempted-user; sid:38063; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Adobe Acrobat updaternotifications.dll dll-load exploit attempt"; flow:to_server,established; content:"/updaternotifications.dll"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2016-1008; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-09.html; classtype:attempted-user; sid:38172; rev:2;)
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Adobe Acrobat request for updaternotifications.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"u|00|p|00|d|00|a|00|t|00|e|00|r|00|n|00|o|00|t|00|i|00|f|00|i|00|c|00|a|00|t|00|i|00|o|00|n|00|s|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-1008; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-09.html; classtype:attempted-user; sid:38171; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt"; flow:to_server,established; file_data; content:"ArrayBuffer("; content:"DataView("; within:500; content:"0xFFFFFFFF"; within:200; content:".setUint32("; within:500; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-002; classtype:attempted-user; sid:38318; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt"; flow:to_client,established; file_data; content:"ArrayBuffer("; content:"DataView("; within:500; content:"0xFFFFFFFF"; within:200; content:".setUint32("; within:500; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-002; classtype:attempted-user; sid:38317; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows win32k.sys glyph bitmap boundary out of bounds memory access attempt"; flow:to_server,established; file_data; content:"|33 15 23 33 35 23 01 01 01 01 0A 0A 0A 00 00 00 00 01 00 00 00 01 00 00 55 56 E6 2C 5F 0F 3C F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0145; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-039; classtype:attempted-admin; sid:38494; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows win32k.sys glyph bitmap boundary out of bounds memory access attempt"; flow:to_client,established; file_data; content:"|33 15 23 33 35 23 01 01 01 01 0A 0A 0A 00 00 00 00 01 00 00 00 01 00 00 55 56 E6 2C 5F 0F 3C F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0145; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-039; classtype:attempted-admin; sid:38493; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-OTHER ABC file instruction field parsing exploitation attempt"; flow:established,to_server; file_data; content:"MIDI gchord"; nocase; content:"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"; within:90; metadata:service smtp; reference:cve,2013-4234; reference:url,blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/; classtype:attempted-user; sid:38572; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-OTHER ABC file instruction field parsing exploitation attempt"; flow:established,to_server; file_data; content:"MIDI drum"; nocase; content:"ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"; within:90; metadata:service smtp; reference:cve,2013-4234; reference:url,blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/; classtype:attempted-user; sid:38571; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ABC file instruction field parsing exploitation attempt"; flow:established,to_client; file_data; content:"MIDI gchord"; nocase; content:"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"; within:90; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-4234; reference:url,blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/; classtype:attempted-user; sid:38570; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ABC file instruction field parsing exploitation attempt"; flow:established,to_client; file_data; content:"MIDI drum"; nocase; content:"ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"; within:90; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-4234; reference:url,blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/; classtype:attempted-user; sid:38569; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER GDCM DICOM image integer overflow attempt"; flow:to_server,established; file_data; content:"DICM"; depth:4; offset:128; content:"|FF F7 00 11 08 06 92 0D 14 03 01 11 00 02 11 00 03 11 00 FF E8 00 07 6D 72 66 78 01 FF DA 00 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8396; classtype:attempted-user; sid:38624; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER GDCM DICOM image integer overflow attempt"; flow:to_client,established; file_data; content:"DICM"; depth:4; offset:128; content:"|FF F7 00 11 08 06 92 0D 14 03 01 11 00 02 11 00 03 11 00 FF E8 00 07 6D 72 66 78 01 FF DA 00 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8396; classtype:attempted-user; sid:38623; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office ole object external file loading attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|09 00 03 9A D1 3E 54 BF C8 3E 54 55 78 04 00 ED 03 64 00 BB 70 5E F0 C1 C2 8D 52 0F 19 D0 80 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4114; reference:cve,2014-6352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:38742; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows gdi32 malformed EMF file ExtEscape buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|6A 00 00 00|"; byte_extract:4,0,rec_size,relative,little; byte_test:4,>,rec_size,8,relative,little; byte_test:4,>,65000,8,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0170; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-055; classtype:attempted-user; sid:38817; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows gdi32 malformed EMF file ExtEscape buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|6A 00 00 00|"; byte_extract:4,0,rec_size,relative,little; byte_test:4,>,rec_size,8,relative,little; byte_test:4,>,65000,8,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0170; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-055; classtype:attempted-user; sid:38816; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Media Center link file code execution attempt"; flow:to_server,established; file_data; content:"<application"; fast_pattern:only; pcre:"/<application\s[^>]*?\s(run|url)\s*=\s*[\x22\x27][^\x22\x27]*?\.(lnk|bat|com|exe|cmd|ms[ip]|pif|ws[cfh]?)\s*[\x22\x27]/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,90023; reference:cve,2015-2509; reference:cve,2015-6131; reference:cve,2016-0185; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-100; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-134; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-059; classtype:attempted-user; sid:38779; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Media Center link file code execution attempt"; flow:to_client,established; file_data; content:"<application"; fast_pattern:only; pcre:"/<application\s[^>]*?\s(run|url)\s*=\s*[\x22\x27][^\x22\x27]*?\.(lnk|bat|com|exe|cmd|ms[ip]|pif|ws[cfh]?)\s*[\x22\x27]/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,90023; reference:cve,2015-2509; reference:cve,2015-6131; reference:cve,2016-0185; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-100; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-134; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-059; classtype:attempted-user; sid:38778; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt"; flow:to_server,established; content:"aires.dll"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2010-3152; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:38898; rev:3;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Adobe Illustrator CS4 request for aires.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"a|00|i|00|r|00|e|00|s|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2010-3152; classtype:attempted-user; sid:38897; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; flowbits:isnotset,file.jpeg; file_data; content:"|01 12|"; content:!"|00 03|"; within:2; content:"|00 00 00 01|"; within:4; distance:2; byte_test:2,<,533,4,relative,big; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1080; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38957; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; flowbits:isnotset,file.jpeg; file_data; content:"|01 12|"; content:!"|00 03|"; within:2; content:"|00 00 00 01|"; within:4; distance:2; byte_test:2,<,533,4,relative,big; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1080; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38956; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; flowbits:isnotset,file.jpeg; file_data; content:"|12 01|"; content:!"|03 00|"; within:2; content:"|01 00 00 00|"; within:4; distance:2; byte_test:2,<,533,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1080; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38955; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; flowbits:isnotset,file.jpeg; file_data; content:"|12 01|"; content:!"|03 00|"; within:2; content:"|01 00 00 00|"; within:4; distance:2; byte_test:2,<,533,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1080; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38954; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.otf; file_data; content:"CFF|20|"; content:"|01 00 04 04|"; content:"|00 01 04 00 00 00 01|"; distance:10; byte_extract:4,0,dictsize,relative; content:!"|04 00 00|"; within:8; distance:dictsize; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-074; classtype:attempted-admin; sid:39261; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"CFF|20|"; content:"|01 00 04 04|"; content:"|00 01 04 00 00 00 01|"; distance:10; byte_extract:4,0,dictsize,relative; content:!"|04 00 00|"; within:8; distance:dictsize; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-074; classtype:attempted-user; sid:39260; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Flash Player malformed JPEG XR heap overflow attempt"; flow:to_server,established; flowbits:isset,file.atf; file_data; content:"|81 E0 00 00 80 08 60 01 08 00 40 00 00 00 00 27 27 3A 10 A1 04 14 26 00 00 01 00 92 C2 C2 C2 C2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4136; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39278; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Flash Player malformed JPEG XR heap overflow attempt"; flow:to_client,established; flowbits:isset,file.atf; file_data; content:"|81 E0 00 00 80 08 60 01 08 00 40 00 00 00 00 27 27 3A 10 A1 04 14 26 00 00 01 00 92 C2 C2 C2 C2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4136; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; classtype:attempted-user; sid:39277; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Symantec TNEF decoder integer overflow attempt"; flow:to_server,established; flowbits:isset,file.tnef; file_data; content:"|78 9F 3E 22|"; depth:4; content:"|20 80 03 00 0E 00 00 00|"; distance:0; byte_test:2,>,6,12,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3645; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20160628_00; classtype:attempted-admin; sid:39432; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Symantec TNEF decoder integer overflow attempt"; flow:to_client,established; flowbits:isset,file.tnef; file_data; content:"|78 9F 3E 22|"; depth:4; content:"|20 80 03 00 0E 00 00 00|"; distance:0; byte_test:2,>,6,12,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3645; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20160628_00; classtype:attempted-admin; sid:39431; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt"; flow:to_server,established; stream_size:client,<,20000; file_data; content:"PK|03 04|"; byte_test:4,>,0,18,relative,little; byte_test:4,<,429496729,18,relative,little; byte_extract:4,18,unCompSize,relative,multiplier 10,little; byte_test:4,>,unCompSize,-8,relative,little; content:"|08 00|"; within:2; distance:-18; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3646; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=821; classtype:attempted-user; sid:39403; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt"; flow:to_client,established; file_data; stream_size:server,<,10000; content:"PK|03 04|"; byte_test:4,>,0,18,relative,little; byte_test:4,<,429496729,18,relative,little; byte_extract:4,18,unCompSize,relative,multiplier 10,little; byte_test:4,>,unCompSize,-8,relative,little; content:"|08 00|"; within:2; distance:-18; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3646; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=821; classtype:attempted-user; sid:39402; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt"; flow:to_server,established; file_data; content:"|FF C5 88 65 54 32 26 78 66 46 87 C9 20 49 00 81 0B 82 5C 26 12 89 54 54 12 F5 4B 2A 08 A8 22 28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-2207; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=810; classtype:attempted-user; sid:39386; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt"; flow:to_client,established; file_data; content:"|FF C5 88 65 54 32 26 78 66 46 87 C9 20 49 00 81 0B 82 5C 26 12 89 54 54 12 F5 4B 2A 08 A8 22 28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-2207; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=810; classtype:attempted-user; sid:39385; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER VideoCharge buffer overflow SEH attempt"; flow:to_server,established; file_data; content:"<Value"; nocase; content:"value=|22|"; within:50; nocase; isdataat:500; content:!"|22|"; within:500; metadata:service smtp; reference:cve,2013-6935; reference:url,exploit-db.com/exploits/37813; classtype:attempted-admin; sid:39736; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER VideoCharge buffer overflow SEH attempt"; flow:to_client,established; file_data; content:"<Value"; nocase; content:"value=|22|"; within:50; nocase; isdataat:500; content:!"|22|"; within:500; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-6935; reference:url,exploit-db.com/exploits/37813; classtype:attempted-admin; sid:39735; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Ubisoft Heroes of Might and Magic III .h3m map file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.h3m; file_data; content:"|B1 EA 43 00 0F 0C 58 00 00 E2 5C 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,exploit-db.com/exploits/37737/; classtype:attempted-admin; sid:39781; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Ubisoft Heroes of Might and Magic III .h3m map file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.h3m; file_data; content:"|87 FF 4E 00 D4 97 44 00 30 64 6A 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,exploit-db.com/exploits/37737/; classtype:attempted-admin; sid:39780; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Ubisoft Heroes of Might and Magic III .h3m map file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.h3m; file_data; content:"|0F 0C 58 00 48 6A 45 00 30 68 6A 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,exploit-db.com/exploits/37737/; classtype:attempted-admin; sid:39779; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000 SIZ marker attempt"; flow:to_server,established; file_data; content:"stream|0A|"; content:"jp2c|FF 4F FF 51|"; distance:0; byte_extract:2,0,csiz,relative; content:"|FF 90|"; distance:0; content:"|FF 51|"; within:400; distance:10; byte_test:2,>,csiz,0,relative; pcre:"/\xff\x90.{10}((?!\xff\x93).){0,400}\xff\x51/sm"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-3319; reference:url,talosintel.com/reports/TALOS-2016-0170/; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-102; classtype:attempted-user; sid:39874; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000 SIZ marker attempt"; flow:to_client,established; file_data; content:"stream|0A|"; content:"jp2c|FF 4F FF 51|"; distance:0; byte_extract:2,0,csiz,relative; content:"|FF 90|"; distance:0; content:"|FF 51|"; within:400; distance:10; byte_test:2,>,csiz,0,relative; pcre:"/\xff\x90.{10}((?!\xff\x93).){0,400}\xff\x51/sm"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3319; reference:url,talosintel.com/reports/TALOS-2016-0170/; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-102; classtype:attempted-user; sid:39873; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows malformed TrueType file RCVT out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|02 B5 02 CC 00 00 02 E3 FF FF FF E4 FF 86 FF CF FF B6 00 2D 00 2D 00 60 00 A1 00 CD 01 2B 01 1B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3209; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-120; classtype:attempted-user; sid:40409; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows malformed TrueType file RCVT out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|02 B5 02 CC 00 00 02 E3 FF FF FF E4 FF 86 FF CF FF B6 00 2D 00 2D 00 60 00 A1 00 CD 01 2B 01 1B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3209; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-120; classtype:attempted-user; sid:40408; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|dppolygon|5C|dppolygon"; content:"|5C|dppolycount"; within:200; content:"|5C|dprect"; within:200; content:"|5C|dprect"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-022; classtype:attempted-user; sid:40728; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dppolygon|5C|dppolygon"; content:"|5C|dppolycount"; within:200; content:"|5C|dprect"; within:200; content:"|5C|dprect"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-022; classtype:attempted-user; sid:40727; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows OTF cmap table parsing integer overflow attempt"; flow:to_server,established; flowbits:isset,file.otf; file_data; content:"cmap"; fast_pattern; byte_jump:4,4,relative,post_offset 4,from_beginning; content:"|00 04 00 03|"; within:4; byte_test:1,&,0x80,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7210; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-132; classtype:attempted-admin; sid:40706; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows OTF cmap table parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"cmap"; fast_pattern; byte_jump:4,4,relative,post_offset 4,from_beginning; content:"|00 04 00 03|"; within:4; byte_test:1,&,0x80,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7210; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-132; classtype:attempted-admin; sid:40705; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt"; flow:to_server,established; file_data; content:"|F0 13 00 00 68 13 00 00 00 00 00 00 00 00 00 00 07 F0 FD C1 88 00 00 00 00 00 20 01 40 9C 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3332; reference:cve,2016-3333; reference:cve,2016-3334; reference:cve,2016-3335; reference:cve,2016-3338; reference:cve,2016-3342; reference:cve,2018-0846; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0846; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-134; classtype:attempted-user; sid:40692; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt"; flow:to_client,established; file_data; content:"|F0 13 00 00 68 13 00 00 00 00 00 00 00 00 00 00 07 F0 FD C1 88 00 00 00 00 00 20 01 40 9C 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3332; reference:cve,2016-3333; reference:cve,2016-3334; reference:cve,2016-3335; reference:cve,2016-3338; reference:cve,2016-3342; reference:cve,2018-0846; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0846; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-134; classtype:attempted-user; sid:40691; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt"; flow:to_server,established; file_data; content:"|F0 13 00 00 68 13 00 00 00 00 00 00 00 00 00 00 07 F0 FD C1 88 00 00 00 00 00 00 01 40 9C 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0026; reference:cve,2016-7184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-134; classtype:attempted-user; sid:40690; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt"; flow:to_client,established; file_data; content:"|F0 13 00 00 68 13 00 00 00 00 00 00 00 00 00 00 07 F0 FD C1 88 00 00 00 00 00 00 01 40 9C 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0026; reference:cve,2016-7184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-134; classtype:attempted-user; sid:40689; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt"; flow:to_server,established; flowbits:isset,file.otf; file_data; content:"CFF|20|"; fast_pattern; byte_jump:4,4,relative,from_beginning; content:"|01 00 04|"; within:3; content:"|00 01 02|"; within:3; distance:1; byte_test:2,>,25000,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7256; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-132; classtype:attempted-admin; sid:40730; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"CFF|20|"; fast_pattern; byte_jump:4,4,relative,from_beginning; content:"|01 00 04|"; within:3; content:"|00 01 02|"; within:3; distance:1; byte_test:2,>,25000,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7256; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-132; classtype:attempted-admin; sid:40729; rev:3;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office ole object external file loading attempt"; flow:to_client,established; content:"|FF|SMB"; content:".inf"; within:100; nocase; content:"Version"; within:100; content:"Signature"; within:20; pcre:"/Signature.{0,2}=.?"?\$(Chicago|Windows (NT|95))\$"?/i"; content:"HKLM,Software|5C|Microsoft|5C|Windows|5C|CurrentVersion|5C|RunOnce,Install"; within:400; metadata:impact_flag red, policy max-detect-ips drop; reference:cve,2014-4114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:40885; rev:1;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office ole object external file loading attempt"; flow:to_client,established; content:"|FE|SMB@"; content:".inf"; within:100; nocase; content:"Version"; within:100; content:"Signature"; within:20; pcre:"/Signature.{0,2}=.?"?\$(Chicago|Windows (NT|95))\$"?/i"; content:"HKLM,Software|5C|Microsoft|5C|Windows|5C|CurrentVersion|5C|RunOnce,Install"; within:400; metadata:policy max-detect-ips drop; reference:cve,2014-4114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-060; classtype:attempted-admin; sid:40884; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Internet Explorer malformed ico integer overflow attempt"; flow:to_server,established; flowbits:isset,file.ico; file_data; content:"|00 00 01 00 FF FF|"; depth:6; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7272; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-146; classtype:attempted-admin; sid:40983; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Internet Explorer malformed ico integer overflow attempt"; flow:to_client,established; flowbits:isset,file.ico; file_data; content:"|00 00 01 00 FF FF|"; depth:6; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7272; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-146; classtype:attempted-admin; sid:40982; rev:2;)
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"FILE-OTHER Microsoft Office OLE DLL side load attempt"; flow:to_server,established; content:"mstr2tsc.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-7275; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-148; classtype:attempted-user; sid:40962; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Microsoft Office OLE DLL side load attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"m|00|s|00|t|00|r|00|2|00|t|00|s|00|c|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x1B\x00|\x00\x5C)\x00m\x00s\x00t\x00r\x002\x00t\x00s\x00c\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:service netbios-ssn; reference:cve,2016-7275; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-148; classtype:attempted-user; sid:40961; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.ttf; content:"|00 00 00 05 00 00|"; content:"|00 0E 00 00|"; within:1000; byte_test:4,<,0x19,13,relative; byte_test:4,>,0x14,13,relative; byte_jump:4,13,relative,post_offset -21; byte_test:4,>,0x33333333,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7274; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-147; classtype:attempted-user; sid:40943; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.ttf; content:"|00 00 00 05 00 00|"; content:"|00 0E 00 00|"; within:1000; byte_test:4,<,0x19,13,relative; byte_test:4,>,0x14,13,relative; byte_jump:4,13,relative,post_offset -21; byte_test:4,>,0x33333333,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7274; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-147; classtype:attempted-user; sid:40942; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER LexMark Perceptive Document Filters BZIP2 convert out of bounds write attempt"; flow:to_server, established; file_data; content:"|1F 9D 90 01 03 0A 0C 48 B0 84 C1 83 08 13 2A 5C C8 B0 A1 C1 87 10 23 4A 9C 48 B1 A2 A3 1F 1F 1F|"; depth:32; metadata:service smtp; reference:cve,2016-4336; reference:url,www.talosintelligence.com/reports/TALOS-2016-0173/; classtype:attempted-user; sid:41484; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER LexMark Perceptive Document Filters BZIP2 convert out of bounds write attempt"; flow:to_client, established; file_data; content:"|1F 9D 90 01 03 0A 0C 48 B0 84 C1 83 08 13 2A 5C C8 B0 A1 C1 87 10 23 4A 9C 48 B1 A2 A3 1F 1F 1F|"; depth:32; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4336; reference:url,www.talosintelligence.com/reports/TALOS-2016-0173/; classtype:attempted-user; sid:41483; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt"; flow:to_server,established; file_data; content:"|80 A8 55 75 6C 43 00 00 80 A8 00 54 EC 44 56 75 6C 43 00 54 EC 44 56 75 6C 43 55 75 6C 43 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5098; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:41636; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt"; flow:to_client,established; file_data; content:"|80 A8 55 75 6C 43 00 00 80 A8 00 54 EC 44 56 75 6C 43 00 54 EC 44 56 75 6C 43 55 75 6C 43 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5098; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:41635; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Flash Player mp4 h264 decompression routine out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"dinf"; content:"dref|00 00 00 00|"; within:8; distance:4; fast_pattern; byte_test:4,>,0x100000,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2990; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41632; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Flash Player mp4 h264 decompression routine out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"dinf"; content:"dref|00 00 00 00|"; within:8; distance:4; fast_pattern; byte_test:4,>,0x100000,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2990; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41631; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt"; flow:to_server,established; file_data; content:"|00 00 00 0C 41 9E 31 B5 10 55 FF 1C 6F B8 E7 A0 00 00 00 10 41 02 C9 E3 1B 51 05 5F 43 BF 4D A3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2984; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41618; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt"; flow:to_client,established; file_data; content:"|00 00 00 0C 41 9E 31 B5 10 55 FF 1C 6F B8 E7 A0 00 00 00 10 41 02 C9 E3 1B 51 05 5F 43 BF 4D A3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2984; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41617; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt"; flow:to_server,established; file_data; content:"|00 00 00 07 41 9A 54 07 78 07 FE 00 00 0D AC 41 88 98 23 FF E1 0F 08 E8 90 00 10 91 F2 D6 75 FA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2984; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41616; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt"; flow:to_client,established; file_data; content:"|00 00 00 07 41 9A 54 07 78 07 FE 00 00 0D AC 41 88 98 23 FF E1 0F 08 E8 90 00 10 91 F2 D6 75 FA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2984; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41615; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt"; flow:to_server,established; file_data; content:"|00 00 00 15 06 0E 11 03 87 F4 4E CD 0A 4B DC A1 94 3A C3 D4 9B 17 1F 00 80 00 00 00 CB 21 E2 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2984; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41614; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt"; flow:to_client,established; file_data; content:"|00 00 00 15 06 0E 11 03 87 F4 4E CD 0A 4B DC A1 94 3A C3 D4 9B 17 1F 00 80 00 00 00 CB 21 E2 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2984; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41613; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Flash Player h264 decoder luminance adjustment out of bounds memory access attempt"; flow:to_server,established; file_data; content:"|02 29 01 9E 08 0A 54 84 BF DB A9 1C 06 BE 2A 49 67 7B 0D 86 B0 B3 B2 70 4B 4B 36 FC B6 3D 08 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2991; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41612; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Flash Player h264 decoder luminance adjustment out of bounds memory access attempt"; flow:to_client,established; file_data; content:"|02 29 01 9E 08 0A 54 84 BF DB A9 1C 06 BE 2A 49 67 7B 0D 86 B0 B3 B2 70 4B 4B 36 FC B6 3D 08 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2991; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-005; classtype:attempted-user; sid:41611; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpcallout"; content:"|5C|dppoly"; within:50; content:"|5C|dppolycount"; within:100; content:"|5C|dp"; within:100; content:"|5C|dp"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-022; classtype:attempted-user; sid:41792; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpcallout"; content:"|5C|dppoly"; within:50; content:"|5C|dppolycount"; within:100; content:"|5C|dp"; within:100; content:"|5C|dp"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-022; classtype:attempted-user; sid:41791; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows TTF file out of bounds access attempt"; flow:to_server,established; file_data; content:"|00 0E 00 0D FF FC 00 0F 00 0D FF FC 00 10 00 0E DF FC 00 11 04 0F FF FB 00 12 00 0F FE FB 00 13|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0083; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-011; classtype:attempted-admin; sid:41992; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows TTF file out of bounds access attempt"; flow:to_client,established; file_data; content:"|00 0E 00 0D FF FC 00 0F 00 0D FF FC 00 10 00 0E DF FC 00 11 04 0F FF FB 00 12 00 0F FE FB 00 13|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0083; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-011; classtype:attempted-admin; sid:41991; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt"; flow:to_server,established; file_data; content:"|D0 93 D0 9B D0 A3 D0 E6 D1 47 D1 B7 D1 DD D1 FC 00 01 00 00 03 CD 02 05 00 12 00 62 00 09 37 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-011; classtype:attempted-admin; sid:41935; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt"; flow:to_client,established; file_data; content:"|D0 93 D0 9B D0 A3 D0 E6 D1 47 D1 B7 D1 DD D1 FC 00 01 00 00 03 CD 02 05 00 12 00 62 00 09 37 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-011; classtype:attempted-admin; sid:41934; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt"; flow:to_server,established; file_data; content:"|25 24 08 18 06 2F 26 ED ED 02 0C 4C 8B 43 3B 14 11 92 44 3A 37 22 25 71 1B 0C 26 2F 00 01 00 0F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-013; classtype:attempted-admin; sid:41933; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt"; flow:to_client,established; file_data; content:"|25 24 08 18 06 2F 26 ED ED 02 0C 4C 8B 43 3B 14 11 92 44 3A 37 22 25 71 1B 0C 26 2F 00 01 00 0F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-013; classtype:attempted-admin; sid:41932; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Notepad++ scilexer.dll dll-load exploit attempt"; flow:to_server,established; content:"/scilexer.dll"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,notepad-plus-plus.org/news/notepad-7.3.3-fix-cia-hacking-issue.html; classtype:attempted-user; sid:41925; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Notepad++ request for scilexer.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"s|00|c|00|i|00|l|00|e|00|x|00|e|00|r|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x1B\x00|\x00\x5C)\x00s\x00c\x00i\x00l\x00e\x00x\x00e\x00r\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:service netbios-ssn; reference:url,notepad-plus-plus.org/news/notepad-7.3.3-fix-cia-hacking-issue.html; classtype:attempted-user; sid:41924; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple GarageBand out of bounds write attempt"; flow:to_server,established; file_data; content:"|00 00 00 00|qeSM"; content:"|FF FF FF FF FF FF FF FF 02 00 00 00 01 00|"; within:14; distance:10; byte_test:2,>,0x1000,24,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2374; reference:url,www.talosintelligence.com/reports/TALOS-2017-0275; classtype:attempted-user; sid:41448; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple GarageBand out of bounds write attempt"; flow:to_client,established; file_data; content:"|00 00 00 00|qeSM"; content:"|FF FF FF FF FF FF FF FF 02 00 00 00 01 00|"; within:14; distance:10; byte_test:2,>,0x1000,24,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2374; reference:url,www.talosintelligence.com/reports/TALOS-2017-0275; classtype:attempted-user; sid:41447; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER National Instruments LabVIEW LvVarientUnflatten remote code execution attempt"; flow:to_server,established; file_data; content:"RSRC"; depth:4; content:"goodSyntaxTargets"; isdataat:26,relative; content:!"|FF FF FF FF|"; within:4; distance:22; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2775; reference:url,www.talosintelligence.com/reports/TALOS-2017-0269/; classtype:attempted-user; sid:41371; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER National Instruments LabVIEW LvVarientUnflatten remote code execution attempt"; flow:to_client,established; file_data; content:"RSRC"; depth:4; content:"goodSyntaxTargets"; isdataat:26,relative; content:!"|FF FF FF FF|"; within:4; distance:22; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2775; reference:url,www.talosintelligence.com/reports/TALOS-2017-0269/; classtype:attempted-user; sid:41370; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple Garageband .band file out of bounds write attempt"; flow:to_server,established; file_data; content:"|00 0A 00 00 00 01 00 00 00 00 00 00 00 18 FF FF 74 72 53 63 74 78 7C 7C 7C 52 65 70 65 61 74 20|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2372; reference:url,www.talosintelligence.com/reports/TALOS-2017-0262; classtype:attempted-user; sid:41351; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple Garageband .band file out of bounds write attempt"; flow:to_client,established; file_data; content:"|00 0A 00 00 00 01 00 00 00 00 00 00 00 18 FF FF 74 72 53 63 74 78 7C 7C 7C 52 65 70 65 61 74 20|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2372; reference:url,www.talosintelligence.com/reports/TALOS-2017-0262; classtype:attempted-user; sid:41350; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER R Project PDF encoding buffer overflow attempt"; flow:to_server,established; file_data; content:"write|28|data"; content:"pdf|28|encoding"; fast_pattern:only; metadata:service smtp; reference:cve,2016-8714; reference:url,www.talosintelligence.com/reports/TALOS-2016-0227; reference:url,www.talosintelligence.com/reports/talos-2016-0227; classtype:attempted-user; sid:40895; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER R Project PDF encoding buffer overflow attempt"; flow:to_client,established; file_data; content:"write|28|data"; content:"pdf|28|encoding"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-8714; reference:url,www.talosintelligence.com/reports/TALOS-2016-0227; reference:url,www.talosintelligence.com/reports/talos-2016-0227; classtype:attempted-user; sid:40894; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER HDF5 new object modification time out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.hdf; file_data; content:"|12 00 08 00 40 00 00 00|"; content:"|00 00 00|"; within:3; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4332; reference:url,www.talosintelligence.com/reports/TALOS-2016-0178/; classtype:attempted-user; sid:40810; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER HDF5 new object modification time out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.hdf; file_data; content:"|12 00 08 00 40 00 00 00|"; content:"|00 00 00|"; within:3; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4332; reference:url,www.talosintelligence.com/reports/TALOS-2016-0178/; classtype:attempted-user; sid:40809; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER HDF5 symbol table message out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.hdf; file_data; content:"|89|HDF|0D 0A 1A 0A|"; depth:8; fast_pattern; content:"|11 00 10 00 40 00 00 00|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4332; reference:url,www.talosintelligence.com/reports/TALOS-2016-0178/; classtype:attempted-user; sid:40808; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER HDF5 symbol table message out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.hdf; file_data; content:"|89|HDF|0D 0A 1A 0A|"; depth:8; fast_pattern; content:"|11 00 10 00 40 00 00 00|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4332; reference:url,www.talosintelligence.com/reports/TALOS-2016-0178/; classtype:attempted-user; sid:40807; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER HDF5 object modification time out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.hdf; file_data; content:"|89|HDF|0D 0A 1A 0A|"; depth:8; fast_pattern; content:"|0E 00 10 00 40 00 00 00|"; content:"|00 00|"; within:2; distance:14; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4332; reference:url,www.talosintelligence.com/reports/TALOS-2016-0178/; classtype:attempted-user; sid:40806; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER HDF5 object modification time out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.hdf; file_data; content:"|89|HDF|0D 0A 1A 0A|"; depth:8; fast_pattern; content:"|0E 00 10 00 40 00 00 00|"; content:"|00 00|"; within:2; distance:14; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4332; reference:url,www.talosintelligence.com/reports/TALOS-2016-0178/; classtype:attempted-user; sid:40805; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER HDF5 H5O_dtype_decode_helper heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.hdf; file_data; content:"|89|HDF|0D 0A 1A 0A|"; depth:8; content:"|01 00|"; distance:0; content:"|00 00 00|"; within:3; distance:3; content:"|00 00 00 00 00|"; within:5; distance:3; content:"|01 00 00 00 16|"; within:5; distance:4; fast_pattern; byte_extract:2,0,dimensionality,little,relative; byte_test:4,>,dimensionality,17,little,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4333; reference:url,www.talosintelligence.com/reports/TALOS-2016-0179; classtype:attempted-user; sid:40804; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER HDF5 H5O_dtype_decode_helper heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.hdf; file_data; content:"|89|HDF|0D 0A 1A 0A|"; depth:8; content:"|01 00|"; distance:0; content:"|00 00 00|"; within:3; distance:3; content:"|00 00 00 00 00|"; within:5; distance:3; content:"|01 00 00 00 16|"; within:5; distance:4; fast_pattern; byte_extract:2,0,dimensionality,little,relative; byte_test:4,>,dimensionality,17,little,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4333; reference:url,www.talosintelligence.com/reports/TALOS-2016-0179; classtype:attempted-user; sid:40803; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER HDF5 H5Z_NBIT filter heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.hdf; file_data; content:"nbit|00 00 00 00 08 00 00 00|"; content:"|01 00 00 00|"; within:4; distance:8; byte_extract:4,0,psize,relative,little; byte_test:4,>,psize,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0177/; classtype:attempted-user; sid:40802; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER HDF5 H5Z_NBIT filter heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.hdf; file_data; content:"nbit|00 00 00 00 08 00 00 00|"; content:"|01 00 00 00|"; within:4; distance:8; byte_extract:4,0,psize,relative,little; byte_test:4,>,psize,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0177/; classtype:attempted-user; sid:40801; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER HDF5 msg_dtype H5T_ARRAY heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.hdf; file_data; content:"|89|HDF|0D 0A 1A 0A|"; depth:8; byte_test:1,>,1,0,relative; byte_test:1,<,4,0,relative; byte_extract:1,1,sizeof_addr,relative; content:"SNOD|01 00|"; distance:0; content:"|00|"; within:1; distance:1; byte_jump:4,sizeof_addr,relative,from_beginning,little; content:"|01 00|"; within:2; content:"|03 00|"; within:500; distance:6; content:"|00 00 00|"; within:3; distance:3; byte_test:1,&,8,0,relative; byte_test:1,&,2,0,relative; byte_test:1,!&,5,0,relative; byte_test:1,>,0x20,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4330; reference:url,www.talosintelligence.com/reports/TALOS-2016-0176/; classtype:attempted-user; sid:40794; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER HDF5 msg_dtype H5T_ARRAY heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.hdf; file_data; content:"|89|HDF|0D 0A 1A 0A|"; depth:8; byte_test:1,>,1,0,relative; byte_test:1,<,4,0,relative; byte_extract:1,1,sizeof_addr,relative; content:"SNOD|01 00|"; distance:0; content:"|00|"; within:1; distance:1; byte_jump:4,sizeof_addr,relative,from_beginning,little; content:"|01 00|"; within:2; content:"|03 00|"; within:500; distance:6; content:"|00 00 00|"; within:3; distance:3; byte_test:1,&,8,0,relative; byte_test:1,&,2,0,relative; byte_test:1,!&,5,0,relative; byte_test:1,>,0x20,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4330; reference:url,www.talosintelligence.com/reports/TALOS-2016-0176/; classtype:attempted-user; sid:40793; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER HDF5 msg_dtype H5T_ARRAY heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.hdf; file_data; content:"|89|HDF|0D 0A 1A 0A|"; depth:8; byte_test:1,<,2,0,relative; byte_extract:1,5,sizeof_addr,relative; content:"SNOD|01 00|"; distance:0; content:"|00|"; within:1; distance:1; byte_jump:4,sizeof_addr,relative,from_beginning,little; content:"|01 00|"; within:2; content:"|03 00|"; within:500; distance:6; content:"|00 00 00|"; within:3; distance:3; byte_test:1,&,8,0,relative; byte_test:1,&,2,0,relative; byte_test:1,!&,5,0,relative; byte_test:1,>,0x20,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4330; reference:url,www.talosintelligence.com/reports/TALOS-2016-0176/; classtype:attempted-user; sid:40792; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER HDF5 msg_dtype H5T_ARRAY heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.hdf; file_data; content:"|89|HDF|0D 0A 1A 0A|"; depth:8; byte_test:1,<,2,0,relative; byte_extract:1,5,sizeof_addr,relative; content:"SNOD|01 00|"; distance:0; content:"|00|"; within:1; distance:1; byte_jump:4,sizeof_addr,relative,from_beginning,little; content:"|01 00|"; within:2; content:"|03 00|"; within:500; distance:6; content:"|00 00 00|"; within:3; distance:3; byte_test:1,&,8,0,relative; byte_test:1,&,2,0,relative; byte_test:1,!&,5,0,relative; byte_test:1,>,0x20,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4330; reference:url,www.talosintelligence.com/reports/TALOS-2016-0176/; classtype:attempted-user; sid:40791; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Ichitaro Office Excel TxO record heap overflow attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"|B6 01 12 00|"; content:"|3C 00 00 00|"; within:4; distance:18; metadata:service smtp; reference:cve,2017-2790; reference:url,www.talosintelligence.com/reports/TALOS-2016-0197/; classtype:attempted-user; sid:40126; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Ichitaro Office Excel TxO record heap overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B6 01 12 00|"; content:"|3C 00 00 00|"; within:4; distance:18; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2790; reference:url,www.talosintelligence.com/reports/TALOS-2016-0197/; classtype:attempted-user; sid:40125; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle OIT libvs_word ContentAccess out of bounds write attempt"; flow:to_server,established; file_data; content:"|FE 37 37 3C 41 41 41 41 41 41 41 42 41 41 41 41 41 41 41 41 00 00 00 00 41 41 41 41 41 41 41 41|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-3590; reference:url,www.talosintelligence.com/reports/TALOS-2016-0156; classtype:attempted-user; sid:39672; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle OIT libvs_word ContentAccess out of bounds write attempt"; flow:to_client,established; file_data; content:"|FE 37 37 3C 41 41 41 41 41 41 41 42 41 41 41 41 41 41 41 41 00 00 00 00 41 41 41 41 41 41 41 41|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3590; reference:url,www.talosintelligence.com/reports/TALOS-2016-0156; classtype:attempted-user; sid:39671; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle OIT libvs_word ContentAccess out of bounds write attempt"; flow:to_server,established; file_data; content:"|01 00 9F 7F 00 00 30 A8 02 00 00 CC 00 00 00 02 00 00 00 00 10 21 56 00 40 00 00 00 00 10 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-3592; reference:url,www.talosintelligence.com/reports/TALOS-2016-0158; classtype:attempted-user; sid:39668; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle OIT libvs_word ContentAccess out of bounds write attempt"; flow:to_client,established; file_data; content:"|01 00 9F 7F 00 00 30 A8 02 00 00 CC 00 00 00 02 00 00 00 00 10 21 56 00 40 00 00 00 00 10 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3592; reference:url,www.talosintelligence.com/reports/TALOS-2016-0158; classtype:attempted-user; sid:39667; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle OIT libvs_word ContentAccess out of bounds write attempt"; flow:to_server,established; file_data; content:"|86 84 84 84 84 84 84 84 02 00 01 00 9F 81 00 00 30 A8 02 00 00 00 00 00 00 00 00 01 00 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-3592; reference:url,www.talosintelligence.com/reports/TALOS-2016-0158; classtype:attempted-user; sid:39666; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle OIT libvs_word ContentAccess out of bounds write attempt"; flow:to_client,established; file_data; content:"|86 84 84 84 84 84 84 84 02 00 01 00 9F 81 00 00 30 A8 02 00 00 00 00 00 00 00 00 01 00 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3592; reference:url,www.talosintelligence.com/reports/TALOS-2016-0158; classtype:attempted-user; sid:39665; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle OIT ContentAccess libvs_mwkd VwStreamReadRecord out of bounds write attempt"; flow:to_server,established; file_data; content:"|02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01|"; depth:50; metadata:service smtp; reference:cve,2016-3591; reference:url,www.talosintelligence.com/reports/TALOS-2016-0157; classtype:attempted-user; sid:39664; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle OIT ContentAccess libvs_mwkd VwStreamReadRecord out of bounds write attempt"; flow:to_client,established; file_data; content:"|02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01|"; depth:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3591; reference:url,www.talosintelligence.com/reports/TALOS-2016-0157; classtype:attempted-user; sid:39663; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle OIT gem metafile n_integers heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|FF FF 18 00|"; depth:4; fast_pattern; byte_test:2,<,3,2,relative,little; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:20; distance:24; byte_test:2,>,0x7ffd,4,relative,little; metadata:service smtp; reference:cve,2016-3595; reference:url,www.talosintelligence.com/reports/TALOS-2016-0162; classtype:attempted-user; sid:39661; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle OIT gem metafile n_integers heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|FF FF 18 00|"; depth:4; fast_pattern; byte_test:2,<,3,2,relative,little; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:20; distance:24; byte_test:2,>,0x7ffd,4,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3595; reference:url,www.talosintelligence.com/reports/TALOS-2016-0162; classtype:attempted-user; sid:39660; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER libarchive RAR RestartModel out of bounds write attempt"; flow:to_server,established; file_data; content:"|2E 68 74 6D 6C C0 CC BB 4C 35 40 27 4D 35 41 72 6E 22 3E 3C 41 20 4C 2C FF FF FF 7F 4C 69 66 FF|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-4302; reference:url,www.talosintelligence.com/reports/TALOS-2016-0154; classtype:attempted-user; sid:39046; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER libarchive RAR RestartModel out of bounds write attempt"; flow:to_client,established; file_data; content:"|2E 68 74 6D 6C C0 CC BB 4C 35 40 27 4D 35 41 72 6E 22 3E 3C 41 20 4C 2C FF FF FF 7F 4C 69 66 FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4302; reference:url,www.talosintelligence.com/reports/TALOS-2016-0154; classtype:attempted-user; sid:39045; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER libarchive mtree parse_device stack buffer overflow attempt"; flow:to_server,established; file_data; content:"|23|mtree"; depth:6; fast_pattern; content:"|20|device="; pcre:"/\x20device=\w+,[0-9,]*\d{10}/"; metadata:service smtp; reference:cve,2016-4301; reference:url,www.talosintelligence.com/reports/TALOS-2016-0153; classtype:attempted-user; sid:39035; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER libarchive mtree parse_device stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|23|mtree"; depth:6; fast_pattern; content:"|20|device="; pcre:"/\x20device=\w+,[0-9,]*\d{10}/"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4301; reference:url,www.talosintelligence.com/reports/TALOS-2016-0153; classtype:attempted-user; sid:39034; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Hancom Hangul Office HShow integer-based heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.hpt; file_data; content:"|3E 6C 0C 0C 6E CC 0C 70 1A 19 30 32 D0 0B 6C C1 22 06 B1 9D 31 81 89 6C 53 39 E1 2C 2E 30 99 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4298; reference:url,www.talosintelligence.com/reports/TALOS-2016-0144; classtype:attempted-user; sid:38869; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Hancom Hangul Office HShow integer-based heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.hpt; file_data; content:"|3E 6C 0C 0C 6E CC 0C 70 1A 19 30 32 D0 0B 6C C1 22 06 B1 9D 31 81 89 6C 53 39 E1 2C 2E 30 99 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4298; reference:url,www.talosintelligence.com/reports/TALOS-2016-0144; classtype:attempted-user; sid:38868; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oracle OIT ContentAccess libvs_mwkd out of bounds write attempt"; flow:to_server,established; file_data; content:"|80 00 00 B6 B6 B6 B6 B6 00 01 00 02 00 02 00 00 00 00 00 00 00 20 00 00 00 20 00 00 00 01 05 B8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3593; reference:url,www.talosintelligence.com/reports/TALOS-2016-0159; classtype:attempted-user; sid:38861; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oracle OIT ContentAccess libvs_mwkd out of bounds write attempt"; flow:to_client,established; file_data; content:"|80 00 00 B6 B6 B6 B6 B6 00 01 00 02 00 02 00 00 00 00 00 00 00 20 00 00 00 20 00 00 00 01 05 B8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3593; reference:url,www.talosintelligence.com/reports/TALOS-2016-0159; classtype:attempted-user; sid:38860; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Hancom Hangul HCell pVertices OfficeArt record heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|EC 00|"; content:"|04 F0|"; within:2; distance:4; content:"|0A F0 08 00 00 00|"; within:6; distance:6; content:"|0B F0|"; within:2; distance:10; byte_extract:4,0,fopt_len,relative,little; content:"|45 C1|"; within:fopt_len; byte_test:4,>,255,0,relative,little; metadata:service smtp; reference:cve,2016-4294; reference:url,www.talosintelligence.com/reports/TALOS-2016-0149; classtype:attempted-user; sid:38859; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Hancom Hangul HCell pConnectionSites OfficeArt record heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|EC 00|"; content:"|04 F0|"; within:2; distance:4; content:"|0A F0 08 00 00 00|"; within:6; distance:6; content:"|0B F0|"; within:2; distance:10; byte_extract:4,0,fopt_len,relative,little; content:"|51 C1|"; within:fopt_len; byte_test:4,>,255,0,relative,little; metadata:service smtp; reference:cve,2016-4294; reference:url,www.talosintelligence.com/reports/TALOS-2016-0149; classtype:attempted-user; sid:38858; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Hancom Hangul HCell pVertices OfficeArt record heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|EC 00|"; content:"|04 F0|"; within:2; distance:4; content:"|0A F0 08 00 00 00|"; within:6; distance:6; content:"|0B F0|"; within:2; distance:10; byte_extract:4,0,fopt_len,relative,little; content:"|45 C1|"; within:fopt_len; byte_test:4,>,255,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4294; reference:url,www.talosintelligence.com/reports/TALOS-2016-0149; classtype:attempted-user; sid:38857; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Hancom Hangul HCell pConnectionSites OfficeArt record heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|EC 00|"; content:"|04 F0|"; within:2; distance:4; content:"|0A F0 08 00 00 00|"; within:6; distance:6; content:"|0B F0|"; within:2; distance:10; byte_extract:4,0,fopt_len,relative,little; content:"|51 C1|"; within:fopt_len; byte_test:4,>,255,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4294; reference:url,www.talosintelligence.com/reports/TALOS-2016-0149; classtype:attempted-user; sid:38856; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER libarchive zip_read_mac_metadata heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; content:"|00 00|"; within:2; distance:6; byte_extract:4,8,compSize,relative,little; byte_test:4,<,compSize,0,relative,little; content:"__MACOSX/"; within:9; distance:22; fast_pattern; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1541; reference:url,www.talosintelligence.com/reports/TALOS-2016-0155; classtype:attempted-user; sid:38628; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER libarchive zip_read_mac_metadata heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; content:"|00 00|"; within:2; distance:6; byte_extract:4,8,compSize,relative,little; byte_test:4,<,compSize,0,relative,little; content:"__MACOSX/"; within:9; distance:22; fast_pattern; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1541; reference:url,www.talosintelligence.com/reports/TALOS-2016-0155; classtype:attempted-user; sid:38627; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER 7zip HFS+ handling heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.decmpfs; file_data; content:"|00 00 00 00 00 0A 05 0E 02 00 00 00 14 00 00 00 FF 1F 01 00 13 20 01 00 FB E4 08 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-2334; reference:url,www.talosintelligence.com/reports/TALOS-2016-0093; classtype:attempted-user; sid:38324; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER 7zip HFS+ handling heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.decmpfs; file_data; content:"|00 00 00 00 00 0A 05 0E 02 00 00 00 14 00 00 00 FF 1F 01 00 13 20 01 00 FB E4 08 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-2334; reference:url,www.talosintelligence.com/reports/TALOS-2016-0093; classtype:attempted-user; sid:38323; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER 7zip UDF partition reference out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.udf; file_data; content:"|00 01 03 00|"; content:"*OSTA UDF Compliant"; within:19; distance:413; byte_test:2,>,64,-28,relative,little; metadata:service smtp; reference:cve,2016-2335; reference:url,www.talosintelligence.com/reports/TALOS-2016-0094/; classtype:attempted-user; sid:38296; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER 7zip UDF partition reference out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.udf; file_data; content:"|00 01 03 00|"; content:"*OSTA UDF Compliant"; within:19; distance:413; byte_test:2,>,64,-28,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-2335; reference:url,www.talosintelligence.com/reports/TALOS-2016-0094/; classtype:attempted-user; sid:38295; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER 7zip UDF partition reference out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.udf; file_data; content:"|00 01 02 00|"; content:"*OSTA UDF Compliant"; within:19; distance:413; byte_test:2,>,64,-28,relative,little; metadata:service smtp; reference:cve,2016-2335; reference:url,www.talosintelligence.com/reports/TALOS-2016-0094/; classtype:attempted-user; sid:38294; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER 7zip UDF partition reference out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.udf; file_data; content:"|00 01 02 00|"; content:"*OSTA UDF Compliant"; within:19; distance:413; byte_test:2,>,64,-28,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-2335; reference:url,www.talosintelligence.com/reports/TALOS-2016-0094/; classtype:attempted-user; sid:38293; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Intel HD Graphics Windows kernel driver local privilege escalation attempt"; flow:to_server,established; file_data; content:"|CC CC CC CC CC CC CC CC CC CC CC CC 00 00 00 00 00 CC 90 B0 01 00 00 00 01 00 00 00 CC CC CC CC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-5647; reference:url,www.talosintelligence.com/reports/TALOS-2016-0087; classtype:attempted-user; sid:37520; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Intel HD Graphics Windows kernel driver local privilege escalation attempt"; flow:to_client,established; file_data; content:"|CC CC CC CC CC CC CC CC CC CC CC CC 00 00 00 00 00 CC 90 B0 01 00 00 00 01 00 00 00 CC CC CC CC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5647; reference:url,www.talosintelligence.com/reports/TALOS-2016-0087; classtype:attempted-user; sid:37519; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Apple OSX local privilege escalation attempt"; flow:to_server,established; file_data; content:"SUWVATAUAVAWH|8B 05 CD FF FF FF FF D0 48 89 C7 48 8B 05 C9 FF FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1743; reference:url,www.talosintelligence.com/reports/TALOS-2016-0088; classtype:attempted-user; sid:37518; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Apple OSX local privilege escalation attempt"; flow:to_client,established; file_data; content:"SUWVATAUAVAWH|8B 05 CD FF FF FF FF D0 48 89 C7 48 8B 05 C9 FF FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1743; reference:url,www.talosintelligence.com/reports/TALOS-2016-0088; classtype:attempted-user; sid:37517; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER lhasa decode_level3_header heap corruption attempt"; flow:to_server,established; flowbits:isset,file.lzh; file_data; content:"|04 00|-lh"; content:"-"; within:1; distance:1; content:"|20 03|"; within:2; distance:12; byte_test:4,<,32,3,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-2347; reference:url,www.talosintelligence.com/reports/TALOS-2016-0095; classtype:attempted-user; sid:37494; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER lhasa decode_level3_header heap corruption attempt"; flow:to_client,established; flowbits:isset,file.lzh; file_data; content:"|04 00|-lh"; content:"-"; within:1; distance:1; content:"|20 03|"; within:2; distance:12; byte_test:4,<,32,3,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-2347; reference:url,www.talosintelligence.com/reports/TALOS-2016-0095; classtype:attempted-user; sid:37493; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Libgraphite context item handling arbitrary code execution attempt"; flow:to_server,established; file_data; content:"|22 00 07 2E 37 00 00 22 00 13 22 01 09 2E 37 00 00 2E 37 FF 00 13 10 22 02 09 2E 37|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1523; reference:url,www.talosintelligence.com/reports/TALOS-2016-0059; classtype:attempted-user; sid:36388; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Libgraphite context item handling arbitrary code execution attempt"; flow:to_client,established; file_data; content:"|22 00 07 2E 37 00 00 22 00 13 22 01 09 2E 37 00 00 2E 37 FF 00 13 10 22 02 09 2E 37|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1523; reference:url,www.talosintelligence.com/reports/TALOS-2016-0059; classtype:attempted-user; sid:36387; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER SIL LibGraphite BracketPairStack out of bounds access exploit attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"Glat"; depth:75; content:"|54 01 00 1E 49 01 00 15|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1522; reference:url,www.talosintelligence.com/reports/TALOS-2016-0057; classtype:attempted-user; sid:36386; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER SIL LibGraphite BracketPairStack out of bounds access exploit attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"Glat"; depth:75; content:"|54 01 00 1E 49 01 00 15|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1522; reference:url,www.talosintelligence.com/reports/TALOS-2016-0057; classtype:attempted-user; sid:36385; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Libgraphite empty feature list denial of service attempt"; flow:to_server,established; file_data; content:"|00 03 21 01 00 19 31 00 00 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 18 80 00 01 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1522; reference:url,www.talosintelligence.com/reports/TALOS-2016-0060; classtype:denial-of-service; sid:36228; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Libgraphite empty feature list denial of service attempt"; flow:to_client,established; file_data; content:"|00 03 21 01 00 19 31 00 00 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 18 80 00 01 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1522; reference:url,www.talosintelligence.com/reports/TALOS-2016-0060; classtype:denial-of-service; sid:36227; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Libgraphite empty feature list denial of service attempt"; flow:to_server,established; file_data; content:"|00 01 00 00|"; depth:4; content:"Feat"; within:200; byte_test:4,<,15000,4,relative; byte_jump:4,4,relative,from_beginning; content:"|00 01 00 00 00 00|"; within:6; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1522; reference:url,www.talosintelligence.com/reports/TALOS-2016-0060; classtype:denial-of-service; sid:36226; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Libgraphite empty feature list denial of service attempt"; flow:to_client,established; file_data; content:"|00 01 00 00|"; depth:4; content:"Feat"; within:200; byte_test:4,<,15000,4,relative; byte_jump:4,4,relative,from_beginning; content:"|00 01 00 00 00 00|"; within:6; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1522; reference:url,www.talosintelligence.com/reports/TALOS-2016-0060; classtype:denial-of-service; sid:36225; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER libgraphite TTF opcode handling out of bounds read attempt"; flow:to_server,established; file_data; content:"|FF 00 13 22 02 07 2E 37 00 00 01 00 13 10 30 22 01 07 2E 37 00 00 01 00 13 30 22 00 0C 2E 37 00 00 01 01 13 22 01 07 2E 37 00 00 01 01 13 10 22|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1521; reference:url,www.talosintelligence.com/reports/TALOS-2016-0058; classtype:attempted-user; sid:36217; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER libgraphite TTF opcode handling out of bounds read attempt"; flow:to_client,established; file_data; content:"|FF 00 13 22 02 07 2E 37 00 00 01 00 13 10 30 22 01 07 2E 37 00 00 01 00 13 30 22 00 0C 2E 37 00 00 01 01 13 22 01 07 2E 37 00 00 01 01 13 10 22|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1521; reference:url,www.talosintelligence.com/reports/TALOS-2016-0058; classtype:attempted-user; sid:36216; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Libgraphite LocaLookup out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|00 01 00 00|"; depth:4; content:"loca"; within:700; content:"|00|"; within:1; distance:4; content:"|00 00 00 00|"; within:4; distance:3; content:"cmap"; within:400; distance:-200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1521; reference:url,www.talosintelligence.com/reports/TALOS-2016-0061; classtype:attempted-user; sid:36213; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Libgraphite LocaLookup out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 01 00 00|"; depth:4; content:"loca"; within:700; content:"|00|"; within:1; distance:4; content:"|00 00 00 00|"; within:4; distance:3; content:"cmap"; within:400; distance:-200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1521; reference:url,www.talosintelligence.com/reports/TALOS-2016-0061; classtype:attempted-user; sid:36212; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER OpenOffice Starview metafile arbitrary read write attempt"; flow:to_server,established; file_data; content:"PK|03 04|"; content:"Pictures/"; content:".svm"; within:50; nocase; metadata:service smtp; reference:cve,2016-1513; reference:url,www.talosintelligence.com/reports/TALOS-2016-0051; classtype:attempted-user; sid:35829; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER OpenOffice Starview metafile arbitrary read write attempt"; flow:to_client,established; file_data; content:"PK|03 04|"; content:"Pictures/"; content:".svm"; within:50; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-1513; reference:url,www.talosintelligence.com/reports/TALOS-2016-0051; classtype:attempted-user; sid:35828; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt"; flow:to_server,established; file_data; content:"|0A 05 01|"; depth:3; fast_pattern; content:"|00 00 00 00|"; within:4; distance:1; byte_test:1,>,128,65; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3036; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42217; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt"; flow:to_client,established; file_data; content:"|0A 05 01|"; depth:3; fast_pattern; content:"|00 00 00 00|"; within:4; distance:1; byte_test:1,>,128,65; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3036; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42216; rev:3;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"c|00|e|00|u|00|t|00|i|00|l|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2017-0197; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:42164; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt"; flow:to_server,established; content:"/ceutil.dll"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2017-0197; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:42163; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt"; flow:to_server,established; content:"|BB A7 A1 02 28 52 71 D3 BD B4 96 F2 44 90 95 8E C4 EB 29 58 2A 54 82 F9 FA 5C 04 80 B3 CE 31 0E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0192; classtype:attempted-user; sid:42151; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt"; flow:to_server,established; content:"|15 04 F5 02 B9 03 25 05 7C 03 45 04 A4 03 B8 02 87 03 7C 03 6D 04 EF 03 CB 03 C4 03 9D 04 37 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0192; classtype:attempted-user; sid:42150; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt"; flow:to_client,established; content:"|BB A7 A1 02 28 52 71 D3 BD B4 96 F2 44 90 95 8E C4 EB 29 58 2A 54 82 F9 FA 5C 04 80 B3 CE 31 0E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0192; classtype:attempted-user; sid:42149; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt"; flow:to_client,established; content:"|15 04 F5 02 B9 03 25 05 7C 03 45 04 A4 03 B8 02 87 03 7C 03 6D 04 EF 03 CB 03 C4 03 9D 04 37 03|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0192; classtype:attempted-user; sid:42148; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt"; flow:to_server,established; content:"/RARfsClientNP.dll"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2017-3013; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:42280; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Adobe Acrobat request for RARfsClientNP.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"R|00|A|00|R|00|f|00|s|00|C|00|l|00|i|00|e|00|n|00|t|00|N|00|P|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x25\x00|\x00\x5C)\x00R\x00A\x00R\x00f\x00s\x00C\x00l\x00i\x00e\x00n\x00t\x00N\x00P\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:service netbios-ssn; reference:cve,2017-3013; classtype:attempted-user; sid:42279; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER fwpuclnt dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"f|00|w|00|p|00|u|00|c|00|l|00|n|00|t|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:42305; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER fwpuclnt dll-load exploit attempt"; flow:to_server,established; content:"/fwpuclnt.dll"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:42304; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|2B B0 88 48 0C E0 07 C0 82 7C 0F DE 02 BE 04 32 07 83 00 00 82 71 54 19 42 4E 22 79 E1 25 AE 4B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-2030; classtype:denial-of-service; sid:42423; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|2B B0 88 48 0C E0 07 C0 82 7C 0F DE 02 BE 04 32 07 83 00 00 82 71 54 19 42 4E 22 79 E1 25 AE 4B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2030; classtype:denial-of-service; sid:42422; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"|42 00 00 00 4D 0C 70 72 6F 67 72 65 73 73 20 62 61 72 78 E7 E0 D0 0A 7F 11 D1 AD 8D 08 00 07 9F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-2031; classtype:denial-of-service; sid:42413; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|42 00 00 00 4D 0C 70 72 6F 67 72 65 73 73 20 62 61 72 78 E7 E0 D0 0A 7F 11 D1 AD 8D 08 00 07 9F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2031; classtype:denial-of-service; sid:42412; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER AfterMidnight post exploitation tool request for aftermidnight.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"a|00|f|00|t|00|e|00|r|00|m|00|i|00|d|00|n|00|i|00|g|00|h|00|t|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x25\x00|\x00\x5C)\x00a\x00f\x00t\x00e\x00r\x00m\x00i\x00d\x00n\x00i\x00g\x00h\x00t\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,wikileaks.org/vault7/#AfterMidnight; classtype:attempted-user; sid:42891; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt"; flow:to_server,established; content:"/aftermidnight.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,wikileaks.org/vault7/#AfterMidnight; classtype:attempted-user; sid:42890; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Everest Software PeakHMI malicious .bsu file buffer overflow attempt"; flow:to_server,established; file_data; content:"|00 00 00 00 00 00 00 00 58 02 00 00 20 03 00 00 01 00 00 04 00 00 00 00 FE FF 00 00 00 00 00 00 00 00 00 00 FE FF 00 00 00 00 00 00 FE FF 00 00 00 00 00 00 FE FF 00 00 00 00 00 00 00 01 00 00|"; fast_pattern:only; byte_test:4,>,1400,68,little; metadata:service smtp; reference:url,peakhmi.com/; classtype:misc-activity; sid:42936; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Everest Software PeakHMI malicious .bsu file buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 00 00 00 00 00 00 00 58 02 00 00 20 03 00 00 01 00 00 04 00 00 00 00 FE FF 00 00 00 00 00 00 00 00 00 00 FE FF 00 00 00 00 00 00 FE FF 00 00 00 00 00 00 FE FF 00 00 00 00 00 00 00 01 00 00|"; fast_pattern:only; byte_test:4,>,1400,68,little; metadata:service ftp-data, service http, service imap, service pop3; reference:url,peakhmi.com/; classtype:misc-activity; sid:42935; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt"; flow:to_server,established; file_data; content:",1999|0D|"; depth:64; content:"A,"; within:7; distance:4; content:"D|0D 0A|"; within:4; distance:1; pcre:"/\x0D\x0A(ASCII|BINARY)[^\x0D\x0A]/"; metadata:service smtp; reference:cve,2014-8390; classtype:attempted-admin; sid:43798; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt"; flow:to_client,established; file_data; content:",1999|0D|"; depth:64; content:"A,"; within:7; distance:4; content:"D|0D 0A|"; within:4; distance:1; pcre:"/\x0D\x0A(ASCII|BINARY)[^\x0D\x0A]/"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-8390; classtype:attempted-admin; sid:43797; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt"; flow:to_server,established; file_data; content:",1999|0D|"; content:"A,"; within:7; distance:4; content:"D|0D 0A|"; within:4; distance:1; content:!"|0D 0A|"; depth:64; metadata:service smtp; reference:cve,2014-8390; classtype:attempted-admin; sid:43795; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt"; flow:to_client,established; file_data; content:",1999|0D|"; content:"A,"; within:7; distance:4; content:"D|0D 0A|"; within:4; distance:1; content:!"|0D 0A|"; depth:64; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-8390; classtype:attempted-admin; sid:43794; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Sorensoft Media Player asz file buffer overflow attempt"; flow:to_server,established; file_data; content:"ASzf"; depth:4; content:"Options.dat"; isdataat:500,relative; metadata:service smtp; reference:url,www.sorensoft.com/ssamp.html; classtype:denial-of-service; sid:43751; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Sorensoft Media Player asz file buffer overflow attempt"; flow:to_server,established; file_data; content:"ASzf"; depth:4; content:"Options.dat"; isdataat:500,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.sorensoft.com/ssamp.html; classtype:denial-of-service; sid:43750; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Xion Media Player AIFF denial of service attempt"; flow:to_server,established; file_data; content:"FORM|00 00|7|A4|AIFFCOMM"; depth:16; content:!"SSND"; within:25; metadata:service smtp; reference:url,support.ixiacom.com/strikes/exploits/browser/xion_audio_player_DoS.xml; classtype:denial-of-service; sid:43683; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Xion Media Player AIFF denial of service attempt"; flow:to_client,established; file_data; content:"FORM|00 00|7|A4|AIFFCOMM"; depth:16; content:!"SSND"; within:25; metadata:service ftp-data, service http, service imap, service pop3; reference:url,support.ixiacom.com/strikes/exploits/browser/xion_audio_player_DoS.xml; classtype:denial-of-service; sid:43682; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Node.js JS-YAML js function tag code execution attempt"; flow:to_server,established; file_data; content:"|3A| !!js/function >"; fast_pattern:only; metadata:service smtp; reference:cve,2013-4660; classtype:attempted-user; sid:43670; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Node.js JS-YAML js function tag code execution attempt"; flow:to_client,established; file_data; content:"|3A| !!js/function >"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-4660; classtype:attempted-user; sid:43669; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Schneider Electric MaxStream Configuration X-CTU code execution attempt"; flow:to_server,established; file_data; flowbits:isset,file.zip; content:"xcite/"; content:".ehx"; within:244; content:"xcite/"; content:".mxi"; within:244; content:"PK|01 02|"; byte_extract:2,20,fname_len,relative,little; content:"../"; within:fname_len; distance:26; metadata:service smtp; reference:url,schneider-electric.com; classtype:attempted-user; sid:43627; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Schneider Electric MaxStream Configuration X-CTU code execution attempt"; flow:to_client,established; file_data; flowbits:isset,file.zip; content:"xcite/"; content:".ehx"; within:244; content:"xcite/"; content:".mxi"; within:244; content:"PK|01 02|"; byte_extract:2,20,fname_len,relative,little; content:"../"; within:fname_len; distance:26; metadata:service ftp-data, service http, service imap, service pop3; reference:url,schneider-electric.com; classtype:attempted-user; sid:43626; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER IBM Informix Client SDK NFX file InformixServerList processing stack buffer overflow attempt"; flow:to_server,established; file_data; content:"[Setnet32]"; fast_pattern; nocase; content:"ServerSize="; distance:0; byte_test:4,>,293,0,relative,dec,string; pcre:"/InformixServerList=([^\r\n\x3B]{,293}\x3B)*[^\r\n\x3B]{294}/i"; metadata:service smtp; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:43624; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER IBM Informix Client SDK NFX file HostList processing stack buffer overflow attempt"; flow:to_server,established; file_data; content:"[Setnet32]"; fast_pattern; nocase; content:"HostSize="; distance:0; byte_test:4,>,296,0,relative,dec,string; pcre:"/HostList=([^\r\n\x3B]{,296}\x3B)*[^\r\n\x3B]{297}/i"; metadata:service smtp; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:43623; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Orbital Viewer .orb stack buffer overflow attempt"; flow:to_server,established; file_data; content:"OrbitalFileV1.0|0D 0A|"; nocase; isdataat:500,relative; content:!"|00|"; within:500; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,38436; reference:cve,2010-0688; classtype:attempted-user; sid:43615; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt"; flow:to_server,established; file_data; content:"|01 DA 01|"; depth:3; byte_test:2,>,4,8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,19507; reference:cve,2006-4144; reference:cve,2018-5040; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:43609; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt"; flow:to_client,established; file_data; content:"|01 DA 01|"; depth:3; byte_test:2,>,4,8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19507; reference:cve,2006-4144; reference:cve,2018-5040; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:43608; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Schneider Electric ClearSCADA malicious OPF file"; flow:to_server,established; file_data; content:"|10 64 02 09|"; depth:4; byte_jump:4,6,multiplier 2,little; byte_jump:4,0,relative,multiplier 2,little,post_offset 4; byte_test:4,>=,40000000,0,relative,little; metadata:policy security-ips drop, service smtp; reference:cve,2014-0779; classtype:attempted-admin; sid:43604; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Schneider Electric ClearSCADA malicious OPF file"; flow:to_client,established; file_data; content:"|10 64 02 09|"; depth:4; byte_jump:4,6,multiplier 2,little; byte_jump:4,0,relative,multiplier 2,little,post_offset 4; byte_test:4,>=,40000000,0,relative,little; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0779; classtype:attempted-admin; sid:43603; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt"; flow:to_server,established; file_data; content:"|D4 C3 B2 A1|"; depth:4; content:"ESDD"; distance:0; content:"|04 00 0C FE FF 41 FE FF 42 FE FF 43 FE FF 44|"; within:15; distance:2; metadata:service smtp; reference:cve,2010-4538; classtype:attempted-admin; sid:43601; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt"; flow:to_client,established; file_data; content:"|D4 C3 B2 A1|"; depth:4; content:"ESDD"; distance:0; content:"|04 00 0C FE FF 41 FE FF 42 FE FF 43 FE FF 44|"; within:15; distance:2; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-4538; classtype:attempted-admin; sid:43600; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER multiple vulnerabilities malformed .wav file buffer overflow attempt"; flow:to_server,established; content:"Content-Type: audio/x-wav|3B|"; fast_pattern:only; file_data; content:!"WAVEfmt"; depth:15; offset:8; metadata:service smtp; reference:cve,2009-4659; reference:cve,2009-4962; classtype:attempted-user; sid:43582; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"FILE-OTHER Oracle Outside-In JPEG2000 QCD segment processing heap buffer overflow attempt"; flow:established,to_server; file_data; content:"|00 00 00 0C 6A 50 20 20|"; depth:8; content:"|6A 70 32 63|"; distance:0; content:"|FF 5C|"; within:70; byte_test:2,>,840,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,54500; reference:cve,2012-1769; classtype:attempted-admin; sid:43560; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER multiple vulnerabilities malformed .m3u file buffer overflow attempt"; flow:to_server,established; content:"Content-Disposition: attachment|3B| filename="; content:".m3u"; within:25; fast_pattern; nocase; file_data; content:!"|23|EXTM3U"; depth:7; metadata:service smtp; reference:cve,2006-6251; reference:cve,2009-0262; reference:cve,2009-3969; reference:cve,2009-4756; classtype:attempted-user; sid:43543; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Aktiv Player wma file buffer overflow attempt"; flow:to_client,established; content:"Content-Type|3A| audio/x-ms-wma|3B|"; fast_pattern:only; http_header; file_data; content:!"|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,support.ixiacom.com/strikes/exploits/misc/aktiv_player_file_BO.xml; classtype:attempted-user; sid:43541; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Aktiv Player wma file buffer overflow attempt"; flow:to_server,established; content:"Content-Type|3A| audio/x-ms-wma|3B|"; fast_pattern:only; file_data; content:!"|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; metadata:service smtp; reference:url,support.ixiacom.com/strikes/exploits/misc/aktiv_player_file_BO.xml; classtype:attempted-user; sid:43540; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Vim modelines remote command execution attempt"; flow:to_client,established; file_data; content:"vi"; content:"|3A|"; within:2; content:"=|00|!"; within:25; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1248; classtype:attempted-user; sid:43482; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Vim modelines remote command execution attempt"; flow:to_server,established; file_data; content:"vi"; content:"|3A|"; within:2; content:"=|00|!"; within:25; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1248; classtype:attempted-user; sid:43481; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Compface xbm long declaration buffer overflow attempt"; flow:to_server,established; file_data; content:"|23|define"; nocase; content:"_width"; within:25; nocase; content:"|23|define"; nocase; content:"_height"; within:25; content:"static"; nocase; isdataat:100,relative; content:!"char = {"; within:100; nocase; metadata:service smtp; reference:cve,2009-2286; classtype:denial-of-service; sid:43369; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Compface xbm long declaration buffer overflow attempt"; flow:to_client,established; file_data; content:"|23|define"; nocase; content:"_width"; within:25; nocase; content:"|23|define"; nocase; content:"_height"; within:25; content:"static"; nocase; isdataat:100,relative; content:!"char = {"; within:100; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2286; classtype:denial-of-service; sid:43368; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Cytel Studio USE command overflow attempt"; flow:to_server,established; flowbits:isset,file.cyb; file_data; content:"USE"; isdataat:512,relative; content:!")|3B|"; within:512; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49924; reference:url,aluigi.altervista.org/adv/cytel_1-adv.txt; classtype:attempted-user; sid:43341; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Cytel Studio row overflow attempt"; flow:to_server,established; flowbits:isset,file.cy3; file_data; content:"90"; depth:2; content:"|0A|"; within:2; pcre:"/90\x0D?\x0A\w{8}/s"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49924; reference:url,aluigi.altervista.org/adv/cytel_1-adv.txt; classtype:attempted-user; sid:43340; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Cytel Studio string stack overflow attempt"; flow:to_server,established; flowbits:isset,file.cy3; file_data; content:"90"; depth:2; content:"|0A|"; within:2; isdataat:512,relative; pcre:"/\w{512}/Rs"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49924; reference:url,aluigi.altervista.org/adv/cytel_1-adv.txt; classtype:attempted-user; sid:43339; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER ProShow Gold PSH file handling overflow attempt"; flow:to_server,established; file_data; content:"Photodex|28|R|29| ProShow|28|TM|29| Show File"; depth:33; content:"cell[0].images[0].image="; distance:0; isdataat:512,relative; content:!"|0A|"; within:512; metadata:service smtp; reference:cve,2009-3214; classtype:attempted-user; sid:43333; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Hangul Word Processor type confusion attempt"; flow:to_server,established; file_data; content:"|38 F3 B4 C3 4D 9A F9 63 32 37 73 27 99 9B 73 DE E4 D9 F2 ED FD AD 95 EC DF 5E EB BF F5 06 A4 9D|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-6585; classtype:attempted-admin; sid:43264; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Hangul Word Processor type confusion attempt"; flow:to_client,established; file_data; content:"|38 F3 B4 C3 4D 9A F9 63 32 37 73 27 99 9B 73 DE E4 D9 F2 ED FD AD 95 EC DF 5E EB BF F5 06 A4 9D|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6585; classtype:attempted-admin; sid:43263; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Hangul Word Processor type confusion attempt"; flow:to_server,established; file_data; content:"|5E A8 43 A9 BB 3B D0 52 A8 40 85 52 28 D4 DD DD DD DD DD 7D 2E 98 9E 84 CC 8F C9 9C CC 99 64 4E|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-6585; classtype:attempted-admin; sid:43262; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Hangul Word Processor type confusion attempt"; flow:to_client,established; file_data; content:"|5E A8 43 A9 BB 3B D0 52 A8 40 85 52 28 D4 DD DD DD DD DD 7D 2E 98 9E 84 CC 8F C9 9C CC 99 64 4E|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6585; classtype:attempted-admin; sid:43261; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Hangul Word Processor type confusion attempt"; flow:to_server,established; file_data; content:"|4C CC 4E 6C 27 66 4A EC 38 C6 24 8E 31 8E 13 33 CD 4A C6 57 BA 9A A7 B9 9A 3B D2 8C CE F9 A5 B5|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-6585; classtype:attempted-admin; sid:43260; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Hangul Word Processor type confusion attempt"; flow:to_client,established; file_data; content:"|4C CC 4E 6C 27 66 4A EC 38 C6 24 8E 31 8E 13 33 CD 4A C6 57 BA 9A A7 B9 9A 3B D2 8C CE F9 A5 B5|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6585; classtype:attempted-admin; sid:43259; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.dir; content:"loadProxyTemplate"; fast_pattern:only; nocase; pcre:"/=[\w\x0d\x0a\x20\x22\x26\x27]{100}/si"; metadata:service smtp; reference:cve,2013-1383; classtype:attempted-user; sid:43236; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.dir; content:"createRigidBody"; fast_pattern:only; nocase; pcre:"/=[\w\x0d\x0a\x20\x22\x26\x27]{100}/si"; metadata:service smtp; reference:cve,2013-1383; classtype:attempted-user; sid:43235; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.dir; content:"loadProxyTemplate"; fast_pattern:only; nocase; pcre:"/\.loadProxyTemplate\x28\s*((\w+[\\r\n\s]*\x2c)|([\w\r\n\s\x22&\x27\x2e]{100})|(\w+\x2ename\s*&\s*\w+)|([\w\r\n\s\x22\x27\x2e]*&[\w\r\n\s\x22\x27\x2e]*&))/si"; metadata:service smtp; reference:cve,2013-1383; classtype:attempted-user; sid:43234; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.dir; content:"createRigidBody"; fast_pattern:only; nocase; pcre:"/\.createRigidBody\x28\s*((\w+[\r\n\s]*\x2c)|([\w\r\n\s\x22&\x27\x2e]{100})|(\w+\x2ename\s*&\s*\w+)|([\w\r\n\s\x22\x27\x2e]*&[\w\r\n\s\x22\x27\x2e]*&))/si"; metadata:service smtp; reference:cve,2013-1383; classtype:attempted-user; sid:43233; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.dir; content:"loadProxyTemplate"; fast_pattern:only; nocase; pcre:"/=[\w\x0d\x0a\x20\x22\x26\x27]{100}/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1383; classtype:attempted-user; sid:43232; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.dir; content:"createRigidBody"; fast_pattern:only; nocase; pcre:"/=[\w\x0d\x0a\x20\x22\x26\x27]{100}/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1383; classtype:attempted-user; sid:43231; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.dir; content:"loadProxyTemplate"; fast_pattern:only; nocase; pcre:"/\.loadProxyTemplate\x28\s*((\w+[\r\n\s]*\x2c)|([\w\r\n\s\x22\&\x27\x2e]{100})|(\w+\x2ename\s*&\s*\w+)|([\w\r\n\s\x22\x27\x2e]*&[\w\x0d\x0a\x20\x22\x27\x2e]*&))/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1383; classtype:attempted-user; sid:43230; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.dir; content:"createRigidBody"; fast_pattern:only; nocase; pcre:"/\.createRigidBody\x28\s*((\w+[\r\n\s]*\x2c)|([\w\r\n\s\x22&\x27\x2e]{100})|(\w+\x2ename\s*&\s*\w+)|([\w\r\n\s\x22\x27\x2e]*&[\w\r\n\s\x22\x27\x2e]*&))/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1383; classtype:attempted-user; sid:43229; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Oniguruma expression parser out of bounds write attempt"; flow:to_server,established; file_data; content:"77|10|777|7F 7F 5C|777777[|B7|7|5C|77|5C|7777"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-9226; classtype:attempted-user; sid:43182; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Oniguruma expression parser out of bounds write attempt"; flow:to_client,established; file_data; content:"77|10|777|7F 7F 5C|777777[|B7|7|5C|77|5C|7777"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-9226; classtype:attempted-user; sid:43181; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER INSAT MasterSCADA malicious project command execution attempt"; flow:to_server,established; file_data; content:"DynamicObject"; nocase; content:"MasterSCADA.Script"; distance:0; nocase; content:"CodeText"; nocase; metadata:service smtp; reference:url,masterscada.ru/; classtype:misc-activity; sid:43138; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER INSAT MasterSCADA malicious project command execution attempt"; flow:to_client,established; file_data; content:"DynamicObject"; nocase; content:"MasterSCADA.Script"; distance:0; nocase; content:"CodeText"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,masterscada.ru/; classtype:misc-activity; sid:43137; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe malicious IFF memory corruption attempt"; flow:to_server,established; file_data; content:"FOR4"; depth:4; content:"CIMG"; within:8; distance:4; content:"TBHD"; byte_extract:4,8,height,relative; content:"TBMP"; content:"RGBA"; byte_test:2,>,height,10,relative; metadata:service smtp; reference:cve,2011-0590; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:43133; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe malicious IFF memory corruption attempt"; flow:to_server,established; file_data; content:"FOR4"; depth:4; content:"CIMG"; within:4; distance:4; content:"TBHD"; byte_extract:4,4,width,relative; byte_extract:4,0,height,relative; content:"TBMP"; content:"RGBA"; byte_test:2,>,width,8,relative; metadata:service smtp; reference:cve,2011-0590; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:43132; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe malicious IFF memory corruption attempt"; flow:to_client,established; file_data; content:"FOR4"; depth:4; content:"CIMG"; within:8; distance:4; content:"TBHD"; byte_extract:4,8,height,relative; content:"TBMP"; content:"RGBA"; byte_test:2,>,height,10,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0590; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:43131; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe malicious IFF memory corruption attempt"; flow:to_client,established; file_data; content:"FOR4"; depth:4; content:"CIMG"; within:4; distance:4; content:"TBHD"; byte_extract:4,4,width,relative; byte_extract:4,0,height,relative; content:"TBMP"; content:"RGBA"; byte_test:2,>,width,8,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0590; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:43130; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt"; flow:to_server,established; file_data; content:"|D3 C7 80 20 C9 82 47 C1 54 D0 FB 98 40 E5 7C 08 0A 54 CE C3 98 AD DD C7 98 AD FD C7 98 AD C3 37|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7256; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-132; classtype:attempted-admin; sid:43115; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt"; flow:to_client,established; file_data; content:"|D3 C7 80 20 C9 82 47 C1 54 D0 FB 98 40 E5 7C 08 0A 54 CE C3 98 AD DD C7 98 AD FD C7 98 AD C3 37|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7256; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-132; classtype:attempted-admin; sid:43114; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER FreeBSD bspatch utility remote code execution attempt"; flow:to_server,established; file_data; content:"|42 5A 68 39 31 41 59 26 53 59 61 36 D7 68 00 00 05 C0 58 42 10 40 00 0A 00 60 00 20 00 21 A7 A8 D1 A1 0C 08 08 24 C4 EE 74 F1 77 24 53 85 09 06 13 6D 76 80|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-9862; classtype:attempted-user; sid:43108; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER FreeBSD bspatch utility remote code execution attempt"; flow:to_client,established; file_data; content:"|42 5A 68 39 31 41 59 26 53 59 61 36 D7 68 00 00 05 C0 58 42 10 40 00 0A 00 60 00 20 00 21 A7 A8 D1 A1 0C 08 08 24 C4 EE 74 F1 77 24 53 85 09 06 13 6D 76 80|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-9862; classtype:attempted-user; sid:43107; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Hangul Word Processor malicious tab count memory corruption attempt"; flow:to_server,established; file_data; content:"|57 19 77 F1 56 18 32 D9 39 C5 78 8A F1 34 E3 57 8C F3 8C 7F 5A DC 03 A7 38 11 ED F6 B0 8D 7B 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2819; reference:url,www.talosintelligence.com/reports/TALOS-2017-0320/; classtype:attempted-user; sid:35833; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Hangul Word Processor malicious tab count memory corruption attempt"; flow:to_client,established; file_data; content:"|57 19 77 F1 56 18 32 D9 39 C5 78 8A F1 34 E3 57 8C F3 8C 7F 5A DC 03 A7 38 11 ED F6 B0 8D 7B 30|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2819; reference:url,www.talosintelligence.com/reports/TALOS-2017-0320/; classtype:attempted-user; sid:35832; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Wireshark PROFINET DCP request format string exploit attempt"; flow:to_server,established; file_data; content:"|D4 C3 B2 A1|"; depth:4; content:"|01 00 00 00|"; within:4; distance:16; content:"|88 92 FE|"; within:4; distance:32; content:"|88 92 FE FD|"; distance:0; content:"|02 02|"; distance:0; content:"|00 01|"; within:2; distance:2; content:"%"; within:240; metadata:service smtp; reference:cve,2009-1210; classtype:attempted-admin; sid:43845; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Wireshark PROFINET DCP request format string exploit attempt"; flow:to_client,established; file_data; content:"|D4 C3 B2 A1|"; depth:4; content:"|01 00 00 00|"; within:4; distance:16; content:"|88 92 FE|"; within:4; distance:32; content:"|88 92 FE FD|"; distance:0; content:"|02 02|"; distance:0; content:"|00 01|"; within:2; distance:2; content:"%"; within:240; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-1210; classtype:attempted-admin; sid:43844; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Wireshark PROFINET DCP request format string exploit attempt"; flow:to_server,established; file_data; content:"|D4 C3 B2 A1|"; depth:4; content:"|01 00 00 00|"; within:4; distance:16; content:"|88 92 FE FD|"; within:4; distance:32; fast_pattern; content:"|02 02|"; distance:0; content:"|00 01|"; within:2; distance:2; content:"%"; within:240; metadata:service smtp; reference:cve,2009-1210; classtype:attempted-admin; sid:43843; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Wireshark PROFINET DCP response format string exploit attempt"; flow:to_server,established; file_data; content:"|D4 C3 B2 A1|"; depth:4; content:"|01 00 00 00|"; within:4; distance:16; content:"|88 92 FE FF|"; within:4; distance:32; fast_pattern; content:"|02 02|"; distance:0; content:"|00 00|"; within:2; distance:2; content:"%"; within:240; metadata:service smtp; reference:cve,2009-1210; classtype:attempted-admin; sid:43842; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Wireshark PROFINET DCP request format string exploit attempt"; flow:to_client,established; file_data; content:"|D4 C3 B2 A1|"; depth:4; content:"|01 00 00 00|"; within:4; distance:16; content:"|88 92 FE FD|"; within:4; distance:32; fast_pattern; content:"|02 02|"; distance:0; content:"|00 01|"; within:2; distance:2; content:"%"; within:240; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-1210; classtype:attempted-admin; sid:43841; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Wireshark PROFINET DCP response format string exploit attempt"; flow:to_client,established; file_data; content:"|D4 C3 B2 A1|"; depth:4; content:"|01 00 00 00|"; within:4; distance:16; content:"|88 92 FE FF|"; within:4; distance:32; fast_pattern; content:"|02 02|"; distance:0; content:"|00 00|"; within:2; distance:2; content:"%"; within:240; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-1210; classtype:attempted-admin; sid:43840; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Bmxplay malformed BMX buffer overflow attempt"; flow:to_server,established; content:"Content-Disposition: attachment|3B| filename="; content:".bmx"; within:25; fast_pattern; nocase; file_data; content:!"Buzz"; depth:4; metadata:service smtp; reference:cve,2009-4759; classtype:denial-of-service; sid:43834; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Snackamp malformed AIFF buffer overflow attempt"; flow:to_server,established; content:"Content-Disposition: attachment|3B| filename="; content:".aiff"; within:25; fast_pattern; nocase; file_data; content:!"FORM"; depth:4; content:!"AIFF"; depth:12; offset:8; metadata:service smtp; reference:cve,2012-5917; classtype:denial-of-service; sid:43828; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Power Software PowerISO invalid primary volume descriptor header use after free attempt"; flow:to_server,established; flowbits:isset,file.iso; file_data; content:"|01|CD001"; fast_pattern; content:"|00 00 00 00 00 00 00|"; within:7; distance:153; byte_test:1,<,23,-8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2823; reference:url,www.talosintelligence.com/reports/TALOS-2017-0324; classtype:attempted-user; sid:42322; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Power Software PowerISO invalid primary volume descriptor header use after free attempt"; flow:to_client,established; flowbits:isset,file.iso; file_data; content:"|01|CD001"; fast_pattern; content:"|00 00 00 00 00 00 00|"; within:7; distance:153; byte_test:1,<,23,-8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2823; reference:url,www.talosintelligence.com/reports/TALOS-2017-0324; classtype:attempted-user; sid:42321; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Power Software PowerISO stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.iso; file_data; content:"|00 00 00 00 00 00 00 00|"; content:"NM|04 01|"; within:200; fast_pattern; isdataat:255,relative; content:!"|00|"; within:255; metadata:service smtp; reference:cve,2017-2817; reference:url,www.talosintelligence.com/reports/TALOS-2017-0318/; classtype:attempted-user; sid:42272; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Power Software PowerISO stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.iso; file_data; content:"|00 00 00 00 00 00 00 00|"; content:"NM|03 01|"; within:200; fast_pattern; isdataat:255,relative; content:!"|00|"; within:255; metadata:service smtp; reference:cve,2017-2817; reference:url,www.talosintelligence.com/reports/TALOS-2017-0318/; classtype:attempted-user; sid:42271; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Power Software PowerISO stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.iso; file_data; content:"|00 00 00 00 00 00 00 00|"; content:"NM|02 01|"; within:200; fast_pattern; isdataat:255,relative; content:!"|00|"; within:255; metadata:service smtp; reference:cve,2017-2817; reference:url,www.talosintelligence.com/reports/TALOS-2017-0318/; classtype:attempted-user; sid:42270; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Power Software PowerISO stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.iso; file_data; content:"|00 00 00 00 00 00 00 00|"; content:"NM|01 01|"; within:200; fast_pattern; isdataat:255,relative; content:!"|00|"; within:255; metadata:service smtp; reference:cve,2017-2817; reference:url,www.talosintelligence.com/reports/TALOS-2017-0318/; classtype:attempted-user; sid:42269; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Power Software PowerISO stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.iso; file_data; content:"|00 00 00 00 00 00 00 00|"; content:"NM|00 01|"; within:200; fast_pattern; isdataat:255,relative; content:!"|00|"; within:255; metadata:service smtp; reference:cve,2017-2817; reference:url,www.talosintelligence.com/reports/TALOS-2017-0318/; classtype:attempted-user; sid:42268; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Power Software PowerISO stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.iso; file_data; content:"|00 00 00 00 00 00 00 00|"; content:"NM|04 01|"; within:200; fast_pattern; isdataat:255,relative; content:!"|00|"; within:255; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2817; reference:url,www.talosintelligence.com/reports/TALOS-2017-0318/; classtype:attempted-user; sid:42267; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Power Software PowerISO stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.iso; file_data; content:"|00 00 00 00 00 00 00 00|"; content:"NM|03 01|"; within:200; fast_pattern; isdataat:255,relative; content:!"|00|"; within:255; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2817; reference:url,www.talosintelligence.com/reports/TALOS-2017-0318/; classtype:attempted-user; sid:42266; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Power Software PowerISO stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.iso; file_data; content:"|00 00 00 00 00 00 00 00|"; content:"NM|02 01|"; within:200; fast_pattern; isdataat:255,relative; content:!"|00|"; within:255; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2817; reference:url,www.talosintelligence.com/reports/TALOS-2017-0318/; classtype:attempted-user; sid:42265; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Power Software PowerISO stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.iso; file_data; content:"|00 00 00 00 00 00 00 00|"; content:"NM|01 01|"; within:200; fast_pattern; isdataat:255,relative; content:!"|00|"; within:255; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2817; reference:url,www.talosintelligence.com/reports/TALOS-2017-0318/; classtype:attempted-user; sid:42264; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Power Software PowerISO stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.iso; file_data; content:"|00 00 00 00 00 00 00 00|"; content:"NM|00 01|"; within:200; fast_pattern; isdataat:255,relative; content:!"|00|"; within:255; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2817; reference:url,www.talosintelligence.com/reports/TALOS-2017-0318/; classtype:attempted-user; sid:42263; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Tablib yaml.load code execution attempt"; flow:to_server,established; file_data; content:".load"; content:"yaml"; within:5; content:"!!python/object/apply"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2810; reference:url,www.talosintelligence.com/reports/TALOS-2017-0307/; classtype:attempted-user; sid:42196; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Tablib yaml.load code execution attempt"; flow:to_client,established; file_data; content:".load"; content:"yaml"; within:5; content:"!!python/object/apply"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2810; reference:url,www.talosintelligence.com/reports/TALOS-2017-0307/; classtype:attempted-user; sid:42195; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER IrfanView JPEG2000 reference tile width value buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jp2; file_data; content:"ftypjp2"; content:"jp2c|FF 4F FF 51|"; distance:0; byte_test:4,>,0x0cccccce,20,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2813; reference:url,www.talosintelligence.com/reports/TALOS-2017-0310; classtype:attempted-user; sid:42178; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER IrfanView JPEG2000 reference tile width value buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jp2; file_data; content:"ftypjp2"; content:"jp2c|FF 4F FF 51|"; distance:0; byte_test:4,>,0x0cccccce,20,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2813; reference:url,www.talosintelligence.com/reports/TALOS-2017-0310; classtype:attempted-user; sid:42177; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER CorelDRAW X8 EMF invalid ihBrush field value out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:" EMF"; depth:4; offset:40; content:"|27 00 00 00 18 00 00 00|"; distance:0; byte_test:1,>=,0x80,3,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-9043; reference:url,www.talosintelligence.com/reports/TALOS-2016-0261; classtype:attempted-user; sid:41345; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER CorelDRAW X8 EMF invalid ihBrush field value out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:" EMF"; depth:4; offset:40; content:"|27 00 00 00 18 00 00 00|"; distance:0; byte_test:1,>=,0x80,3,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-9043; reference:url,www.talosintelligence.com/reports/TALOS-2016-0261; classtype:attempted-user; sid:41344; rev:5;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Dell Precision Optimizer dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"a|00|t|00|i|00|a|00|d|00|l|00|x|00|x|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.talosintelligence.com/reports/TALOS-2016-0247; classtype:attempted-user; sid:41309; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Dell Precision Optimizer dll-load exploit attempt"; flow:to_server,established; content:"/atiadlxx.dll"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.talosintelligence.com/reports/TALOS-2016-0247; classtype:attempted-user; sid:41308; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt"; flow:to_server,established; file_data; content:"|20 41 28 07 60 9E 80 48 30 06 6A AA 07 23 B8 EA 88 04 68 5D 38 D0 70 D6 A3 48 64 96 AA 21 1C 91 C4 AB 76 70 34 1E CB 9A 33 E2 03 AE 20 90 45 B1 A6 80 3C 58 21|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11258; classtype:attempted-user; sid:43894; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt"; flow:to_client,established; file_data; content:"|20 41 28 07 60 9E 80 48 30 06 6A AA 07 23 B8 EA 88 04 68 5D 38 D0 70 D6 A3 48 64 96 AA 21 1C 91 C4 AB 76 70 34 1E CB 9A 33 E2 03 AE 20 90 45 B1 A6 80 3C 58 21|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11258; classtype:attempted-user; sid:43893; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt"; flow:to_server,established; file_data; content:"EMF+|08 40|"; fast_pattern; byte_extract:4,-14,comment_size,relative,little; byte_test:4,>,comment_size,20,relative,little; content:"|02 00 00 00 02 00 00 00|"; within:8; distance:28; metadata:service smtp; reference:cve,2017-11241; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43880; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt"; flow:to_client,established; file_data; content:"EMF+|08 40|"; fast_pattern; byte_extract:4,-14,comment_size,relative,little; byte_test:4,>,comment_size,20,relative,little; content:"|02 00 00 00 02 00 00 00|"; within:8; distance:28; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11241; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43879; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt"; flow:to_server,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; within:4; distance:36; content:"|FF DB|"; byte_jump:2,0,relative,post_offset -2; content:"|FF C2|"; within:2; byte_extract:1,7,numComponents,relative; content:"|FF C4|"; within:100; byte_jump:2,0,relative,post_offset -2; content:"|FF DA|"; within:2; byte_test:1,>,numComponents,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11259; classtype:attempted-user; sid:43876; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt"; flow:to_client,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; within:4; distance:36; content:"|FF DB|"; byte_jump:2,0,relative,post_offset -2; content:"|FF C2|"; within:2; byte_extract:1,7,numComponents,relative; content:"|FF C4|"; within:100; byte_jump:2,0,relative,post_offset -2; content:"|FF DA|"; within:2; byte_test:1,>,numComponents,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11259; classtype:attempted-user; sid:43875; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Device Guard bypass via compiled help file attempt"; flow:to_server,established; file_data; content:"|10 F4 4B B5 3E C9 12 42 4F F6 89 92 5F F9 4B 09 60 3A 03 5B C3 59 27 B5 79 5C 6A F9 F9 A4 FF 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8625; classtype:attempted-user; sid:43852; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Device Guard bypass via compiled help file attempt"; flow:to_client,established; file_data; content:"|10 F4 4B B5 3E C9 12 42 4F F6 89 92 5F F9 4B 09 60 3A 03 5B C3 59 27 B5 79 5C 6A F9 F9 A4 FF 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8625; classtype:attempted-user; sid:43851; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; byte_test:4,<,10000,-8,relative,little; byte_jump:4,-8,relative,little,post_offset 1; content:!"|00 00 00|"; within:3; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11249; reference:cve,2018-12850; reference:cve,2018-12857; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43974; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; byte_test:4,<,10000,-8,relative,little; byte_jump:4,-8,relative,little,post_offset 1; content:!"|00 00 00|"; within:3; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11249; reference:cve,2018-12850; reference:cve,2018-12857; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43973; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt"; flow:to_server,established; file_data; content:"|6D 32 20 3D 20 32 2E 30 30 FF FF FF 21 00 00 00 21 00 00 00 21 00 00 00 20 00 00 00 21 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11239; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43964; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt"; flow:to_client,established; file_data; content:"|6D 32 20 3D 20 32 2E 30 30 FF FF FF 21 00 00 00 21 00 00 00 21 00 00 00 20 00 00 00 21 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11239; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43963; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER VLC Media Player malformed AMR buffer overflow attempt"; flow:to_server,established; file_data; content:"#!AMR"; depth:5; content:!"|0A|"; within:1; metadata:service smtp; reference:cve,2012-0904; classtype:attempted-admin; sid:43953; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER VLC Media Player malformed AMR buffer overflow attempt"; flow:to_client,established; file_data; content:"#!AMR"; depth:5; content:!"|0A|"; within:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-0904; classtype:attempted-admin; sid:43952; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt"; flow:to_server,established; file_data; content:"BCFZ|04 10 01 00|"; depth:8; dsize:>500; metadata:service smtp; reference:cve,2012-6048; classtype:denial-of-service; sid:43947; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt"; flow:to_client,established; file_data; content:"BCFZ|04 10 01 00|"; depth:8; dsize:>500; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-6048; classtype:denial-of-service; sid:43946; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt"; flow:to_server,established; content:"Content-Disposition: attachment|3B| filename="; content:".cda"; within:25; fast_pattern; nocase; dsize:>1000; metadata:service smtp; reference:url,support.ixiacom.com/strikes/exploits/misc/magic_music_editor_DoS.xml; classtype:attempted-admin; sid:43945; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER multiple products malformed CUE file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.cue; file_data; content:"FILE"; depth:4; content:"|22|"; within:5; isdataat:512,relative; content:!"|22|"; within:512; metadata:service smtp; reference:bugtraq,24140; reference:bugtraq,33960; reference:cve,2007-2888; classtype:attempted-user; sid:43944; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Abbs Media Player LST buffer overflow attempt"; flow:to_server,established; content:"Content-Disposition: attachment|3B| filename="; content:".lst"; within:25; fast_pattern; nocase; dsize:>5000; metadata:service smtp; reference:url,support.ixiacom.com/strikes/exploits/misc/abbs_audio_media_player_BO.xml; classtype:attempted-admin; sid:43942; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt"; flow:to_server,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|46 00 00 00|"; byte_extract:4,4,dataSize,relative,little; content:"EMF+"; within:4; content:"|08 40|"; within:dataSize; distance:-4; content:"|05|"; within:1; distance:1; content:"GIF8"; within:4; distance:36; byte_test:1,!&,0x80,6,relative; content:"|2C|"; within:1; distance:9; byte_test:1,!&,0x80,8,relative; byte_test:1,>,0xc,9,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11260; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43917; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt"; flow:to_client,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|46 00 00 00|"; byte_extract:4,4,dataSize,relative,little; content:"EMF+"; within:4; content:"|08 40|"; within:dataSize; distance:-4; content:"|05|"; within:1; distance:1; content:"GIF8"; within:4; distance:36; byte_test:1,!&,0x80,6,relative; content:"|2C|"; within:1; distance:9; byte_test:1,!&,0x80,8,relative; byte_test:1,>,0xc,9,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11260; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43916; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xps; file_data; content:"|9C F6 65 50 1C 4E F4 B6 09 0F 2E C1 5D 06 82 05 1B 20 38 0C 16 24 B8 BB 0D 04 97 41 82 6B 20 38 84|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11209; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43913; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xps; file_data; content:"|9C F6 65 50 1C 4E F4 B6 09 0F 2E C1 5D 06 82 05 1B 20 38 0C 16 24 B8 BB 0D 04 97 41 82 6B 20 38 84|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11209; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43912; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xps; file_data; content:"|EC 3D 09 40 94 D5 D6 E7 7E DB EC 2B CB B0 0C F0 B1 2B 83 80 80 22 6A 32 2A B8 E1 0E 1A 98 24 23 8C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11210; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43901; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xps; file_data; content:"|EC 3D 09 40 94 D5 D6 E7 7E DB EC 2B CB B0 0C F0 B1 2B 83 80 80 22 6A 32 2A B8 E1 0E 1A 98 24 23 8C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11210; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43900; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1 00 06|Exif|00 00|"; isdataat:10,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11246; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43984; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1 00 06|Exif|00 00|"; isdataat:10,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11246; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43983; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|4C 00 00 00|"; content:"|20 00 CC 00|"; within:4; distance:36; byte_extract:4,-16,ydest,relative; byte_test:4,!=,ydest,16,relative; metadata:service smtp; reference:cve,2017-11241; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44067; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|4C 00 00 00|"; content:"|20 00 CC 00|"; within:4; distance:36; byte_extract:4,-20,xdest,relative; byte_test:4,!=,xdest,16,relative; metadata:service smtp; reference:cve,2017-11241; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44066; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|4C 00 00 00|"; content:"|20 00 CC 00|"; within:4; distance:36; byte_extract:4,-16,ydest,relative; byte_test:4,!=,ydest,16,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11241; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44065; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|4C 00 00 00|"; content:"|20 00 CC 00|"; within:4; distance:36; byte_extract:4,-20,xdest,relative; byte_test:4,!=,xdest,16,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11241; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44064; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF file EMR_ALPHABLEND record memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:" EMF"; depth:4; offset:40; content:"|72 00 00 00|"; fast_pattern; byte_test:4,>,0,28,relative,little; byte_test:4,>,0,32,relative,little; content:"|00 00 FF 01|"; within:4; distance:36; isdataat:1520,relative; content:"|00 00 25 00|"; within:4; distance:1520; metadata:service smtp; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:misc-activity; sid:44058; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF file EMR_ALPHABLEND record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:" EMF"; depth:4; offset:40; content:"|72 00 00 00|"; fast_pattern; byte_test:4,>,0,28,relative,little; byte_test:4,>,0,32,relative,little; content:"|00 00 FF 01|"; within:4; distance:36; isdataat:1520,relative; content:"|00 00 25 00|"; within:4; distance:1520; metadata:service ftp-data, service http, service imap, service pop3; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:misc-activity; sid:44057; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt"; flow:to_server,established; file_data; content:"|49 41 A4 BA A4 FE F3 96 12 6D BB F4 1A 71 9E 29 7A 57 E0 9F FC 15 1F F6 B0 FD A1 7E 04 7C 76 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11268; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44034; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt"; flow:to_client,established; file_data; content:"|49 41 A4 BA A4 FE F3 96 12 6D BB F4 1A 71 9E 29 7A 57 E0 9F FC 15 1F F6 B0 FD A1 7E 04 7C 76 D0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11268; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44033; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt"; flow:to_server,established; file_data; content:"|59 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 02 00 00 00 0C 01 48 03 B4 00 B0 02|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11242; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44087; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt"; flow:to_client,established; file_data; content:"|59 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 02 00 00 00 0C 01 48 03 B4 00 B0 02|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11242; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44086; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER EMF EMR_EXTTEXTOUTW record memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|54 00 00 00 AC 00 00 00 BB 00 00 00 03 00 00 00 00 02 00 00 30 00 00 00 01 00 00 00 AB 0A 0D 42 00 00 0D 42|"; fast_pattern:only; metadata:service smtp; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:misc-activity; sid:44124; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER EMF EMR_EXTTEXTOUTW record memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|54 00 00 00 AC 00 00 00 BB 00 00 00 03 00 00 00 00 02 00 00 30 00 00 00 01 00 00 00 AB 0A 0D 42 00 00 0D 42|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:44123; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|FF ED|"; byte_extract:2,0,section_size,relative; content:"8BIM"; distance:0; content:!"|00|"; within:1; distance:2; byte_jump:1,2,relative; byte_test:4,>,section_size,0,relative; metadata:service smtp; reference:cve,2017-11267; reference:cve,2018-4981; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:misc-activity; sid:44122; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|FF ED|"; byte_extract:2,0,section_size,relative; content:"8BIM"; distance:0; content:!"|00|"; within:1; distance:2; byte_jump:1,2,relative; byte_test:4,>,section_size,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11267; reference:cve,2018-4981; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:misc-activity; sid:44121; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|FF ED|"; byte_extract:2,0,section_size,relative; content:"8BIM"; distance:0; content:"|00 00|"; within:2; distance:2; byte_test:4,>,section_size,0,relative; metadata:service smtp; reference:cve,2017-11267; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:misc-activity; sid:44120; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|FF ED|"; byte_extract:2,0,section_size,relative; content:"8BIM"; distance:0; content:"|00 00|"; within:2; distance:2; byte_test:4,>,section_size,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11267; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:misc-activity; sid:44119; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; byte_extract:4,-12,size,relative,little; content:"|4D 4D 00 2A|"; within:size; distance:-8; content:"|01 00 00 03 00 00 00 01|"; distance:0; byte_test:2,>,10000,0,relative; metadata:service smtp; reference:cve,2017-11261; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44115; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; byte_extract:4,-12,size,relative,little; content:"|4D 4D 00 2A|"; within:size; distance:-8; content:"|01 00 00 03 00 00 00 01|"; distance:0; byte_test:2,>,10000,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11261; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44114; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; byte_extract:4,-12,size,relative,little; content:"|4D 4D 00 2A|"; within:size; distance:-8; content:"|01 01 00 03 00 00 00 01|"; distance:0; byte_test:2,>,10000,0,relative; metadata:service smtp; reference:cve,2017-11261; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44113; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; byte_extract:4,-12,size,relative,little; content:"|4D 4D 00 2A|"; within:size; distance:-8; content:"|01 01 00 03 00 00 00 01|"; distance:0; byte_test:2,>,10000,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11261; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44112; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; byte_extract:4,-12,size,relative,little; content:"|49 49 2A 00|"; within:size; distance:-8; content:"|01 01 03 00 01 00 00 00|"; distance:0; byte_test:2,>,10000,0,relative,little; metadata:service smtp; reference:cve,2017-11261; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44111; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; byte_extract:4,-12,size,relative,little; content:"|49 49 2A 00|"; within:size; distance:-8; content:"|01 01 03 00 01 00 00 00|"; distance:0; byte_test:2,>,10000,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11261; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44110; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; byte_extract:4,-12,size,relative,little; content:"|49 49 2A 00|"; within:size; distance:-8; content:"|00 01 03 00 01 00 00 00|"; distance:0; byte_test:2,>,10000,0,relative,little; metadata:service smtp; reference:cve,2017-11261; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44109; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; byte_extract:4,-12,size,relative,little; content:"|49 49 2A 00|"; within:size; distance:-8; content:"|00 01 03 00 01 00 00 00|"; distance:0; byte_test:2,>,10000,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11261; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44108; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Bluezone Desktop buffer overflow attempt"; flow:to_server,established; dsize:>20; file_data; content:"BZ"; depth:2; content:"K"; within:1; distance:6; pcre:"/BZ(MD215AK|MP215AK|VT100AK|A[PD]200BK)/"; metadata:service smtp; reference:url,support.ixiacom.com/strikes/denial/misc/bluezone_desktop_DoS.xml; classtype:attempted-user; sid:44181; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Bluezone Desktop buffer overflow attempt"; flow:to_client,established; dsize:>20; file_data; content:"BZ"; depth:2; content:"K"; within:1; distance:6; pcre:"/BZ(MD215AK|MP215AK|VT100AK|A[PD]200BK)/"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,support.ixiacom.com/strikes/denial/misc/bluezone_desktop_DoS.xml; classtype:attempted-user; sid:44180; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Media Player malformed au denial of service attempt"; flow:to_server,established; file_data; content:"|2E 73 6E 64 00 00 01 18 00 00 42 DC 00 00 00 01 00 00 1F 40 00 00 00 00 69 61 70 65 74 75 73 2E|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,25236; reference:cve,2007-4288; classtype:denial-of-service; sid:44159; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Media Player malformed au denial of service attempt"; flow:to_client,established; file_data; content:"|2E 73 6E 64 00 00 01 18 00 00 42 DC 00 00 00 01 00 00 1F 40 00 00 00 00 69 61 70 65 74 75 73 2E|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,25236; reference:cve,2007-4288; classtype:denial-of-service; sid:44158; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER VideoLAN VLC Media Player Ogg/Vorbis denial of service attempt"; flow:to_server,established; file_data; content:"OggS"; depth:4; content:"|03|vorbis"; byte_extract:4,0,vendor_length,relative; content:"%"; within:vendor_length; metadata:service smtp; reference:cve,2007-3316; classtype:attempted-admin; sid:44205; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER VideoLAN VLC Media Player Ogg/Vorbis denial of service attempt"; flow:to_client,established; file_data; content:"OggS"; depth:4; content:"|03|vorbis"; byte_extract:4,0,vendor_length,relative; content:"%"; within:vendor_length; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-3316; classtype:attempted-admin; sid:44204; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER ZIP file malformed header antivirus evasion attempt"; flow:to_server,established; content:".zip"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2ezip[\x22\x27\x3b\s]/i"; file_data; content:!"PK"; depth:2; metadata:service smtp; reference:cve,2012-1462; classtype:misc-activity; sid:44325; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER RAR file malformed header antivirus evasion attempt"; flow:to_server,established; content:".rar"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2erar[\x22\x27\x3b\s]/i"; file_data; content:"MZ"; depth:2; metadata:service smtp; reference:cve,2012-1443; classtype:misc-activity; sid:44323; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WSDL soap endpoint location code injection attempt"; flow:to_server,established; file_data; content:"definitions"; nocase; content:"xmlns:tns"; nocase; content:"microsoft.com/clr"; nocase; content:"<soap:address"; fast_pattern:only; content:"location"; nocase; pcre:"/<soap:address\s[^>]*?location\s*=\s*[\x22\x27][^\x22\x27]*?[\x3B\r\n]/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8759; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759; classtype:attempted-user; sid:44354; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WSDL soap endpoint location code injection attempt"; flow:to_client,established; file_data; content:"definitions"; nocase; content:"xmlns:tns"; nocase; content:"microsoft.com/clr"; nocase; content:"<soap:address"; fast_pattern:only; content:"location"; nocase; pcre:"/<soap:address\s[^>]*?location\s*=\s*[\x22\x27][^\x22\x27]*?[\x3B\r\n]/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8759; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759; classtype:attempted-user; sid:44353; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1234 (msg:"FILE-OTHER InduSoft Web Studio insecure visual basic code execution attempt"; flow:to_server,established; content:"|02 33|"; depth:40; content:"|28|"; within:50; content:"|29|"; within:50; content:"|03|"; within:50; metadata:ruleset limited; classtype:policy-violation; sid:35876; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER ZIP file name overflow attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|03 04|"; depth:4; byte_test:2,>,128,22,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,41333; reference:bugtraq,46059; reference:bugtraq,46375; reference:cve,2004-1094; reference:cve,2010-3227; reference:cve,2011-4535; reference:cve,2015-7939; reference:cve,2016-4519; classtype:attempted-user; sid:44473; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Graphics remote code execution attempt"; flow:to_server,established; file_data; content:"|18 E8 00 00 11 94 63 6D 61 70 40 E5 70 4D 00 00 12 E0 00 00 03 28 63 76 74 20 32 6F 42 A3 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11763; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11763; classtype:attempted-admin; sid:44529; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Graphics remote code execution attempt"; flow:to_client,established; file_data; content:"|18 E8 00 00 11 94 63 6D 61 70 40 E5 70 4D 00 00 12 E0 00 00 03 28 63 76 74 20 32 6F 42 A3 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11763; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11763; classtype:attempted-admin; sid:44528; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt"; flow:to_server,established; file_data; content:"--- %TAG !"; fast_pattern:only; content:"%"; content:"%"; within:2; distance:2; content:"%"; within:2; distance:2; content:"%"; within:2; distance:2; pcre:"/(%[A-Z0-9]{2,3}){16}/i"; metadata:service smtp; reference:cve,2014-2525; classtype:attempted-user; sid:44759; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt"; flow:to_client,established; file_data; content:"--- %TAG !"; fast_pattern:only; content:"%"; content:"%"; within:2; distance:2; content:"%"; within:2; distance:2; content:"%"; within:2; distance:2; pcre:"/(%[A-Z0-9]{2,3}){16}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-2525; classtype:attempted-user; sid:44758; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt"; flow:to_server,established; file_data; content:"--- !"; fast_pattern:only; content:"%"; content:"%"; within:2; distance:2; content:"%"; within:2; distance:2; content:"%"; within:2; distance:2; pcre:"/(%[A-Z0-9]{2,3}){16}/i"; metadata:service smtp; reference:cve,2014-2525; classtype:attempted-user; sid:44757; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro PNG file buffer over-read vulnerability attempt"; flow:to_server,established; flowbits:isset, file.xps; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"tEXt"; distance:0; byte_extract:4,-8,textLength,relative; content:"|FE FF|"; within:textLength; distance:4; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16384; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44860; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro PNG file buffer over-read vulnerability attempt"; flow:to_client,established; flowbits:isset, file.xps; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"tEXt"; distance:0; byte_extract:4,-8,textLength,relative; content:"|FE FF|"; within:textLength; distance:4; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16384; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44859; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.xps; content:"|C4 FC 7C DF 23 BE AB 97 1D 8E 80 F7 7D 9F B7 50 00 20 7B B5 7F E7 81 5F 56 CC CF 03 BF 0C 3C 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16385; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44984; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.xps; content:"|C4 FC 7C DF 23 BE AB 97 1D 8E 80 F7 7D 9F B7 50 00 20 7B B5 7F E7 81 5F 56 CC CF 03 BF 0C 3C 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16385; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44983; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro security bypass attempt"; flow:to_client,established; file_data; content:"file|3A|///C/"; fast_pattern:only; content:".contentWindow.document.body.innerText"; nocase; content:"iframe"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16369; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44966; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro security bypass attempt"; flow:to_server,established; file_data; content:"file|3A|///C/"; fast_pattern:only; content:".contentWindow.document.body.innerText"; nocase; content:"iframe"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16369; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44965; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|28 00 00 00 12 00 00 00 13 00 00 00 01 00 20 00 03 00 00 00 58 05 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16397; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44954; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|28 00 00 00 12 00 00 00 13 00 00 00 01 00 20 00 03 00 00 00 58 05 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16397; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44953; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Reader FDF file security bypass attempt"; flow:to_server,established; flowbits:isset,file.fdf; file_data; content:"/FDF"; nocase; content:"/F|20|"; within:100; fast_pattern; nocase; content:"tp"; within:15; nocase; pcre:"/\x2fF\s{1,10}?\x28(http|ftp)/i"; metadata:service smtp; reference:cve,2017-16361; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:misc-activity; sid:44942; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Reader FDF file security bypass attempt"; flow:to_client,established; flowbits:isset,file.fdf; file_data; content:"/FDF"; nocase; content:"/F|20|"; within:100; fast_pattern; nocase; content:"tp"; within:15; nocase; pcre:"/\x2fF\s{1,10}?\x28(http|ftp)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16361; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:misc-activity; sid:44941; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMFPlus out of bounds buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"EMF+|08 40|"; byte_extract:4,2,Size,little,relative; byte_test:4,>,Size,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16404; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44938; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMFPlus out of bounds buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"EMF+|08 40|"; byte_extract:4,2,Size,little,relative; byte_test:4,>,Size,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16404; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44937; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt"; flow:to_server,established; file_data; content:"|E6 DF 8B FC FC B1 2D 7B 52 C8 77 C9 65 20 47 92 C9 10 C9 43 9F C8 58 BE C8 5C 76 64 43 46 52 B1|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-16418; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44936; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt"; flow:to_client,established; file_data; content:"|E6 DF 8B FC FC B1 2D 7B 52 C8 77 C9 65 20 47 92 C9 10 C9 43 9F C8 58 BE C8 5C 76 64 43 46 52 B1|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16418; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44935; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS file embedded JPEG invalid SOS data memory corruption attempt"; flow:to_server,established; file_data; content:"|F3 03 21 C7 2E B7 7C F8 B4 D5 2B D7 33 3E DF AD E4 C2 AA 95 DB 96 6E B6 B9 E6 71 4B 53 52 D6 CB|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-16412; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44932; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS file embedded JPEG invalid SOS data memory corruption attempt"; flow:to_client,established; file_data; content:"|F3 03 21 C7 2E B7 7C F8 B4 D5 2B D7 33 3E DF AD E4 C2 AA 95 DB 96 6E B6 B9 E6 71 4B 53 52 D6 CB|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16412; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44931; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro WebCapture out of bounds read attempt"; flow:to_server,established; file_data; content:"GlobalEventHandlers"; nocase; content:"WindowBase64"; within:75; content:"WindowTimers"; within:100; fast_pattern; nocase; content:"SVGAnimatedString"; within:150; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16411; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-16411; classtype:misc-activity; sid:44928; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro WebCapture out of bounds read attempt"; flow:to_client,established; file_data; content:"GlobalEventHandlers"; nocase; content:"WindowBase64"; within:75; content:"WindowTimers"; within:100; fast_pattern; nocase; content:"SVGAnimatedString"; within:150; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16411; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-16411; classtype:misc-activity; sid:44927; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF Bezier curve out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"EMF+|19 40|"; byte_test:2,>,2000,10,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16403; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44924; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF Bezier curve out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"EMF+|19 40|"; byte_test:2,>,2000,10,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16403; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44923; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; content:"|0B 40|"; within:2; byte_test:1,!&,1,1,relative,bitmask 0x40; byte_extract:4,18,y_val,relative,little; byte_test:4,>,y_val,4,relative,little; metadata:service smtp; reference:cve,2017-16401; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44920; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; content:"|0B 40|"; within:2; byte_test:1,!&,1,1,relative,bitmask 0x40; byte_extract:4,18,y_val,relative,little; byte_test:4,>,y_val,4,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16401; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44919; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Professional EMF out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|53 00 00 00 4C 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 01 00 00 00 B0 82 F3 40|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16409; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44894; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Professional EMF out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|53 00 00 00 4C 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 01 00 00 00 B0 82 F3 40|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16409; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44893; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat JPEG2000 out of bounds buffer overflow attempt"; flow:to_server,established; file_data; content:"|00 00 00 0C 6A 50 20 20 0D 0A 87 0A|"; fast_pattern; content:"ihdr"; distance:0; byte_extract:2,8,numComp,relative; content:"opct"; within:200; byte_test:1,>,numComp,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16400; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:45032; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat JPEG2000 out of bounds buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 00 00 0C 6A 50 20 20 0D 0A 87 0A|"; fast_pattern; content:"ihdr"; distance:0; byte_extract:2,8,numComp,relative; content:"opct"; within:200; byte_test:1,>,numComp,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16400; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:45031; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_client,established; file_data; content:"{"; content:"com.sun.rowset.JdbcRowSetImpl"; distance:0; content:"}"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-15095; reference:cve,2017-7525; reference:url,github.com/FasterXML/jackson-databind; classtype:attempted-user; sid:45016; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_server,established; content:"{"; content:"com.sun.rowset.JdbcRowSetImpl"; distance:0; content:"}"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-15095; reference:cve,2017-7525; reference:url,github.com/FasterXML/jackson-databind; classtype:attempted-user; sid:45015; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_server,established; content:"{"; content:"com.sun.rowset.JdbcRowSetImpl"; distance:0; content:"}"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-15095; reference:cve,2017-7525; reference:url,github.com/FasterXML/jackson-databind; classtype:attempted-user; sid:45014; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_client,established; file_data; content:"{"; content:"org.apache.commons.collections"; distance:0; content:".functors."; within:11; content:"Transformer"; within:15; distance:7; content:"}"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-15095; reference:cve,2017-7525; reference:url,github.com/FasterXML/jackson-databind; classtype:attempted-user; sid:45013; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_server,established; file_data; content:"{"; content:"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"; distance:0; content:"}"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-15095; reference:cve,2017-7525; reference:url,attack.mitre.org/techniques/T1220; reference:url,github.com/FasterXML/jackson-databind; classtype:attempted-user; sid:45012; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_client,established; file_data; content:"{"; content:"org.springframework.beans.factory.ObjectFactory"; distance:0; content:"}"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-15095; reference:cve,2017-7525; reference:url,github.com/FasterXML/jackson-databind; classtype:attempted-user; sid:45011; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_client,established; file_data; content:"org.codehaus.groovy.runtime."; content:"Closure"; within:10; distance:6; content:"}"; distance:0; pcre:"/org\.codehaus\.groovy\.runtime\.(Converted|Method)Closure(.|\n)*?}/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-15095; reference:cve,2017-7525; reference:url,github.com/FasterXML/jackson-databind; classtype:attempted-user; sid:45010; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_server,established; content:"{"; content:"org.apache.commons.collections"; distance:0; content:".functors."; within:11; content:"Transformer"; within:15; distance:7; content:"}"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-15095; reference:cve,2017-7525; reference:url,github.com/FasterXML/jackson-databind; classtype:attempted-user; sid:45009; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_server,established; content:"{"; content:"org.codehaus.groovy.runtime."; distance:0; content:"Closure"; within:10; distance:6; content:"}"; distance:0; pcre:"/org\.codehaus\.groovy\.runtime\.(Converted|Method)Closure(.|\n)*?}/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-15095; reference:cve,2017-7525; reference:url,github.com/FasterXML/jackson-databind; classtype:attempted-user; sid:45008; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_server,established; content:"{"; content:"org.springframework.beans.factory.ObjectFactory"; distance:0; content:"}"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-15095; reference:cve,2017-7525; reference:url,github.com/FasterXML/jackson-databind; classtype:attempted-user; sid:45007; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_server,established; content:"{"; content:"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"; distance:0; content:"}"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-15095; reference:cve,2017-7525; reference:url,attack.mitre.org/techniques/T1220; reference:url,github.com/FasterXML/jackson-databind; classtype:attempted-user; sid:45006; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_client,established; file_data; content:"{"; content:"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"; distance:0; content:"}"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-15095; reference:cve,2017-7525; reference:url,attack.mitre.org/techniques/T1220; reference:url,github.com/FasterXML/jackson-databind; classtype:attempted-user; sid:45005; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_server,established; content:"{"; content:"org.springframework.beans.factory.ObjectFactory"; distance:0; content:"}"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-15095; reference:cve,2017-7525; reference:url,github.com/FasterXML/jackson-databind; classtype:attempted-user; sid:45004; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_server,established; content:"{"; content:"org.codehaus.groovy.runtime."; distance:0; content:"Closure"; within:10; distance:6; content:"}"; distance:0; pcre:"/org\.codehaus\.groovy\.runtime\.(Converted|Method)Closure(.|\n)*?}/"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-15095; reference:cve,2017-7525; reference:url,github.com/FasterXML/jackson-databind; classtype:attempted-user; sid:45003; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_server,established; content:"{"; content:"org.apache.commons.collections"; distance:0; content:".functors."; within:11; content:"Transformer"; within:15; distance:7; content:"}"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-15095; reference:cve,2017-7525; reference:url,github.com/FasterXML/jackson-databind; classtype:attempted-user; sid:45002; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows UAC bypass attempt"; flow:to_server,established; file_data; content:"|6A 00 68 00 38 00 10 6A 00 FF 15 0C 20 00 10 85 C0 0F 84 88 00 00 00 C7 85 DC FC FF FF 03 00 01|"; fast_pattern:only; metadata:service smtp; classtype:attempted-admin; sid:45059; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows UAC bypass attempt"; flow:to_client,established; file_data; content:"|6A 00 68 00 38 00 10 6A 00 FF 15 0C 20 00 10 85 C0 0F 84 88 00 00 00 C7 85 DC FC FF FF 03 00 01|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-admin; sid:45058; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Shockwave newModel memory disclosure attempt"; flow:to_server,established; flowbits:isset,file.dir; file_data; content:"& |22| %x|22 0D|  end repeat"; content:"member.newModel("; within:400; metadata:service smtp; reference:cve,2013-1385; classtype:attempted-recon; sid:45126; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Shockwave newModel memory disclosure attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"& |22| %x|22 0D|  end repeat"; content:"member.newModel("; within:400; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1385; classtype:attempted-recon; sid:45125; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Word DDEauto code execution attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"DDEAUTO"; nocase; content:".exe"; within:250; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,sensepost.com/blog/2017/macro-less-code-exec-in-msword; classtype:attempted-admin; sid:45215; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Word DDEauto code execution attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"DDEAUTO"; nocase; content:".exe"; within:250; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,sensepost.com/blog/2017/macro-less-code-exec-in-msword; classtype:attempted-admin; sid:45214; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Audition Session file stack buffer overflow attempt"; flow:to_client,established; file_data; content:"COOLNESS"; depth:8; content:"hdr "; within:4; distance:4; content:!"|00 00 00 00|"; within:4; distance:44; byte_test:4,<,362,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,47841; reference:cve,2011-0614; reference:url,www.adobe.com/support/security/bulletins/apsb11-10.html; classtype:attempted-user; sid:45203; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Audition Session file stack buffer overflow attempt"; flow:to_server,established; file_data; content:"COOLNESS"; depth:8; content:"hdr "; within:4; distance:4; content:!"|00 00 00 00|"; within:4; distance:44; byte_test:4,<,362,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,47841; reference:cve,2011-0614; reference:url,www.adobe.com/support/security/bulletins/apsb11-10.html; classtype:attempted-user; sid:45202; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt"; flow:to_server,established; file_data; content:"|4D 61 5F 52 61 69 6E 65 79 54 50 45 31 00 00 00 0A 00 00 00 4D 61 20 52 61 69 6E 65 79 54 49 54|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-1882; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-052; classtype:attempted-user; sid:45316; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt"; flow:to_client,established; file_data; content:"|4D 61 5F 52 61 69 6E 65 79 54 50 45 31 00 00 00 0A 00 00 00 4D 61 20 52 61 69 6E 65 79 54 49 54|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1882; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-052; classtype:attempted-user; sid:45315; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Photoshop asset elements stack based buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.collada; content:"<COLLADA"; content:"<asset>"; distance:0; content:">"; distance:0; isdataat:2048,relative; content:!"</"; within:2048; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,53464; classtype:attempted-user; sid:45399; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WinAce RAR file directory traversal attempt"; flow:to_server,established; file_data; content:"Rar!|1A 07 00|"; depth:7; content:"|74|"; within:1; distance:15; byte_extract:1,23,name_length,relative; content:"../"; within:name_length; distance:5; metadata:service smtp; reference:cve,2006-0981; classtype:attempted-user; sid:45544; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WinAce RAR file directory traversal attempt"; flow:to_client,established; file_data; content:"Rar!|1A 07 00|"; depth:7; content:"|74|"; within:1; distance:15; byte_extract:1,23,name_length,relative; content:"../"; within:name_length; distance:5; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-0981; classtype:attempted-user; sid:45543; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WinAce TAR file directory traversal attempt"; flow:to_server,established; file_data; content:"../"; depth:100; content:"ustar  |00|"; within:265; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0981; classtype:attempted-user; sid:45542; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WinAce TAR file directory traversal attempt"; flow:to_client,established; file_data; content:"../"; depth:100; content:"ustar  |00|"; within:265; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0981; classtype:attempted-user; sid:45541; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Ghostscript eqproc type confusion attempt"; flow:to_server,established; flowbits:isset,file.eps; file_data; content:".eqproc"; fast_pattern:only; content:"16#"; content:"16#"; within:250; content:"16#"; within:250; metadata:service smtp; reference:bugtraq,98476; reference:cve,2017-8291; reference:url,ghostscript.com/doc/9.22/History9.htm; classtype:attempted-user; sid:45536; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Ghostscript eqproc type confusion attempt"; flow:to_client,established; flowbits:isset,file.eps; file_data; content:".eqproc"; fast_pattern:only; content:"16#"; content:"16#"; within:250; content:"16#"; within:250; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,98476; reference:cve,2017-8291; reference:url,ghostscript.com/doc/9.22/History9.htm; classtype:attempted-user; sid:45535; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Ghostscript rsdparams type confusion attempt"; flow:to_client,established; flowbits:isset,file.eps; file_data; content:".rsdparams"; fast_pattern:only; content:"16#"; content:"16#"; within:250; content:"16#"; within:250; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,98476; reference:cve,2017-8291; reference:url,ghostscript.com/doc/9.22/History9.htm; classtype:attempted-user; sid:45534; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Ghostscript rsdparams type confusion attempt"; flow:to_server,established; flowbits:isset,file.eps; file_data; content:".rsdparams"; fast_pattern:only; content:"16#"; content:"16#"; within:250; content:"16#"; within:250; metadata:service smtp; reference:bugtraq,98476; reference:cve,2017-8291; reference:url,ghostscript.com/doc/9.22/History9.htm; classtype:attempted-user; sid:45533; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Multiple products XML Import Command buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"<classify"; nocase; content:"name"; distance:0; nocase; isdataat:1500,relative; pcre:"/name\s*?=\s*?[\x27\x22][^\x27\x22]{1500}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,97237; reference:cve,2017-7310; classtype:attempted-user; sid:45559; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Multiple products XML Import Command buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<classify"; nocase; content:"name"; distance:0; nocase; isdataat:1500,relative; pcre:"/name\s*?=\s*?[\x27\x22][^\x27\x22]{1500}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,97237; reference:cve,2017-7310; classtype:attempted-user; sid:45558; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt"; flow:to_server,established; flowbits:isset,file.xps; file_data; content:"II|2A 00|"; content:"|31 01|"; distance:0; content:!"|02 00|"; within:2; metadata:service smtp; reference:cve,2018-4904; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-admin; sid:45672; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt"; flow:to_server,established; flowbits:isset,file.xps; file_data; content:"MM|00 2A|"; content:"|01 31|"; distance:0; content:!"|00 02|"; within:2; metadata:service smtp; reference:cve,2018-4904; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-admin; sid:45671; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt"; flow:to_client,established; flowbits:isset,file.xps; file_data; content:"II|2A 00|"; content:"|31 01|"; distance:0; content:!"|02 00|"; within:2; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4904; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-admin; sid:45670; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt"; flow:to_client,established; flowbits:isset,file.xps; file_data; content:"MM|00 2A|"; content:"|01 31|"; distance:0; content:!"|00 02|"; within:2; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4904; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-admin; sid:45669; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"|31 01 02 00|"; fast_pattern; byte_extract:4,0,SftLen,relative,little; byte_extract:4,0,SftOffset,relative,little; content:"II|2A 00|"; depth:4; isdataat:SftOffset; content:!"|00|"; within:SftLen; distance:SftOffset; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4903; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45668; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|31 01 02 00|"; fast_pattern; byte_extract:4,0,SftLen,relative,little; byte_extract:4,0,SftOffset,relative,little; content:"II|2A 00|"; depth:4; isdataat:SftOffset; content:!"|00|"; within:SftLen; distance:SftOffset; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4903; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45667; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.xps; file_data; content:"|31 01 02 00|"; fast_pattern; byte_extract:4,0,SftLen,relative,little; byte_extract:4,0,SftOffset,relative,little; content:"II|2A 00|"; within:500; distance:-500; isdataat:SftOffset,relative; content:!"|00|"; within:SftLen; distance:SftOffset; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4903; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45666; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.xps; file_data; content:"|31 01 02 00|"; fast_pattern; byte_extract:4,0,SftLen,relative,little; byte_extract:4,0,SftOffset,relative,little; content:"II|2A 00|"; within:500; distance:-500; isdataat:SftOffset,relative; content:!"|00|"; within:SftLen; distance:SftOffset; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4903; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45665; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro malformed EMF EmfPlustDrawImagePoints out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|1B 40|"; content:"|40 00 00 00 34 00 00 00|"; within:8; distance:2; content:"|02 00 00 00|"; within:4; distance:4; byte_test:4,<,0x80000000,4,relative,little; byte_extract:4,4,srcrect_y,relative,little; content:"|03 00 00 00|"; within:4; distance:8; byte_test:4,<,srcrect_y,20,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4906; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45664; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro malformed EMF EmfPlustDrawImagePoints out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|1B 40|"; content:"|40 00 00 00 34 00 00 00|"; within:8; distance:2; content:"|02 00 00 00|"; within:4; distance:4; byte_test:4,<,0x80000000,4,relative,little; byte_extract:4,4,srcrect_y,relative,little; content:"|03 00 00 00|"; within:4; distance:8; byte_test:4,<,srcrect_y,20,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4906; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45663; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|7D 02 78 30 50 D9 FC F0 16 E2 3E 70 B7 A3 B8 2B 37 50 0A 00 75 54 D5 25 24 01 6E 0C 59 14 76 33|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4912; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-recon; sid:45662; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|7D 02 78 30 50 D9 FC F0 16 E2 3E 70 B7 A3 B8 2B 37 50 0A 00 75 54 D5 25 24 01 6E 0C 59 14 76 33|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-4912; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-recon; sid:45661; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows CLFS privilege escalation attempt"; flow:to_server,established; file_data; content:"|F8 03 00 00 0A 10 E0 00 01 00 00 00 00 00 00 00 1C 5F 00 00 F5 C1 F5 C1 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-0844; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0844; classtype:attempted-user; sid:45631; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows CLFS privilege escalation attempt"; flow:to_client,established; file_data; content:"|F8 03 00 00 0A 10 E0 00 01 00 00 00 00 00 00 00 1C 5F 00 00 F5 C1 F5 C1 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-0844; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0844; classtype:attempted-user; sid:45630; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; content:"EMF+|1C 40|"; within:6; distance:8; byte_test:4,>,0x7FFFFFEB,18,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4879; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45681; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; content:"EMF+|1C 40|"; within:6; distance:8; content:"|00 00|"; within:2; distance:4; content:"|00 00|"; within:2; distance:2; isdataat:12,relative; content:!"|00 00|"; within:2; distance:10; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4879; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45680; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; content:"EMF+|1C 40|"; within:6; distance:8; byte_test:4,>,0x7FFFFFEB,18,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4879; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45679; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; content:"EMF+|1C 40|"; within:6; distance:8; content:"|00 00|"; within:2; distance:4; content:"|00 00|"; within:2; distance:2; isdataat:12,relative; content:!"|00 00|"; within:2; distance:10; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4879; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45678; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt"; flow:to_server,established; file_data; content:"|6E 74 5F 54 79 70 65 73 5D 2E 78 6D 6C A5 94 CF 4E C3 30 0C C6 EF 48 BC 43 95 2B EA 32 38 20 84|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19702; reference:cve,2018-19705; reference:cve,2018-19706; reference:cve,2018-4891; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-recon; sid:45692; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt"; flow:to_client,established; file_data; content:"|6E 74 5F 54 79 70 65 73 5D 2E 78 6D 6C A5 94 CF 4E C3 30 0C C6 EF 48 BC 43 95 2B EA 32 38 20 84|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-19702; reference:cve,2018-19705; reference:cve,2018-19706; reference:cve,2018-4891; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-recon; sid:45691; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro embedded JPEG out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.xps; file_data; content:"|FF D8 FF E0|"; content:"|FF ED|"; distance:0; content:"8BIM|04 04|"; distance:0; byte_jump:1,0,relative; content:!"|00|"; within:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4889; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-admin; sid:45687; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro embedded JPEG out of bounds read attempt"; flow:to_server,established; file_data; content:"|FF D8 FF E0|"; content:"|FF ED|"; distance:0; content:"8BIM|04 04|"; distance:0; byte_jump:1,0,relative; content:!"|00|"; within:1; metadata:service smtp; reference:cve,2018-4889; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-admin; sid:45686; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER EMF embedded image out of bound read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"EMF+"; fast_pattern; byte_extract:4,-8,RecSize,relative,little; content:"|08 40|"; within:RecSize; content:"|01 00 00 00|"; within:4; distance:14; content:"BM"; within:2; distance:20; byte_test:2,<,8,26,relative,little; byte_test:4,>,0,44,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4884; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:misc-activity; sid:45812; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER EMF embedded image out of bound read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"EMF+"; fast_pattern; byte_extract:4,-8,RecSize,relative,little; content:"|08 40|"; within:RecSize; content:"|01 00 00 00|"; within:4; distance:14; content:"BM"; within:2; distance:20; byte_test:2,<,8,26,relative,little; byte_test:4,>,0,44,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4884; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:misc-activity; sid:45811; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_server,established; file_data; content:"|F5 E3 09 AC CB A7 EB F4 21 D8 FF 6F 96 80 BF 51 0A BF 59 CE D3 05 E9 85 14 20 87 E9 82 76 FD A2|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-4894; classtype:attempted-recon; sid:45803; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_client,established; file_data; content:"|F5 E3 09 AC CB A7 EB F4 21 D8 FF 6F 96 80 BF 51 0A BF 59 CE D3 05 E9 85 14 20 87 E9 82 76 FD A2|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4894; classtype:attempted-recon; sid:45802; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro nested IFD out of bounds read attempt"; flow:to_server,established; file_data; content:"|4D 4D 00 2A 00 00 09 9C 40 44 51 55 51 45 55 55 55 55 55 55 55 55 55 55 55 55 40 00 04 51 45 55|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4897; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45794; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro nested IFD out of bounds read attempt"; flow:to_client,established; file_data; content:"|4D 4D 00 2A 00 00 09 9C 40 44 51 55 51 45 55 55 55 55 55 55 55 55 55 55 55 55 40 00 04 51 45 55|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4897; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45793; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.xps; file_data; content:"|01 31 00 02|"; fast_pattern; byte_extract:4,0,SftLen,relative,big; byte_extract:4,0,SftOffset,relative,big; content:"MM|00 2A|"; within:500; distance:-500; isdataat:SftOffset,relative; content:!"|00|"; within:SftLen; distance:SftOffset; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4903; reference:url,helpx.adobe.com/security/products/reader/apsb18-02.html; classtype:attempted-user; sid:45787; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 31 00 02|"; fast_pattern; byte_extract:4,0,SftLen,relative,big; byte_extract:4,0,SftOffset,relative,big; content:"MM|00 2A|"; depth:4; isdataat:SftOffset; content:!"|00|"; within:SftLen; distance:SftOffset; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4903; reference:url,helpx.adobe.com/security/products/reader/apsb18-02.html; classtype:attempted-user; sid:45786; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER EMF EmrText object out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; content:"|53 00 00 00|"; within:4; distance:-72; content:"|4C 00 00 00|"; within:4; distance:44; byte_test:1,>,0x96,0,relative; content:!"|00|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4883; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45783; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER EMF EmrText object out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; content:"|53 00 00 00|"; within:4; distance:-72; content:"|4C 00 00 00|"; within:4; distance:44; byte_test:1,>,0x96,0,relative; content:!"|00|"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4883; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45782; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt"; flow:to_server,established; file_data; content:"|F1 55 CC 83 1E 49 45 B5 C5 F8 A1 24 BA 2C E3 0E 97 01 3D 1A 68 A1 94 B6 98 17 33 82 73 58 AF BC|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-4893; classtype:attempted-recon; sid:45781; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt"; flow:to_client,established; file_data; content:"|F1 55 CC 83 1E 49 45 B5 C5 F8 A1 24 BA 2C E3 0E 97 01 3D 1A 68 A1 94 B6 98 17 33 82 73 58 AF BC|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4893; classtype:attempted-recon; sid:45780; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS file malformed Source attribute buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xps&file.zip; file_data; content:"<PageContent"; nocase; content:"Source"; within:7; nocase; content:"="; within:2; content:"%"; within:15; isdataat:15; content:!"|22 2F 3E|"; within:15; metadata:service smtp; reference:cve,2018-4899; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45777; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS file malformed Source attribute buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xps&file.zip; file_data; content:"<PageContent"; nocase; content:"Source"; within:7; nocase; content:"="; within:2; content:"%"; within:15; isdataat:15; content:!"|22 2F 3E|"; within:15; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4899; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45776; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_server,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|02|"; within:1; distance:1; byte_math:bytes  4,offset 4,oper /,rvalue 16,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45822; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_client,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|00|"; within:1; distance:1; byte_math:bytes  4,offset 4,oper /,rvalue 8,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45821; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_server,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|00|"; within:1; distance:1; byte_math:bytes  4,offset 4,oper /,rvalue 8,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45820; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_client,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|02|"; within:1; distance:1; byte_math:bytes  4,offset 4,oper /,rvalue 16,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45819; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS malformed TIFF data out of bounds access attempt"; flow:to_server,established; file_data; content:"|4D 4D 00 2A 00 00 09 9C 40 44 51 55 51 45 55 55 55 55 55 55 55 55 55 55 55 55 40 00 04 51 45 55|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4907; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45861; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS malformed TIFF data out of bounds access attempt"; flow:to_client,established; file_data; content:"|4D 4D 00 2A 00 00 09 9C 40 44 51 55 51 45 55 55 55 55 55 55 55 55 55 55 55 55 40 00 04 51 45 55|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4907; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45860; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|45 4D 46 2B 15 40|"; fast_pattern; content:"|FF|"; within:1; distance:-14; content:"|46|"; within:1; distance:-5; content:"|10 00 00 00 04 00 00 00|"; within:8; distance:19; metadata:service smtp; reference:cve,2018-4895; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45856; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|45 4D 46 2B 15 40|"; fast_pattern; content:"|FF|"; within:1; distance:-14; content:"|46|"; within:1; distance:-5; content:"|10 00 00 00 04 00 00 00|"; within:8; distance:19; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4895; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45855; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt"; flow:to_server,established; file_data; content:"|4D 00 00 00 24 02 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 18 15 00 00 40 15 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4886; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45852; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt"; flow:to_client,established; file_data; content:"|4D 00 00 00 24 02 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 18 15 00 00 40 15 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4886; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45851; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt"; flow:to_server,established; file_data; content:"|4D 00 00 00 A4 00 00 00 EC 00 00 00 5C 01 00 00 ED 00 00 00 5D 01 00 00 4D 0F 00 00 DD 04 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4886; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45850; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt"; flow:to_client,established; file_data; content:"|4D 00 00 00 A4 00 00 00 EC 00 00 00 5C 01 00 00 ED 00 00 00 5D 01 00 00 4D 0F 00 00 DD 04 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4886; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45849; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Sophos Tester Tool dll-load exploit attempt"; flow:to_server,established; content:"/tester86.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6318; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,community.sophos.com/products/intercept/early-access-preview/b/blog/posts/sophos-tester; classtype:attempted-user; sid:45928; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Sophos Tester Tool dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"t|00|e|00|s|00|t|00|e|00|r|00|8|00|6|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x1B\x00|\x00\x5C)\x00t\x00e\x00s\x00t\x00e\x00r\x008\x006\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2018-6318; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,community.sophos.com/products/intercept/early-access-preview/b/blog/posts/sophos-tester; classtype:attempted-user; sid:45927; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER ZIP file directory traversal attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|03 04|"; byte_test:2,<,20,4,relative,little; byte_extract:2,22,length,relative,little; content:"..|5C|"; within:length; distance:3; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-0883; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0883; classtype:attempted-user; sid:45895; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ZIP file directory traversal attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|03 04|"; byte_test:2,<,20,4,relative,little; byte_extract:2,22,length,relative,little; content:"..|5C|"; within:length; distance:3; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0883; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0883; classtype:attempted-user; sid:45894; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER ZIP file directory traversal attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|03 04|"; byte_test:2,<,20,4,relative,little; byte_extract:2,22,length,relative,little; content:"../"; within:length; distance:3; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-0883; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0883; classtype:attempted-user; sid:45893; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER ZIP file directory traversal attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|03 04|"; byte_test:2,<,20,4,relative,little; byte_extract:2,22,length,relative,little; content:"../"; within:length; distance:3; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0883; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0883; classtype:attempted-user; sid:45892; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.xps; file_data; content:"Path Data"; content:"L"; within:30; pcre:"/<Path Data\s*=\s*[\x27|\x22]\s*L/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4898; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45990; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.xps; file_data; content:"Path Data"; content:"L"; within:30; pcre:"/<Path Data\s*=\s*[\x27|\x22]\s*L/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4898; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-admin; sid:45989; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"RCTICKETENCRYPTED"; fast_pattern:only; content:"<!DOCTYPE"; nocase; content:"<!ENTITY"; within:25; nocase; content:"remote"; within:25; nocase; content:"SYSTEM"; within:25; nocase; content:"http"; within:25; nocase; metadata:service smtp; reference:cve,2018-0878; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0878; classtype:attempted-recon; sid:46075; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"RCTICKETENCRYPTED"; fast_pattern:only; content:"<!DOCTYPE"; nocase; content:"<!ENTITY"; within:25; nocase; content:"remote"; within:25; nocase; content:"SYSTEM"; within:25; nocase; content:"http"; within:25; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-0878; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0878; classtype:attempted-recon; sid:46074; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Python lib wave.py wav zero channel denial of service attempt"; flow:to_server,established; flowbits:isset,file.wav; file_data; content:"WAVEfmt|20|"; depth:8; offset:8; content:"|00 00|"; within:2; distance:6; metadata:service smtp; reference:cve,2017-18207; reference:url,bugs.python.org/issue32056; classtype:attempted-user; sid:46073; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Python lib wave.py wav zero channel denial of service attempt"; flow:to_client,established; flowbits:isset,file.wav; file_data; content:"WAVEfmt|20|"; depth:8; offset:8; content:"|00 00|"; within:2; distance:6; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-18207; reference:url,bugs.python.org/issue32056; classtype:attempted-user; sid:46072; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|01 03 84 09 00 00 78 09 00 00 02 10 C0 DB 0C 01 00 00 00 00 00 00 FC 9B 99 42 B5 8D 90 42 B1 58|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-4885; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:46054; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|01 03 84 09 00 00 78 09 00 00 02 10 C0 DB 0C 01 00 00 00 00 00 00 FC 9B 99 42 B5 8D 90 42 B1 58|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4885; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:46053; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro JPEG embedded XPS file heap overflow attempt"; flow:to_server,established; file_data; content:"|FF E1|"; content:"Exif|00 00|MM|00 2A|"; content:"|01 12 00 03|"; within:100; fast_pattern; byte_test:4,>,0x01,0,relative,big; byte_extract:4,4,dataOffset,relative,big; isdataat:!dataOffset,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-4890; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:46118; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro JPEG embedded XPS file heap overflow attempt"; flow:to_client,established; file_data; content:"|FF E1|"; content:"Exif|00 00|MM|00 2A|"; content:"|01 12 00 03|"; within:100; fast_pattern; byte_test:4,>,0x01,0,relative,big; byte_extract:4,4,dataOffset,relative,big; isdataat:!dataOffset,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4890; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:46117; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Defender malformed RAR memory corruption attempt"; flow:to_server,established; flowbits:isset,file.rar; file_data; content:"|BF 88 5F DA E9 FF BB 69 70 00 80 00 41 A9 08 7F 32 B8 A0 33 48 32 B9 34 C9 B7 49 62 81 5E 93 70|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0986; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0986; classtype:attempted-user; sid:46164; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Defender malformed RAR memory corruption attempt"; flow:to_client,established; flowbits:isset,file.rar; file_data; content:"|BF 88 5F DA E9 FF BB 69 70 00 80 00 41 A9 08 7F 32 B8 A0 33 48 32 B9 34 C9 B7 49 62 81 5E 93 70|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0986; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0986; classtype:attempted-user; sid:46163; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows malformed TTF integer overflow attempt"; flow:to_server,established; file_data; content:"|00 02 00 73 00 00 00 08 00 03 00 02 00 00 00 04 00 00 00 07 00 11 00 1D 00 28 00 35 00 43 00 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1013; reference:url,portal.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1013; classtype:attempted-admin; sid:46189; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows malformed TTF integer overflow attempt"; flow:to_client,established; file_data; content:"|00 02 00 73 00 00 00 08 00 03 00 02 00 00 00 04 00 00 00 07 00 11 00 1D 00 28 00 35 00 43 00 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1013; reference:url,portal.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1013; classtype:attempted-admin; sid:46188; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER TrueType Font Windows EOT font engine remote code execution attempt"; flow:to_server,established; file_data; content:"|32 6B 15 36 5F 3F 49 01 0C 34 64 62 5D 2C DD F2 70 69 A0 52 28 53 5E 6C 40 86 9C 10 08 98 19 4C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1016; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1016; classtype:attempted-admin; sid:46187; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER TrueType Font Windows EOT font engine remote code execution attempt"; flow:to_client,established; file_data; content:"|32 6B 15 36 5F 3F 49 01 0C 34 64 62 5D 2C DD F2 70 69 A0 52 28 53 5E 6C 40 86 9C 10 08 98 19 4C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1016; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1016; classtype:attempted-admin; sid:46186; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected"; flow:to_client,established; file_data; content:"|78 9F 3E 22|"; depth:4; content:"Package"; content:"|5C 5C|"; within:100; content:"METAFILE"; distance:0; fast_pattern; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0950; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0950; classtype:policy-violation; sid:46267; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected"; flow:to_server,established; file_data; content:"|78 9F 3E 22|"; depth:4; content:"Package"; content:"|5C 5C|"; within:100; content:"METAFILE"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0950; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0950; classtype:policy-violation; sid:46266; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Flash Player ATF image file out of bounds read attempt"; flow:to_client,established; file_data; content:"|41 54 46 00 00 1E 0A 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 02 02 02 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4933; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46265; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Flash Player ATF image file out of bounds read attempt"; flow:to_server,established; file_data; content:"|41 54 46 00 00 1E 0A 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 02 02 02 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4933; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46264; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|E1 04 03 1D 00 D0 9A FF 34 06 40 2B 98 E8 E0 13 A0 15 A3 D6 90 11 CE A3 81 36 1A 68 64 84 00 19|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4986; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46734; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|E1 04 03 1D 00 D0 9A FF 34 06 40 2B 98 E8 E0 13 A0 15 A3 D6 90 11 CE A3 81 36 1A 68 64 84 00 19|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4986; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46733; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt"; flow:to_server,established; file_data; content:"|F0 C2 84 D6 6D 33 B4 09 24 29 DB AF F1 C0 27 F1 0B 48 B2 B3 35 2D B4 E5 B2 CC D0 7B 5B C7 B2 25|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-4975; classtype:attempted-recon; sid:46730; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt"; flow:to_client,established; file_data; content:"|F0 C2 84 D6 6D 33 B4 09 24 29 DB AF F1 C0 27 F1 0B 48 B2 B3 35 2D B4 E5 B2 CC D0 7B 5B C7 B2 25|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4975; classtype:attempted-recon; sid:46729; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|4E FF 78 BA DC FE 30 CA 49 AB BD 38 EB CD BB FF 60 28 8E 64 69 9E 68 AA AE 6C EB BE 70 2C CF 74|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4969; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46728; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|4E FF 78 BA DC FE 30 CA 49 AB BD 38 EB CD BB FF 60 28 8E 64 69 9E 68 AA AE 6C EB BE 70 2C CF 74|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4969; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46727; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt"; flow:to_server,established; flowbits:isset,file.bmp; file_data; content:"BM"; depth:2; byte_extract:4,0,FileSize,relative,little; isdataat:!FileSize; metadata:service smtp; reference:cve,2018-4982; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-09.html; classtype:attempted-user; sid:46712; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt"; flow:to_client,established; flowbits:isset,file.bmp; file_data; content:"BM"; depth:2; byte_extract:4,0,FileSize,relative,little; isdataat:!FileSize; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4982; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-09.html; classtype:attempted-user; sid:46711; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"EMF+|22 40|"; fast_pattern; byte_extract:4,6,DataSize,relative,little; content:"BM"; within:150; byte_test:4,>,DataSize,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12851; reference:cve,2018-4982; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-09.html; classtype:attempted-user; sid:46710; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"EMF+|22 40|"; fast_pattern; byte_extract:4,6,DataSize,relative,little; content:"BM"; within:150; byte_test:4,>,DataSize,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12851; reference:cve,2018-4982; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-09.html; classtype:attempted-user; sid:46709; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt"; flow:to_server,established; file_data; content:"|02 10 C0 DB 02 00 00 00 00 00 00 00 07 D0 00 44 4D A6 58 44 80 56 F8 43 4D A6 58 44|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4965; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46708; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt"; flow:to_client,established; file_data; content:"|02 10 C0 DB 02 00 00 00 00 00 00 00 07 D0 00 44 4D A6 58 44 80 56 F8 43 4D A6 58 44|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4965; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46707; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt"; flow:to_server,established; file_data; content:"|51 00 00 00 B8 B0 00 00 00 00 00 00 00 00 00 00 5F 00 00 00 77 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4964; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46704; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt"; flow:to_client,established; file_data; content:"|51 00 00 00 B8 B0 00 00 00 00 00 00 00 00 00 00 5F 00 00 00 77 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4964; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46703; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|77 77 77 77 BB BB BB BB DD DD DD DD EE EE EE EE 77 77 77 77 BB BB BB BB DD DD DD DD EE EE EE EE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4968; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46699; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|77 77 77 77 BB BB BB BB DD DD DD DD EE EE EE EE 77 77 77 77 BB BB BB BB DD DD DD DD EE EE EE EE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4968; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46698; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt"; flow:to_server,established; file_data; content:"|E9 8F 87 6A BA 67 28 9D 42 D8 00 A8 A1 32 C9 58 8D 8B 3D 49 6A 79 89 46 B1 E8 AA 2D 61 A3 40 87|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4966; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46695; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt"; flow:to_client,established; file_data; content:"|E9 8F 87 6A BA 67 28 9D 42 D8 00 A8 A1 32 C9 58 8D 8B 3D 49 6A 79 89 46 B1 E8 AA 2D 61 A3 40 87|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4966; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46694; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt"; flow:to_server,established; file_data; flowbits:isset,file.xps; content:"|43 C6 E6 D3 23 22 C4 D9 C0 98 E6 F9 BB 73 BD 5E 36 9C CA 79 98 75 E7 D1 30 4D B2 64 9C 77 87 C9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4967; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46691; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt"; flow:to_client,established; file_data; flowbits:isset,file.xps; content:"|43 C6 E6 D3 23 22 C4 D9 C0 98 E6 F9 BB 73 BD 5E 36 9C CA 79 98 75 E7 D1 30 4D B2 64 9C 77 87 C9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4967; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46690; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Reader jp2 double free attempt"; flow:to_server,established; file_data; content:"jp2h|00 00 00 16|ihdr"; content:"cmap"; within:100; content:"pclr"; within:2000; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4990; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46660; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Reader jp2 double free attempt"; flow:to_client,established; file_data; content:"jp2h|00 00 00 16|ihdr"; content:"cmap"; within:100; content:"pclr"; within:2000; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4990; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46659; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt"; flow:to_server,established; file_data; content:"|D3 37 30 34 32 BE 68 7D C9 C6 D6 CE DE 01 E7 E6 EE E1 79 15 7F 2D 30 28 38 24 34 8C 70 23 E6 CF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12803; reference:cve,2018-4960; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-recon; sid:46656; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt"; flow:to_client,established; file_data; content:"|D3 37 30 34 32 BE 68 7D C9 C6 D6 CE DE 01 E7 E6 EE E1 79 15 7F 2D 30 28 38 24 34 8C 70 23 E6 CF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12803; reference:cve,2018-4960; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-recon; sid:46655; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt"; flow:to_server,established; file_data; content:"/Include 4 0 R>>|0D|endobj|0D|3 0 obj|0D|<</AddDocID false/ExcludeNumbers false/NoModifiedDocMsg"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4984; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46652; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt"; flow:to_client,established; file_data; content:"/Include 4 0 R>>|0D|endobj|0D|3 0 obj|0D|<</AddDocID false/ExcludeNumbers false/NoModifiedDocMsg"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4984; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46651; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|19 40 00 00 10 00 00 00 04 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4949; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-recon; sid:46648; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|19 40 00 00 10 00 00 00 04 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4949; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-recon; sid:46647; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Professional EMF compression out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; content:"|20 00 CC 00|"; within:4; distance:64; content:"|28 00 00 00|"; within:4; distance:8; content:"|02 00 00 00|"; within:4; distance:12; content:!"|04 00|"; within:2; distance:-6; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-4950; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46644; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Professional EMF compression out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; content:"|20 00 CC 00|"; within:4; distance:64; content:"|28 00 00 00|"; within:4; distance:8; content:"|02 00 00 00|"; within:4; distance:12; content:!"|04 00|"; within:2; distance:-6; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4950; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46643; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Host Compute Service Shim remote code execution attempt"; flow:to_client,established; file_data; content:"|00 00|Files|5C|../../../../../../../../"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-8115; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8115; classtype:attempted-user; sid:46811; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_server,established; file_data; content:"<progress"; nocase; content:"<meta"; within:150; nocase; content:"</progress"; distance:0; nocase; pcre:"/<progress[^\x2f]*?<meta/si"; metadata:service smtp; reference:cve,2018-4957; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-admin; sid:46798; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_client,established; file_data; content:"<progress"; nocase; content:"<meta"; within:150; nocase; content:"</progress"; distance:0; nocase; pcre:"/<progress[^\x2f]*?<meta/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4957; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-admin; sid:46797; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|53 00 00 00|"; content:"|01 00 00 00|"; within:4; distance:20; content:"|00 00 00 00 4C 00 00 00|"; within:8; distance:16; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4972; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46813; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|53 00 00 00|"; content:"|01 00 00 00|"; within:4; distance:20; content:"|00 00 00 00 4C 00 00 00|"; within:8; distance:16; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4972; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46812; rev:1;)
# alert tcp $EXTERNAL_NET 1935 -> $HOME_NET any (msg:"FILE-OTHER Adobe Flash Player AMF0 Shared Object integer overflow attempt"; flow:to_client,established; file_data; content:"|78 E6 8F D5 85 FF AB 70 FA 5B 5B 34 D4 3E 3C FF 9F 76 15 43 12 CD 68 4E EE DD BE DD 91 BF 10 F3|"; fast_pattern:only; reference:cve,2018-5000; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-19.html; classtype:attempted-user; sid:46960; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows .lnk shortcut file executing system32 executable attempt"; flow:to_server,established; flowbits:isset,file.lnk; file_data; content:"C:|5C|Windows|5C|System32|5C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0978; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0978; classtype:attempted-user; sid:46943; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows .lnk shortcut file executing system32 executable attempt"; flow:to_client,established; flowbits:isset,file.lnk; file_data; content:"C:|5C|Windows|5C|System32|5C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0978; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0978; classtype:attempted-user; sid:46942; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt"; flow:to_server,established; file_data; content:"MSWIM|00 00|"; depth:7; content:"|00|"; within:1; distance:140; byte_extract:4,-5,msb,relative,little; byte_test:4,<=,msb,-20,relative,little; byte_extract:4,-7,lsb,relative,little; byte_test:4,>,lsb,-20,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8210; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8210; reference:url,www.talosintelligence.com/reports/TALOS-2018-0545/; classtype:attempted-user; sid:46059; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt"; flow:to_server,established; file_data; content:"MSWIM|00 00|"; depth:7; content:"|00|"; within:1; distance:140; byte_extract:4,-5,msb,relative,little; byte_test:4,>,msb,-20,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8210; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8210; reference:url,www.talosintelligence.com/reports/TALOS-2018-0545/; classtype:attempted-user; sid:46058; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt"; flow:to_client,established; file_data; content:"MSWIM|00 00|"; depth:7; content:"|00|"; within:1; distance:140; byte_extract:4,-5,msb,relative,little; byte_test:4,<=,msb,-20,relative,little; byte_extract:4,-7,lsb,relative,little; byte_test:4,>,lsb,-20,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8210; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8210; reference:url,www.talosintelligence.com/reports/TALOS-2018-0545/; classtype:attempted-user; sid:46056; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt"; flow:to_client,established; file_data; content:"MSWIM|00 00|"; depth:7; content:"|00|"; within:1; distance:140; byte_extract:4,-5,msb,relative,little; byte_test:4,>,msb,-20,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8210; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8210; reference:url,www.talosintelligence.com/reports/TALOS-2018-0545/; classtype:attempted-user; sid:46055; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER FreeBSD bspatch utility remote code execution attempt"; flow:to_server,established; file_data; content:"|42 5A 68 39 31 41 59 26 53 59 2F 18 72 6E 00 00 05 C0 40 C2 10 40 00 01 00 A0 00 30 C0 04 A7 A8 C8 B5 08 93 78 BE 2E E4 8A 70 A1 20 5E 30 E4 DC|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-9862; classtype:attempted-user; sid:47048; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER FreeBSD bspatch utility remote code execution attempt"; flow:to_client,established; file_data; content:"|42 5A 68 39 31 41 59 26 53 59 2F 18 72 6E 00 00 05 C0 40 C2 10 40 00 01 00 A0 00 30 C0 04 A7 A8 C8 B5 08 93 78 BE 2E E4 8A 70 A1 20 5E 30 E4 DC|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-9862; classtype:attempted-user; sid:47047; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|00 00 10 00 98 0A 08 00 40 84 04 F5 5D 00 00 00 FF 19 00 00 00 F0 CF 8F 00 16 AE EC 00 04 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12861; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48125; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|00 00 10 00 98 0A 08 00 40 84 04 F5 5D 00 00 00 FF 19 00 00 00 F0 CF 8F 00 16 AE EC 00 04 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12861; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48124; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft .NET Resources file remote code execution attempt"; flow:to_server,established; file_data; content:"<data"; content:"System.Resources.ResXFileRef"; within:500; fast_pattern; content:"|5C 5C|"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8172; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8172; classtype:attempted-user; sid:48123; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft .NET Resources file remote code execution attempt"; flow:to_client,established; file_data; content:"<data"; content:"System.Resources.ResXFileRef"; within:500; fast_pattern; content:"|5C 5C|"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8172; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8172; classtype:attempted-user; sid:48122; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|FF 19 00 00 00 70 CF 8F 00 12 AE EC 00 04 00 00 00 84 CF 8F 00 2E 63 ED 00 04 00 00 00 88 CF 8F 00 12 AE EC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12862; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48108; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|FF 19 00 00 00 70 CF 8F 00 12 AE EC 00 04 00 00 00 84 CF 8F 00 2E 63 ED 00 04 00 00 00 88 CF 8F 00 12 AE EC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12862; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48107; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|40 84 04 00 46 00 00 00 2C 00 00 00 20 00 00 00 45 4D 46 2B 80 00 01 00 1C 00 00 00 10 00 F0 00 02 10 C0 DB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12866; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48075; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|40 84 04 00 46 00 00 00 2C 00 00 00 20 00 00 00 45 4D 46 2B 80 00 01 00 1C 00 00 00 10 00 F0 00 02 10 C0 DB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12866; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48074; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Powershell XML instantiation constrained language mode bypass attempt"; flow:to_client,established; file_data; content:"transformNode"; fast_pattern:only; content:"Msxml"; nocase; content:"open"; within:50; nocase; content:"loadXML"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8492; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8492; classtype:attempted-user; sid:48063; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Powershell XML instantiation constrained language mode bypass attempt"; flow:to_server,established; file_data; content:"transformNode"; fast_pattern:only; content:"Msxml"; nocase; content:"open"; within:50; nocase; content:"loadXML"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8492; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8492; classtype:attempted-user; sid:48062; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows malformed .themepack Theme API remote code execution attempt"; flow:to_server,established; file_data; content:"MSCF"; depth:4; content:"..|5C|..|5C|"; distance:0; content:".theme|00|"; within:250; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8413; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8413; classtype:attempted-user; sid:48060; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows malformed .themepack Theme API remote code execution attempt"; flow:to_client,established; file_data; content:"MSCF"; depth:4; content:"..|5C|..|5C|"; distance:0; content:".theme|00|"; within:250; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8413; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8413; classtype:attempted-user; sid:48059; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF file use-after-free attempt"; flow:to_server,established; file_data; content:"|CF 8F 00 12 AE EC 00 04 00 00 00 84 CF 8F 00 2E 63 ED 00 04 00 00 00 88 CF 8F 00 12 AE EC 00 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12863; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48034; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF file use-after-free attempt"; flow:to_client,established; file_data; content:"|CF 8F 00 12 AE EC 00 04 00 00 00 84 CF 8F 00 2E 63 ED 00 04 00 00 00 88 CF 8F 00 12 AE EC 00 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12863; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48033; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Acrobat Adobe Pro XPS out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|F4 4C 15 F4 7B EE 66 01 00 00 F4 01 00 00 19 00 00 00 00 00 00 00 00 00 00 00 B6 81 EE 02 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12878; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47994; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Acrobat Adobe Pro XPS out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|F4 4C 15 F4 7B EE 66 01 00 00 F4 01 00 00 19 00 00 00 00 00 00 00 00 00 00 00 B6 81 EE 02 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12878; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47993; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF out of bounds write attempt"; flow:to_server,established; file_data; content:"|6A ED 0C 3F 9C BA A2 BE 9C BA A2 3E 6A ED 0C 3F 00 00 00 00 00 5C 8B 45 02 00 00 00 12 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-12868; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47990; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF out of bounds write attempt"; flow:to_client,established; file_data; content:"|6A ED 0C 3F 9C BA A2 BE 9C BA A2 3E 6A ED 0C 3F 00 00 00 00 00 5C 8B 45 02 00 00 00 12 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12868; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47989; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|8E B6 19 EF 80 88 A8 58 45 F5 38 7E E2 E4 29 9F 33 67 7D CF 9D 0F BC 70 F1 D2 E5 2B 57 AD D7 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47988; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt"; flow:to_client, established; file_data; content:"|8E B6 19 EF 80 88 A8 58 45 F5 38 7E E2 E4 29 9F 33 67 7D CF 9D 0F BC 70 F1 D2 E5 2B 57 AD D7 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47987; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds write attempt"; flow:to_server,established; file_data; content:"|4D 4D 00 2A 00 00 12 08 FF D8 FF C0 00 11 08 00 A0 00 A0 03 00 22 00 01 11 01 02 11 01 FF DB 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15945; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47986; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds write attempt"; flow:to_client,established; file_data; content:"|4D 4D 00 2A 00 00 12 08 FF D8 FF C0 00 11 08 00 A0 00 A0 03 00 22 00 01 11 01 02 11 01 FF DB 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15945; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47985; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF out-of-bounds read attempt"; flow:to_server, established; flowbits:isset,file.emf; file_data; content:"|37 6A CE D2 00 80 D8 B7 00 00 B7 7C D0 C1 00 00 D0 3D 00 80 5C 3D FF 7F FF FF 00 00 FD 06 1D FC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12880; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47984; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF out-of-bounds read attempt"; flow:to_client, established; flowbits:isset,file.emf; file_data; content:"|37 6A CE D2 00 80 D8 B7 00 00 B7 7C D0 C1 00 00 D0 3D 00 80 5C 3D FF 7F FF FF 00 00 FD 06 1D FC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12880; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47983; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF memory corruption attempt"; flow:to_server,established; file_data; content:"|6A ED 0C 3F 9C BA A2 BE 9C BA A2 3E 6A ED 0C 3F 00 00 00 00 00 5C 8B 45 02 00 00 00 12 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15951; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47976; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF memory corruption attempt"; flow:to_client,established; file_data; content:"|6A ED 0C 3F 9C BA A2 BE 9C BA A2 3E 6A ED 0C 3F 00 00 00 00 00 5C 8B 45 02 00 00 00 12 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15951; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47975; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt"; flow:to_client,established; file_data; content:"%document.all.length].appendChild("; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12835; reference:cve,2018-15994; reference:cve,2018-16008; reference:cve,2018-16026; reference:cve,2019-7042; reference:cve,2019-7078; reference:url,helpx.adobe.com/security/products/acrobat/APSB19-07.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:47964; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt"; flow:to_server,established; file_data; content:"%document.all.length].appendChild("; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12835; reference:cve,2018-15994; reference:cve,2018-16008; reference:cve,2018-16026; reference:cve,2019-7042; reference:cve,2019-7078; reference:url,helpx.adobe.com/security/products/acrobat/APSB19-07.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:47963; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out of bounds write attempt"; flow:to_server,established; file_data; content:"|19 40 04 08 7C 07 00 00 70 07 00 00 B5 03 00 00 49 7C 3F 1F 3F 7F 7F 06 3A 7F 00 40 60 40 75 7B|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-12759; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47962; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out of bounds write attempt"; flow:to_client,established; file_data; content:"|19 40 04 08 7C 07 00 00 70 07 00 00 B5 03 00 00 49 7C 3F 1F 3F 7F 7F 06 3A 7F 00 40 60 40 75 7B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12759; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47961; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|24 30 00 00 85 15 00 00 20 45 4D 46 00 00 01 00 88 24 00 00 3E 01 00 00 80 FF FF 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12865; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47960; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt"; flow:to_client, established; flowbits:isset,file.emf; file_data; content:"|24 30 00 00 85 15 00 00 20 45 4D 46 00 00 01 00 88 24 00 00 3E 01 00 00 80 FF FF 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12865; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47959; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawDriverString malformed GlyphCount value integer overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; byte_extract:4,4,emf_size,relative,little; content:"|36 40|"; within:emf_size; content:"|01 00 00 00|"; within:4; distance:14; byte_test:4,>,0x7FFFFFFE,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12842; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47958; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawDriverString malformed GlyphCount value integer overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; byte_extract:4,4,emf_size,relative,little; content:"|36 40|"; within:emf_size; content:"|01 00 00 00|"; within:4; distance:14; byte_test:4,>,0x7FFFFFFE,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12842; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47957; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Distiller PostScript conversion heap overflow attempt"; flow:to_server,established; file_data; content:"|2F|Action"; fast_pattern; content:"|2F|Launch"; within:10; content:"|2F|URI"; within:10; content:!"|0D 0A|"; within:2047; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12833; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-admin; sid:47952; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Distiller PostScript conversion heap overflow attempt"; flow:to_client,established; file_data; content:"|2F|Action"; fast_pattern; content:"|2F|Launch"; within:10; content:"|2F|URI"; within:10; content:!"|0D 0A|"; within:2047; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12833; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-admin; sid:47951; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|CF 8F 00 CB 4D EB 1F 8C CF 8F 00 8D 61 ED 00 7F 00 00 00 01 00 FF FF 40 00 00 00 FF 07 FF FF A8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12860; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47927; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|CF 8F 00 CB 4D EB 1F 8C CF 8F 00 8D 61 ED 00 7F 00 00 00 01 00 FF FF 40 00 00 00 FF 07 FF FF A8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12860; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47926; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt"; flow:to_server,established; file_data; content:"|E9 A9 67 72 40 3F 00 9C 7E 9F 90 FF 85 9A 31 C5 79 BA ED 30 BC DF CC 9D 63 D9 ED C7 9F 46 FB 8A|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-8423; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8423; classtype:attempted-user; sid:47886; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt"; flow:to_client,established; file_data; content:"|E9 A9 67 72 40 3F 00 9C 7E 9F 90 FF 85 9A 31 C5 79 BA ED 30 BC DF CC 9D 63 D9 ED C7 9F 46 FB 8A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-8423; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8423; classtype:attempted-user; sid:47885; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|40 6E 1B 00 02 10 C0 DB 02 00 00 00 04 00 00 00 30 6E 1B 00 01 00 00 00 6C 00 00 00 B1 FF FF FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5030; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47884; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|40 6E 1B 00 02 10 C0 DB 02 00 00 00 04 00 00 00 30 6E 1B 00 01 00 00 00 6C 00 00 00 B1 FF FF FF|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5030; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47883; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Ghostscript -dSAFER sandbox bypass attempt"; flow:to_client,established; file_data; content:"/OutputFile"; fast_pattern; nocase; content:"%pipe%"; within:10; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16509; classtype:attempted-admin; sid:47882; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat HTML invalid pointer out-of-bounds read attempt"; flow:to_server,established; file_data; content:"<marquee>"; fast_pattern; content:"<tt>"; within:50; content:"zoom:"; byte_test:10,>,59,0,relative,string,dec; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12778; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; classtype:attempted-user; sid:47855; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat HTML invalid pointer out-of-bounds read attempt"; flow:to_client,established; file_data; content:"<marquee>"; fast_pattern; content:"<tt>"; within:50; content:"zoom:"; byte_test:10,>,59,0,relative,string,dec; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12778; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; classtype:attempted-user; sid:47854; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro HTML invalid pointer offset out-of-bounds read attempt"; flow:to_server,established; file_data; content:"height: 16vh|3B 22|>o*Rb: VA@6Yfa=*8h}"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; classtype:attempted-user; sid:47853; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro HTML invalid pointer offset out-of-bounds read attempt"; flow:to_client,established; file_data; content:"height: 16vh|3B 22|>o*Rb: VA@6Yfa=*8h}"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12775; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; classtype:attempted-user; sid:47852; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"|08 40|"; within:2; distance:12; byte_test:1,=,4,1,relative,bitmask 0x7f; byte_extract:4,2,regionSize,relative,little; byte_test:4,>,regionSize,8,little,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12762; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47683; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"|08 40|"; within:2; distance:12; byte_test:1,=,4,1,relative,bitmask 0x7f; byte_extract:4,2,regionSize,relative,little; byte_test:4,>,regionSize,8,little,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12762; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47682; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro untrusted pointer dereference attempt"; flow:to_server,established; file_data; content:"|D8 BE 81 74 5A 9A BE 44 00 00 00 01 00 00 00 00 00 41 41 50 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12799; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47631; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro untrusted pointer dereference attempt"; flow:to_client,established; file_data; content:"|D8 BE 81 74 5A 9A BE 44 00 00 00 01 00 00 00 00 00 41 41 50 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12799; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47630; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|72 00 00 00|"; fast_pattern; byte_test:4,>,0x10000000,0,relative,little; content:"|28 00 00 00|"; within:4; distance:4; byte_test:4,>,0x10000000,32,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4982; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-09.html; classtype:attempted-user; sid:47629; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|72 00 00 00|"; fast_pattern; byte_test:4,>,0x10000000,0,relative,little; content:"|28 00 00 00|"; within:4; distance:4; byte_test:4,>,0x10000000,32,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4982; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-09.html; classtype:attempted-user; sid:47628; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Reader EMF path record out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|FF FF FF FF FF 04 00 00 00 00 00 00 00 00 00 31 01 57 07 31 01 57 07 00 00 3C 00 00 00 08 00 00 00 43 00 00 00 0C 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12786; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47626; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Reader EMF path record out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|FF FF FF FF FF 04 00 00 00 00 00 00 00 00 00 31 01 57 07 31 01 57 07 00 00 3C 00 00 00 08 00 00 00 43 00 00 00 0C 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-12786; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47625; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt"; flow:to_server,established; flowbits:isnotset,file.exe; flowbits:isnotset,file.elf; file_data; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; content:"|22 06 4E 40 22|"; metadata:service smtp; classtype:attempted-user; sid:47612; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt"; flow:to_client,established; flowbits:isnotset,file.exe; flowbits:isnotset,file.elf; file_data; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; content:"|22 06 4E 40 22|"; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:47611; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt"; flow:to_server; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; byte_test:1,=,1,4,relative,little,bitmask 0x01; byte_test:2,>,250,24,relative,little; byte_jump:2,38,relative,little,from_beginning; content:"PK|03 04|"; within:4; byte_test:2,<,10,22,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-1000035; classtype:attempted-user; sid:47587; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt"; flow:to_client; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; byte_test:1,=,1,4,relative,little,bitmask 0x01; byte_test:2,>,250,24,relative,little; byte_jump:2,38,relative,little,from_beginning; content:"PK|03 04|"; within:4; byte_test:2,<,10,22,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1000035; classtype:attempted-user; sid:47586; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Graphics remote code execution attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|00 0C 00 00|"; fast_pattern; content:"|00 00 00 00 00 00 00 02|"; within:8; distance:4; content:"|00 00 00 00|"; within:4; byte_extract:4,0,endCharCode,relative; byte_test:4,<,endCharCode,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8344; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8344; classtype:attempted-user; sid:47520; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Graphics remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 0C 00 00|"; fast_pattern; content:"|00 00 00 00 00 00 00 02|"; within:8; distance:4; content:"|00 00 00 00|"; within:4; byte_extract:4,0,endCharCode,relative; byte_test:4,<,endCharCode,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8344; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8344; classtype:attempted-user; sid:47519; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft LNK remote code execution attempt"; flow:to_server,established; file_data; flowbits:isset,file.lnk; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; depth:20; fast_pattern; byte_test:1,&,0x1,0,relative; byte_test:2,>,0x2710,76,little; isdataat:2000,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8345; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8345; classtype:attempted-admin; sid:47477; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft LNK remote code execution attempt"; flow:to_client,established; file_data; flowbits:isset,file.lnk; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; depth:20; fast_pattern; byte_test:1,&,0x1,0,relative; byte_test:2,>,0x2710,76,little; isdataat:2000,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8345; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8345; classtype:attempted-admin; sid:47476; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER InPage reader remote code execution attemptt"; flow:to_server,established; file_data; content:"|52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79|"; content:"|50 00 50 00 69 00 63 00 74 00 73 00 31 00 34 00 62 00 61 00 30 00 36 00 39|"; fast_pattern:only; content:"|44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 49 00 6E 00 66 00 6F|"; content:"|49 00 6E 00 50 00 61 00 67 00 65 00 31 00 30 00 30|"; within:200; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-12824; classtype:attempted-user; sid:47441; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER InPage reader remote code execution attemptt"; flow:to_client,established; file_data; content:"|52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79|"; content:"|50 00 50 00 69 00 63 00 74 00 73 00 31 00 34 00 62 00 61 00 30 00 36 00 39|"; fast_pattern:only; content:"|44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 49 00 6E 00 66 00 6F|"; content:"|49 00 6E 00 50 00 61 00 67 00 65 00 31 00 30 00 30|"; within:200; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-12824; classtype:attempted-user; sid:47440; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"|00 5C 00|b|00|a|00|d|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2017-6950; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:47422; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro use after free attempt"; flow:to_server,established; file_data; content:"summary.innerText = String.fromCh"; fast_pattern:only; metadata:service smtp; reference:cve,2018-12772; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47385; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro use after free attempt"; flow:to_client,established; file_data; content:"summary.innerText = String.fromCh"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12772; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47384; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt"; flow:to_server,established; file_data; content:"|50 EE B9 0F 2C 44 F0 08 99 60 83 C0 40 7A 15 9E FD DA BF FD DC DF FD DE FF FD E0 1F FE E2 3F FE|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5037; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47370; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt"; flow:to_client,established; file_data; content:"|50 EE B9 0F 2C 44 F0 08 99 60 83 C0 40 7A 15 9E FD DA BF FD DC DF FD DE FF FD E0 1F FE E2 3F FE|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5037; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47369; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawPath out of bounds read attempt"; flow:to_server,established; file_data; content:"|00 D8 94 45 3E 7C 91 4A 00 D8 94 45 3E 7C 91 4A C0 49 EA 49 00 D8 94 45 C0 49 EA 49 00 01 01 81|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-recon; sid:47355; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawPath out of bounds read attempt"; flow:to_client,established; file_data; content:"|00 D8 94 45 3E 7C 91 4A 00 D8 94 45 3E 7C 91 4A C0 49 EA 49 00 D8 94 45 C0 49 EA 49 00 01 01 81|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-recon; sid:47354; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EMR_CREATEDIBPATTERNBRUSHPT record buffer overflow attempt"; flow:to_server,established; file_data; content:"|00 D8 31 00 00 00 00 00 00 20 00 CC 00 3C 00 00 00 37 00 00 00 28 00 00 00 3A 00 00 00 37 00 00 00 01 00 20 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5034; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47346; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EMR_CREATEDIBPATTERNBRUSHPT record buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 D8 31 00 00 00 00 00 00 20 00 CC 00 3C 00 00 00 37 00 00 00 28 00 00 00 3A 00 00 00 37 00 00 00 01 00 20 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5034; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47345; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds write attempt"; flow:to_server,established; file_data; content:"|00 01 00 00|"; depth:4; content:"cmap"; within:500; content:"head"; within:150; fast_pattern; content:!"|00 00 00 36|"; within:4; distance:8; metadata:service smtp; reference:cve,2018-5059; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47333; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds write attempt"; flow:to_client,established; file_data; content:"|00 01 00 00|"; depth:4; content:"cmap"; within:500; content:"head"; within:150; fast_pattern; content:!"|00 00 00 36|"; within:4; distance:8; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5059; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47332; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|11 40 06 40 1C 00 00 00 10 00 00 00 FF FF 7F 7F 01 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12760; classtype:attempted-user; sid:47317; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|11 40 06 40 1C 00 00 00 10 00 00 00 FF FF 7F 7F 01 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12760; classtype:attempted-user; sid:47316; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt"; flow:to_server, established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; byte_extract:4,0,emr_size,relative,little; content:"|10 C0 DB|"; within:emr_size; content:"|01 00 00 10 00 00 00 00|"; within:8; distance:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5020; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47309; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt"; flow:to_client, established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; byte_extract:4,0,emr_size,relative,little; content:"|10 C0 DB|"; within:emr_size; content:"|01 00 00 10 00 00 00 00|"; within:8; distance:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5020; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47308; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt"; flow:to_server,established; file_data; content:"_objdef"; nocase; content:"/OBJ"; within:100; nocase; content:"pdfmark"; within:15; nocase; content:"/PUT"; distance:0; nocase; content:"pdfmark"; within:15; nocase; pcre:"/\/_objdef\s(?P<nobj>{\w+})\s\/type\s\/dict\s\/OBJ\spdfmark[^>]*?(?P=nobj)[^>]*?(?P=nobj)[^>]*?]\s?>>\s\/PUT\spdfmark/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12758; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47307; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt"; flow:to_client,established; file_data; content:"_objdef"; nocase; content:"/OBJ"; within:100; nocase; content:"pdfmark"; within:15; nocase; content:"/PUT"; distance:0; nocase; content:"pdfmark"; within:15; nocase; pcre:"/\/_objdef\s(?P<nobj>{\w+})\s\/type\s\/dict\s\/OBJ\spdfmark[^>]*?(?P=nobj)[^>]*?(?P=nobj)[^>]*?]\s?>>\s\/PUT\spdfmark/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12758; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47306; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Reader HTML to PDF conversion getMatchedCSSRules use-after-free attempt"; flow:to_server,established; file_data; content:"getElementByID"; nocase; content:"write"; within:100; nocase; content:"getMatchedCSSRules"; within:100; nocase; pcre:"/var\s(?P<var1>\w+?)\s?=\s?\w+?\.getElementById\([\x22\x27](?P<var2>\w+?)[\x22\x27]\)[^>]*?\w+?\.write\([\x22\x27]{2}\)[^>]*?(?P=var1)\.getMatchedCSSRules[^&]*?id\s?=\s?[\x22\x27](?P=var2)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12792; reference:cve,2018-12877; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47284; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Reader HTML to PDF conversion getMatchedCSSRules use-after-free attempt"; flow:to_client,established; file_data; content:"getElementByID"; nocase; content:"write"; within:100; nocase; content:"getMatchedCSSRules"; within:100; nocase; pcre:"/var\s(?P<var1>\w+?)\s?=\s?\w+?\.getElementById\([\x22\x27](?P<var2>\w+?)[\x22\x27]\)[^>]*?\w+?\.write\([\x22\x27]{2}\)[^>]*?(?P=var1)\.getMatchedCSSRules[^&]*?id\s?=\s?[\x22\x27](?P=var2)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12792; reference:cve,2018-12877; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47283; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt"; flow:to_server,established; file_data; content:"getMatchedCSSRules"; content:"offsetParent"; within:50; content:"selectorText"; within:150; metadata:service smtp; reference:cve,2018-12779; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47280; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt"; flow:to_client,established; file_data; content:"getMatchedCSSRules"; content:"offsetParent"; within:50; content:"selectorText"; within:150; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12779; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47279; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS file PPDoc out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|41 0A C2 30 14 44 AF 52 02 2E CD 4F 05 45 24 49 37 E2 01 EC 09 24 FD B1 01 93 5F F3 13 E9 F1 2D 42 17 05 99 E5 CC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5056; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47277; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS file PPDoc out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|41 0A C2 30 14 44 AF 52 02 2E CD 4F 05 45 24 49 37 E2 01 EC 09 24 FD B1 01 93 5F F3 13 E9 F1 2D 42 17 05 99 E5 CC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5056; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47276; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt"; flow:to_server,established; file_data; content:"window.scroll"; content:"<style"; within:250; nocase; content:"<embed"; within:50; nocase; metadata:service smtp; reference:cve,2018-12777; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47275; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt"; flow:to_client,established; file_data; content:"window.scroll"; content:"<style"; within:250; nocase; content:"<embed"; within:50; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12777; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47274; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt"; flow:to_server,established; file_data; content:"extend"; content:"<table"; within:250; nocase; content:"<caption"; within:100; fast_pattern; nocase; content:"<textarea"; within:50; nocase; metadata:service smtp; reference:cve,2018-12774; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47269; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt"; flow:to_client,established; file_data; content:"extend"; content:"<table"; within:250; nocase; content:"<caption"; within:100; fast_pattern; nocase; content:"<textarea"; within:50; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12774; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47268; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt"; flow:to_server,established; file_data; content:"normalize"; content:"-webkit-text-security"; within:300; nocase; content:"<dd"; within:100; nocase; content:"<iframe"; within:100; nocase; metadata:service smtp; reference:cve,2018-12776; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47267; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt"; flow:to_client,established; file_data; content:"normalize"; content:"-webkit-text-security"; within:300; nocase; content:"<dd"; within:100; nocase; content:"<iframe"; within:100; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12776; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47266; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Excel malicious CSV code execution attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; content:"=cmd|7C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:47263; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Excel malicious CSV code execution attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; content:"=cmd|7C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:47262; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Excel malicious CSV code execution attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; content:"=DDE|28|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:47261; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Excel malicious CSV code execution attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; content:"=DDE|28|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:47260; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Excel malicious CSV code execution attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; content:"=Package|7C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:47259; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Excel malicious CSV code execution attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; content:"=Package|7C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:47258; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Excel malicious CSV code execution attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; content:"=MSEXCEL|7C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:47257; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Excel malicious CSV code execution attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; content:"=MSEXCEL|7C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:47256; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Excel malicious CSV code execution attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; content:"=IMPORTXML"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:47255; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Excel malicious CSV code execution attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; content:"=IMPORTXML"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:47254; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro use after free attempt"; flow:to_server,established; file_data; content:"linkColor"; content:"String.fromCharCode"; within:50; content:"<ol"; within:150; nocase; content:"<meter"; within:50; nocase; metadata:service smtp; reference:cve,2018-12773; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47252; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro use after free attempt"; flow:to_client,established; file_data; content:"linkColor"; content:"String.fromCharCode"; within:50; content:"<ol"; within:150; nocase; content:"<meter"; within:50; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12773; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47251; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt"; flow:to_server, established; file_data; content:"|20 1C C5 83 86 07 E1 65 3C 4E 0E 2B 61 38 A8 E1 F9 61 74 6E 60 13 9C 07 62 78 56 78 47 F8 67 F2|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-5018; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-recon; sid:47250; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt"; flow:to_client, established; file_data; content:"|20 1C C5 83 86 07 E1 65 3C 4E 0E 2B 61 38 A8 E1 F9 61 74 6E 60 13 9C 07 62 78 56 78 47 F8 67 F2|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5018; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-recon; sid:47249; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt"; flow:to_server, established; file_data; content:"|59 B4 97 78 44 B3 C3 61 70 E1 00 6A 42 D1 B3 36 9B 7C 0C 0E 3F 6C 57 9A 5C E1 C4 17 F3 8A B1 4B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-5019; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-recon; sid:47246; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt"; flow:to_client, established; file_data; content:"|59 B4 97 78 44 B3 C3 61 70 E1 00 6A 42 D1 B3 36 9B 7C 0C 0E 3F 6C 57 9A 5C E1 C4 17 F3 8A B1 4B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5019; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-recon; sid:47245; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|95 8A 4A 87 3A F4 EC 8F 04 D5 EA 7A E8 10 51 1B 2B 82 B0 10 2C 12 21 61 3D 6A DB 95 76 D7 75 DD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5017; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47238; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|95 8A 4A 87 3A F4 EC 8F 04 D5 EA 7A E8 10 51 1B 2B 82 B0 10 2C 12 21 61 3D 6A DB 95 76 D7 75 DD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5017; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47237; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt"; flow:to_server,established; file_data; content:"-webkit-user-modify"; nocase; content:"<textarea"; within:150; content:"<shadow"; within:150; content:"<marquee"; within:150; metadata:service smtp; reference:cve,2018-12780; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47233; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt"; flow:to_client,established; file_data; content:"-webkit-user-modify"; nocase; content:"<textarea"; within:150; content:"<shadow"; within:150; content:"<marquee"; within:150; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12780; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47232; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds write attempt"; flow:to_server,established; file_data; content:"outerHTML"; content:"autofocus"; within:150; nocase; content:"<summary"; within:150; fast_pattern; nocase; content:"autofocus"; within:150; nocase; content:"true"; within:10; nocase; metadata:service smtp; reference:cve,2018-12771; classtype:attempted-user; sid:47231; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds write attempt"; flow:to_client,established; file_data; content:"outerHTML"; content:"autofocus"; within:150; nocase; content:"<summary"; within:150; fast_pattern; nocase; content:"autofocus"; within:150; nocase; content:"true"; within:10; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12771; classtype:attempted-user; sid:47230; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt"; flow:to_server,established; flowbits:isset,file.otf; file_data; content:"CFF|20|"; fast_pattern; byte_jump:4,4,relative,from_beginning; content:"|01 00 04|"; within:3; content:"|00 01 01|"; within:3; distance:1; byte_test:1,>,128,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7256; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-132; classtype:attempted-admin; sid:47220; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"CFF|20|"; fast_pattern; byte_jump:4,4,relative,from_beginning; content:"|01 00 04|"; within:3; content:"|00 01 01|"; within:3; distance:1; byte_test:1,>,128,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7256; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-132; classtype:attempted-admin; sid:47219; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS heap overflow attempt"; flow:to_server,established; file_data; content:"|E0 02 F8 06 5C 04 DF 84 6F FD 97 F4 44 D1 A0 29 01 02 7F 82 B9 50 2E 9C 6B C9 45 71 31 5C 2C 67|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5015; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47218; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS heap overflow attempt"; flow:to_client,established; file_data; content:"|E0 02 F8 06 5C 04 DF 84 6F FD 97 F4 44 D1 A0 29 01 02 7F 82 B9 50 2E 9C 6B C9 45 71 31 5C 2C 67|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5015; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47217; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|3A 68 BA 9A 31 C7 34 9A 31 3F 4B 01 31 3F D3 74 2B 63 21 F1 4C CC E7 64 05 67 0C 66 45 83 98 BF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5016; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-recon; sid:47209; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|3A 68 BA 9A 31 C7 34 9A 31 3F 4B 01 31 3F D3 74 2B 63 21 F1 4C CC E7 64 05 67 0C 66 45 83 98 BF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5016; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-recon; sid:47208; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_server,established; file_data; content:"getMatchedCSSRules"; content:"selector"; within:100; content:"vlinkColor"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12781; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47198; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_client,established; file_data; content:"getMatchedCSSRules"; content:"selector"; within:100; content:"vlinkColor"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12781; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47197; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|94 33 E7 CC 9C 36 B3 F6 82 A7 CF 56 6F 16 0E 46 6B 56 FE BA F5 E3 A5 34 99 EA F4 1B 07 36 27 95|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5014; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47196; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|94 33 E7 CC 9C 36 B3 F6 82 A7 CF 56 6F 16 0E 46 6B 56 FE BA F5 E3 A5 34 99 EA F4 1B 07 36 27 95|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5014; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47195; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF use-after-free attempt"; flow:to_server, established; flowbits:isset,file.emf; file_data; content:"|C0 80 00 3C 00 C1 40 3C A0 80 80 3C C0 A0 A0 3C E0 C0 C0 3C 00 E1 E0 3C 90 80 00 3D A0 90 10 3D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12796; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47194; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF use-after-free attempt"; flow:to_client, established; flowbits:isset,file.emf; file_data; content:"|C0 80 00 3C 00 C1 40 3C A0 80 80 3C C0 A0 A0 3C E0 C0 C0 3C 00 E1 E0 3C 90 80 00 3D A0 90 10 3D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12796; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47193; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusFillRects type confusion attempt"; flow:to_server,established; file_data; content:"|FF FF FF 04 00 00 00 1F 0A 06 02 35 0A 06 02 35 0A 1C 02 1F 0A 1C 02 3D 00 00 00 08 00 00 00 1B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5057; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47184; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusFillRects type confusion attempt"; flow:to_client,established; file_data; content:"|FF FF FF 04 00 00 00 1F 0A 06 02 35 0A 06 02 35 0A 1C 02 1F 0A 1C 02 3D 00 00 00 08 00 00 00 1B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5057; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47183; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF file uninitialized pointer dereference attempt"; flow:to_server,established; file_data; content:"|35 3F F3 04 35 3F 13 8D AE 42 53 5E F6 43 08 40 02 03 5C 0F 00 00 50 0F 00 00 02 10 C0 DB B2 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5012; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47182; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF file uninitialized pointer dereference attempt"; flow:to_client,established; file_data; content:"|35 3F F3 04 35 3F 13 8D AE 42 53 5E F6 43 08 40 02 03 5C 0F 00 00 50 0F 00 00 02 10 C0 DB B2 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5012; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47181; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF invalid EmfPlusFillRects out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|0A 40 00 F9|"; byte_extract:4,0,record_size,relative,little; byte_test:4,>,record_size,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5010; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47180; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF invalid EmfPlusFillRects out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|0A 40 00 F9|"; byte_extract:4,0,record_size,relative,little; byte_test:4,>,record_size,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5010; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47179; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro use after free attempt"; flow:to_server,established; file_data; content:"window.frames.find"; content:"insertOrderedList"; within:150; content:"delete"; within:150; content:"document.designMode"; within:150; metadata:service smtp; reference:cve,2018-12783; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47154; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro use after free attempt"; flow:to_client,established; file_data; content:"window.frames.find"; content:"insertOrderedList"; within:150; content:"delete"; within:150; content:"document.designMode"; within:150; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12783; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47153; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt"; flow:to_server,established; file_data; content:"|01 DA 00|"; depth:3; byte_test:2,>,4,8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,19507; reference:cve,2006-4144; reference:cve,2018-5040; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47144; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt"; flow:to_client,established; file_data; content:"|01 DA 00|"; depth:3; byte_test:2,>,4,8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19507; reference:cve,2006-4144; reference:cve,2018-5040; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47143; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt"; flow:to_server, established; flowbits:isset,file.emf; file_data; content:"EMF+"; byte_extract:4,-8,emr_size,relative,little; content:"|19 40|"; within:emr_size; content:"|00|"; within:1; distance:1; byte_test:4,>,0xF000,8,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-5061; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47140; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt"; flow:to_client, established; flowbits:isset,file.emf; file_data; content:"EMF+"; byte_extract:4,-8,emr_size,relative,little; content:"|19 40|"; within:emr_size; content:"|00|"; within:1; distance:1; byte_test:4,>,0xF000,8,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5061; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47139; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|E6 D8 CA E8 DA CC CD BB A9 C6 B3 9F CE BD AB CA B8 A5 CF BE AC D5 C4 B2 BD B4 9D AB AC 8B B6 BA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12789; reference:cve,2018-15947; reference:cve,2018-15949; reference:cve,2018-15950; reference:cve,2018-15999; reference:cve,2018-16006; reference:cve,2018-5062; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:47132; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|E6 D8 CA E8 DA CC CD BB A9 C6 B3 9F CE BD AB CA B8 A5 CF BE AC D5 C4 B2 BD B4 9D AB AC 8B B6 BA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12789; reference:cve,2018-15947; reference:cve,2018-15949; reference:cve,2018-15950; reference:cve,2018-15999; reference:cve,2018-16006; reference:cve,2018-5062; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:47131; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS embedded JPEG with malformed copyright tag heap overflow attempt"; flow:to_server,established; flowbits:isset,file.xps; file_data; content:"|FF D8 FF E0|"; content:"JFIF"; within:4; distance:2; content:"|FF E1|"; within:100; byte_extract:2,0,size,relative; content:"Exif|00 00|II"; within:8; content:"|98 82 02 00|"; within:size; distance:-12; byte_test:4,>,64000,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5028; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47126; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS embedded JPEG with malformed copyright tag heap overflow attempt"; flow:to_server,established; flowbits:isset,file.xps; file_data; content:"|FF D8 FF E0|"; content:"JFIF"; within:4; distance:2; content:"|FF E1|"; within:100; byte_extract:2,0,size,relative; content:"Exif|00 00|MM"; within:8; content:"|82 98 00 02|"; within:size; distance:-12; byte_test:4,>,64000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5028; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47125; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS embedded JPEG with malformed copyright tag heap overflow attempt"; flow:to_client,established; flowbits:isset,file.xps; file_data; content:"|FF D8 FF E0|"; content:"JFIF"; within:4; distance:2; content:"|FF E1|"; within:100; byte_extract:2,0,size,relative; content:"Exif|00 00|MM"; within:8; content:"|82 98 00 02|"; within:size; distance:-12; byte_test:4,>,64000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5028; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47124; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS embedded JPEG with malformed copyright tag heap overflow attempt"; flow:to_client,established; flowbits:isset,file.xps; file_data; content:"|FF D8 FF E0|"; content:"JFIF"; within:4; distance:2; content:"|FF E1|"; within:100; byte_extract:2,0,size,relative; content:"Exif|00 00|II"; within:8; content:"|98 82 02 00|"; within:size; distance:-12; byte_test:4,>,64000,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5028; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47123; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WECON LeviStudio UMP file stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"<Function "; nocase; content:"FuncName="; within:35; fast_pattern; nocase; isdataat:375,relative; content:!">"; within:375; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-10602; classtype:attempted-user; sid:48159; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WECON LeviStudio UMP file stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<Function "; nocase; content:"FuncName="; within:35; fast_pattern; nocase; isdataat:375,relative; content:!">"; within:375; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-10602; classtype:attempted-user; sid:48158; rev:1;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER McAfee True Key dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"M|00|c|00|A|00|f|00|e|00|e|00|.|00|T|00|r|00|u|00|e|00|K|00|e|00|y|00|.|00|S|00|D|00|K|00|L|00|i|00|b|00|A|00|d|00|a|00|p|00|t|00|e|00|r|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x43\x00|\x00\x5C)\x00M\x00c\x00A\x00f\x00e\x00e\x00\.\x00T\x00r\x00u\x00e\x00K\x00e\x00y\x00\.\x00S\x00D\x00K\x00L\x00i\x00b\x00A\x00d\x00a\x00p\x00t\x00e\x00r\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:service netbios-ssn; reference:cve,2018-6661; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-admin; sid:48145; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER McAfee True Key dll-load exploit attempt"; flow:to_server,established; content:"/McAfee.TrueKey.SDKLibAdapter.dll"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2018-6661; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-admin; sid:48144; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Reader U3D engine memory corruption attempt"; flow:to_server,established; file_data; content:"|DA E9 F5 FC F1 FF 16 10 07 03 02 01 02 03 06 0C 19 2B 43 5F 7A 97 AD BF D1 DE E9 F2 FA FD F0 FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5038; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48218; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Reader U3D engine memory corruption attempt"; flow:to_client,established; file_data; content:"|DA E9 F5 FC F1 FF 16 10 07 03 02 01 02 03 06 0C 19 2B 43 5F 7A 97 AD BF D1 DE E9 F2 FA FD F0 FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5038; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48217; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro malformed EMF out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|00 EB 1F CC CF 8F 00 CB 4D EB 1F 8C CF 8F 00 8D 61 ED 00 7F 00 00 00 01 00 07 00 00 00 00 00 FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12857; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48243; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro malformed EMF out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|00 EB 1F CC CF 8F 00 CB 4D EB 1F 8C CF 8F 00 8D 61 ED 00 7F 00 00 00 01 00 07 00 00 00 00 00 FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12857; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48242; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|5C 04 00 00 02 6E AA 0E 29 02 00 00 02 3F 5C 40 40 00 7F 2D 24 7F 21 40 3F 58 77 40 3F 3F 7C 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12761; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48292; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|5E 0E 2F F7 AD 1A 2B 3E 48 3C C6 5F B8 FF 36 23 32 6A 24 0A A2 2D 20 51 F1 39 6F 5D 61 FD DF 20|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12761; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48291; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|5E 0E 2F F7 AD 1A 2B 3E 48 3C C6 5F B8 FF 36 23 32 6A 24 0A A2 2D 20 51 F1 39 6F 5D 61 FD DF 20|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12761; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48290; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|5C 04 00 00 02 6E AA 0E 29 02 00 00 02 3F 5C 40 40 00 7F 2D 24 7F 21 40 3F 58 77 40 3F 3F 7C 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12761; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48289; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER out-of-bounds write attempt with malicious MAR file detected"; flow:to_server,established; file_data; content:"MAR1"; depth:4; byte_jump:4,4,from_beginning,big; content:"|FF|"; within:1; metadata:service smtp; reference:cve,2015-4482; reference:cve,2018-12379; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2018-21/#CVE-2018-12379; classtype:misc-activity; sid:48296; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER out-of-bounds write attempt with malicious MAR file detected"; flow:to_client,established; file_data; content:"MAR1"; depth:4; byte_jump:4,4,from_beginning,big; content:"|FF|"; within:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-4482; reference:cve,2018-12379; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2018-21/#CVE-2018-12379; classtype:misc-activity; sid:48295; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Omron CX-Supervisor malicious project file download attempt"; flow:to_client,established; flowbits:isset,file.sr3; file_data; content:"R|00|u|00|n|00|A|00|p|00|p|00|l|00|i|00|c|00|a|00|t|00|i|00|o|00|n|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,industrial.omron.eu/en/products/cx-supervisor; classtype:attempted-user; sid:48557; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|6D 30 AC D4 90 8E 65 8B 9B C1 6D CB F6 3F 82 15 E5 84 D7 CB CB B5 9C B0 43 40 A7 48 9C 51 9B 8E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16028; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48609; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|6D 30 AC D4 90 8E 65 8B 9B C1 6D CB F6 3F 82 15 E5 84 D7 CB CB B5 9C B0 43 40 A7 48 9C 51 9B 8E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16028; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48608; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_server,established; file_data; content:"|C5 D6 CF 8E 94 30 1C 07 F0 BB 89 EF 30 E1 FE A3 7F 28 B4 35 8B 9B 02 C5 EC C5 98 C9 DE 0D 61 3A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16035; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-41.html; classtype:attempted-user; sid:48605; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_client,established; file_data; content:"|C5 D6 CF 8E 94 30 1C 07 F0 BB 89 EF 30 E1 FE A3 7F 28 B4 35 8B 9B 02 C5 EC C5 98 C9 DE 0D 61 3A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16035; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-41.html; classtype:attempted-user; sid:48604; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF out of bounds write attempt"; flow:to_server,established; file_data; content:"|7A 7F 81 00 B1 B8 BB 00 6F 73 75 00 A4 AA AD 00 9D A2 A5 00 84 89 8B 00 53 55 56 00 8C 92 95 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15988; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48587; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF out of bounds write attempt"; flow:to_client,established; file_data; content:"|7A 7F 81 00 B1 B8 BB 00 6F 73 75 00 A4 AA AD 00 9D A2 A5 00 84 89 8B 00 53 55 56 00 8C 92 95 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15988; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48586; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|B9 3E D7 E7 FF DD E7 50 A8 21 B4 BC F5 E8 E6 31 1A DA 3C 83 B9 23 0F 19 77 CF DC 31 14 12 A1 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19712; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48581; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|B9 3E D7 E7 FF DD E7 50 A8 21 B4 BC F5 E8 E6 31 1A DA 3C 83 B9 23 0F 19 77 CF DC 31 14 12 A1 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-19712; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48580; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF EMR_CREATEMONOBRUSH out-of-bounds write attempt"; flow:to_server,established; file_data; content:"|00 E2 04 00 80 A9 03 00 5D 00 00 00 88 00 00 00 7A 00 00 00 47 44 49 43 3F 00 00 00 00 03 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16016; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48634; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF EMR_CREATEMONOBRUSH out-of-bounds write attempt"; flow:to_client,established; file_data; content:"|00 E2 04 00 80 A9 03 00 5D 00 00 00 88 00 00 00 7A 00 00 00 47 44 49 43 3F 00 00 00 00 03 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16016; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48633; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|FA D1 E0 88 84 A4 54 4D 0F D8 B1 73 D7 EE 90 BD FB 42 F7 1F 88 3C 78 E8 F0 91 A3 C7 1C 27 62 9C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19714; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48630; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt"; flow:to_client, established; file_data; content:"|FA D1 E0 88 84 A4 54 4D 0F D8 B1 73 D7 EE 90 BD FB 42 F7 1F 88 3C 78 E8 F0 91 A3 C7 1C 27 62 9C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-19714; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48629; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt"; flow:to_server,established; file_data; content:"%PDF"; nocase; content:"<xsl:stylesheet"; content:"-or-self::*"; within:200; fast_pattern; content:"</xsl:stylesheet"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15995; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48624; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt"; flow:to_client,established; file_data; content:"%PDF"; nocase; content:"<xsl:stylesheet"; content:"-or-self::*"; within:200; fast_pattern; content:"</xsl:stylesheet"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15995; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48623; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro malformed XPS JPEG out of bounds read attempt"; flow:to_server,established; file_data; content:"|4A E9 D5 BD 73 E8 4B 42 DC 7B AF 10 DA 47 23 87 4D 18 FE F8 FC 51 6E 21 EE 4E 15 C2 D2 63 F4 88|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19703; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48622; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|8C 6C 6B E4 05 6B B3 66 24 83 AD 65 6C C9 C8 1A 69 B4 DB 06 DB DA BD DB C2 BB 8C 09 5E 58 E4 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19711; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48646; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|8C 6C 6B E4 05 6B B3 66 24 83 AD 65 6C C9 C8 1A 69 B4 DB 06 DB DA BD DB C2 BB 8C 09 5E 58 E4 05|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-19711; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48645; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF out of bounds read attempt"; flow:to_server,established; file_data; content:"|7F 88 C3 1C 8B 18 2E 81 41 88 19 23 71 18 6B 98 81 31 8C 84 2D B1 FF FF 3F B1 11 A2 D3 4A 27 59|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16017; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48643; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF out of bounds read attempt"; flow:to_client,established; file_data; content:"|7F 88 C3 1C 8B 18 2E 81 41 88 19 23 71 18 6B 98 81 31 8C 84 2D B1 FF FF 3F B1 11 A2 D3 4A 27 59|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16017; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-41.html; classtype:attempted-user; sid:48642; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|26 26 FF 9F E7 44 B4 00 0D D0 3D 00 80 1D C1 05 C0 F4 A3 65 66 06 3F 07 C3 FC A2 0A 40 00 00 24|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16022; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48641; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|26 26 FF 9F E7 44 B4 00 0D D0 3D 00 80 1D C1 05 C0 F4 A3 65 66 06 3F 07 C3 FC A2 0A 40 00 00 24|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16022; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48640; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|73 AA 63 A9 D3 B1 6D F2 FB 0D A0 36 B1 65 3D 49 76 AB AB 70 92 9B 7C 5E 3C 58 AC A4 75 20 BE E4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16001; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48746; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|73 AA 63 A9 D3 B1 6D F2 FB 0D A0 36 B1 65 3D 49 76 AB AB 70 92 9B 7C 5E 3C 58 AC A4 75 20 BE E4|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16001; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48745; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_server,established; file_data; content:"|B5 89 83 ED A2 F2 6C 0C 3C 12 AF 80 0B 1D 28 4C 30 C0 E8 B3 7D F7 3B E9 FF FA FC 32 5F 1C 86 5D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16013; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48712; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_client,established; file_data; content:"|B5 89 83 ED A2 F2 6C 0C 3C 12 AF 80 0B 1D 28 4C 30 C0 E8 B3 7D F7 3B E9 FF FA FC 32 5F 1C 86 5D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16013; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48711; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|EB FC 7E F9 40 8D 88 A2 9D 03 B2 A5 7D CB E8 94 27 84 19 78 31 03 AD 0E 6D B0 FF BF DA 71 5F 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19704; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48710; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|EB FC 7E F9 40 8D 88 A2 9D 03 B2 A5 7D CB E8 94 27 84 19 78 31 03 AD 0E 6D B0 FF BF DA 71 5F 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-19704; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48709; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_server,established; file_data; content:"|F6 5C BC 8F 2C 0E 00 80 28 00 00 00 0C 00 00 00 61 00 00 00 25 5F 60 8F FF 18 00 80 43 4F 53 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15989; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48706; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_client,established; file_data; content:"|F6 5C BC 8F 2C 0E 00 80 28 00 00 00 0C 00 00 00 61 00 00 00 25 5F 60 8F FF 18 00 80 43 4F 53 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15989; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48705; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_server,established; file_data; content:"|95 A4 96 D4 21 32 CB 49 3D 69 20 8D AC D4 88 B6 1A E4 D5 28 2D 65 9F 63 A8 64 BA B7 57 13 F1 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15985; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48704; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_client,established; file_data; content:"|95 A4 96 D4 21 32 CB 49 3D 69 20 8D AC D4 88 B6 1A E4 D5 28 2D 65 9F 63 A8 64 BA B7 57 13 F1 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15985; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48703; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EmfPlusFillPath out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|2C 0A 00 00 20 0A 00 00 E8 C7 DE 9A 43 01 00 00 FF FF FF 7F 00 80 FF 7F 00 80 00 80 00 80 FF 7F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12763; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48761; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EmfPlusFillPath out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|2C 0A 00 00 20 0A 00 00 E8 C7 DE 9A 43 01 00 00 FF FF FF 7F 00 80 FF 7F 00 80 00 80 00 80 FF 7F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12763; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48760; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS memory corruption attempt"; flow:to_server,established; file_data; content:"|D9 32 E4 91 F2 0A 65 DA 0C 75 32 B5 43 3D DE 91 3C 7E 3C F0 5E 9E 9E 97 AB CB 78 CA 1E AC 0F 83|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16015; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48759; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS memory corruption attempt"; flow:to_client,established; file_data; content:"|D9 32 E4 91 F2 0A 65 DA 0C 75 32 B5 43 3D DE 91 3C 7E 3C F0 5E 9E 9E 97 AB CB 78 CA 1E AC 0F 83|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16015; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48758; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt"; flow:to_server,established; file_data; content:"|50 A6 25 49 AF FB 62 77 A8 95 73 58 18 9B CF 06 FB A9 81 9D 85 17 19 AD 25 67 8D A4 2E 39 FD F2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16012; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48755; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt"; flow:to_client,established; file_data; content:"|50 A6 25 49 AF FB 62 77 A8 95 73 58 18 9B CF 06 FB A9 81 9D 85 17 19 AD 25 67 8D A4 2E 39 FD F2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16012; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48754; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_client,established; file_data; content:"s=|22|class1|22|>|0D 0A 20 20|<video>|0D 0A 20 20|<sup contenteditable=|22|plaintext-on"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15997; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48749; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro out of bounds read attempt"; flow:to_server,established; file_data; content:"s=|22|class1|22|>|0D 0A 20 20|<video>|0D 0A 20 20|<sup contenteditable=|22|plaintext-on"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15997; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48748; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro XPS file out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.xps; content:"|FB 9E FF EC B3 6F D7 D4 74 A8 73 EA 9C 53 E7 54 6A 26 31 C6 7C 04 3A 36 3C B2 60 E1 22 EB 89 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16002; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48775; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro XPS file out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.xps; content:"|FB 9E FF EC B3 6F D7 D4 74 A8 73 EA 9C 53 E7 54 6A 26 31 C6 7C 04 3A 36 3C B2 60 E1 22 EB 89 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16002; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48774; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt"; flow:to_server,established; file_data; content:"<keygen"; fast_pattern:only; content:"outerHTML"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15993; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48825; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt"; flow:to_client,established; file_data; content:"<keygen"; fast_pattern:only; content:"outerHTML"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15993; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48824; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows VCF file remote code execution attempt"; flow:to_server,established; file_data; content:"BEGIN:VCARD"; fast_pattern:only; content:"URL|3B|"; nocase; content:".|5C|"; within:50; metadata:policy max-detect-ips drop, service smtp; reference:url,exploit-db.com/exploits/46167; classtype:attempted-user; sid:48972; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Contact file remote code execution attempt"; flow:to_server,established; file_data; content:"<c:url"; fast_pattern:only; content:"<c:value>"; nocase; content:".|5C|"; within:50; metadata:policy max-detect-ips drop, service smtp; reference:url,exploit-db.com/exploits/46188; classtype:attempted-user; sid:48971; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows VCF file remote code execution attempt"; flow:to_client,established; file_data; content:"BEGIN:VCARD"; fast_pattern:only; content:"URL|3B|"; nocase; content:".|5C|"; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,exploit-db.com/exploits/46167; classtype:attempted-user; sid:48970; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Contact file remote code execution attempt"; flow:to_client,established; file_data; content:"<c:url"; fast_pattern:only; content:"<c:value"; nocase; content:".|5C|"; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,exploit-db.com/exploits/46188; classtype:attempted-user; sid:48969; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt"; flow:to_server,established; file_data; content:"<c:ContactIDCollection"; fast_pattern:only; content:"<c:EmailAddress"; nocase; content:"<c:address"; distance:0; nocase; content:"href"; within:30; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,exploit-db.com/exploits/46222; classtype:attempted-user; sid:49039; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt"; flow:to_client,established; file_data; content:"<c:ContactIDCollection"; fast_pattern:only; content:"<c:EmailAddress"; nocase; content:"<c:address"; distance:0; nocase; content:"href"; within:30; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,exploit-db.com/exploits/46222; classtype:attempted-user; sid:49038; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows device metadata file directory traversal attempt"; flow:to_server,established; file_data; content:"devicemetadata-ms"; fast_pattern:only; content:"MSCF"; depth:4; byte_extract:4,32,coffstart,relative,little; content:"../"; depth:coffstart; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:49080; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows device metadata file directory traversal attempt"; flow:to_server,established; file_data; content:"packageinfo.xml"; fast_pattern:only; content:"MSCF"; depth:4; byte_extract:4,32,coffstart,relative,little; content:"../"; depth:coffstart; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:49079; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows device metadata file directory traversal attempt"; flow:to_client,established; file_data; content:"packageinfo.xml"; fast_pattern:only; content:"MSCF"; depth:4; byte_extract:4,32,coffstart,relative,little; content:"../"; depth:coffstart; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:49078; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows device metadata file directory traversal attempt"; flow:to_client,established; file_data; content:"devicemetadata-ms"; fast_pattern:only; content:"MSCF"; depth:4; byte_extract:4,32,coffstart,relative,little; content:"../"; depth:coffstart; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:49077; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows device metadata file directory traversal attempt"; flow:to_server,established; file_data; content:"devicemetadata-ms"; fast_pattern:only; content:"MSCF"; depth:4; byte_extract:4,32,coffstart,relative,little; content:"..|5C|"; depth:coffstart; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:49076; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows device metadata file directory traversal attempt"; flow:to_client,established; file_data; content:"devicemetadata-ms"; fast_pattern:only; content:"MSCF"; depth:4; byte_extract:4,32,coffstart,relative,little; content:"..|5C|"; depth:coffstart; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:49075; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows device metadata file directory traversal attempt"; flow:to_server,established; file_data; content:"MSCF"; depth:4; content:"..|5C|..|5C|"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:49074; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows device metadata file directory traversal attempt"; flow:to_client,established; file_data; content:"MSCF"; depth:4; content:"..|5C|..|5C|"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:49073; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Ghostscript PostScript remote code execution attempt"; flow:to_server,established; file_data; content:"/forceput"; fast_pattern; content:"exch def"; within:100; content:"/oget"; content:"/.pdfruncontext"; content:"/pdfdict"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-6116; classtype:attempted-user; sid:49086; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Ghostscript PostScript remote code execution attempt"; flow:to_client,established; file_data; content:"/forceput"; fast_pattern; content:"exch def"; within:100; content:"/oget"; content:"/.pdfruncontext"; content:"/pdfdict"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-6116; classtype:attempted-user; sid:49085; rev:1;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows VCF arbitrary code execution attempt"; flow:to_client,established; file_data; content:"BEGIN:VCARD"; fast_pattern:only; content:"URL|3B|"; content:".|5C|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,exploit-db.com/exploits/46220; classtype:attempted-user; sid:49200; rev:1;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt"; flow:to_client,established; file_data; content:"<c:url"; fast_pattern:only; content:"<c:value"; nocase; content:".|5C|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,exploit-db.com/exploits/46220; classtype:attempted-user; sid:49199; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat JavaScript engine security bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"__proto__.app.Priv"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7041; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49247; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat JavaScript engine security bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"__proto__.app.Priv"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7041; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49246; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat PostScript parsing arbitrary code execution attempt"; flow:to_server,established; file_data; content:"%!PS-Adobe"; depth:10; content:"/FontBBox"; distance:0; fast_pattern; content:"{"; within:5; isdataat:50,relative; content:!"}"; within:55; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7085; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49245; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat PostScript parsing arbitrary code execution attempt"; flow:to_client,established; file_data; content:"%!PS-Adobe"; depth:10; content:"/FontBBox"; distance:0; fast_pattern; content:"{"; within:5; isdataat:50,relative; content:!"}"; within:55; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7085; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49244; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat PostScript parsing type confusion attempt"; flow:to_server,established; file_data; content:"B3A6007FB7|0A|12FEA52F4E76CD43>I<EC"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7087; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49243; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat PostScript parsing type confusion attempt"; flow:to_client,established; file_data; content:"B3A6007FB7|0A|12FEA52F4E76CD43>I<EC"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7087; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49242; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro HTML use-after-free attempt"; flow:to_client,established; file_data; content:"|77 69 6E 64 6F 77 2E 67 65 74 53 65 6C 65 63 74 69 6F 6E 28 29 2E 73 65 74 42 61 73 65 41 6E 64 45 78 74 65 6E 74 28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7077; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49281; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro HTML use-after-free attempt"; flow:to_server,established; file_data; content:"|77 69 6E 64 6F 77 2E 67 65 74 53 65 6C 65 63 74 69 6F 6E 28 29 2E 73 65 74 42 61 73 65 41 6E 64 45 78 74 65 6E 74 28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7077; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49280; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat out of bounds write attempt"; flow:to_server,established; file_data; content:"|65 2D 32 2E 30 20 45 50 53 46 2D 32 2E 30 0A 25 25 42 6F 75 6E 64 69 6E 67 42 6F 78 3A 30 30 30 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7079; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49271; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat out of bounds write attempt"; flow:to_client,established; file_data; content:"|65 2D 32 2E 30 20 45 50 53 46 2D 32 2E 30 0A 25 25 42 6F 75 6E 64 69 6E 67 42 6F 78 3A 30 30 30 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7079; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49270; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro use-after-free attempt"; flow:to_server,established; file_data; content:"|5B 31 37 38 20 66 75 64 67 65 20 73 75 62 20 20 34 30 20 37 30 34 20 36 38 38 5D 20 64 65 66 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7070; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49269; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro use-after-free attempt"; flow:to_client,established; file_data; content:"|5B 31 37 38 20 66 75 64 67 65 20 73 75 62 20 20 34 30 20 37 30 34 20 36 38 38 5D 20 64 65 66 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7070; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49268; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat out of bounds read attempt"; flow:to_server,established; file_data; content:"|4D FD 75 0D D0 1D 89 E3 5E 83 10 2F 83 5A C9 D1 8E B0 43 0F 3E EB BE 6C 56 23 62 9E 7B A8 AD A2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7049; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49259; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat out of bounds read attempt"; flow:to_client,established; file_data; content:"|4D FD 75 0D D0 1D 89 E3 5E 83 10 2F 83 5A C9 D1 8E B0 43 0F 3E EB BE 6C 56 23 62 9E 7B A8 AD A2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7049; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49258; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WinRAR ACE remote code execution attempt"; flow:to_server,established; file_data; content:"**ACE**"; depth:7; offset:7; content:"c:|5C|c:|5C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-20250; reference:url,attack.mitre.org/techniques/T1060; classtype:attempted-user; sid:49292; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WinRAR ACE remote code execution attempt"; flow:to_client,established; file_data; content:"**ACE**"; depth:7; offset:7; content:"c:|5C|c:|5C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-20250; reference:url,attack.mitre.org/techniques/T1060; classtype:attempted-user; sid:49291; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER WinRAR ACE remote code execution attempt"; flow:to_server,established; file_data; content:"**ACE**"; depth:7; offset:7; content:"Microsoft|5C|Windows|5C|Start Menu|5C|Programs|5C|Startup|5C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-20250; reference:url,attack.mitre.org/techniques/T1060; classtype:attempted-user; sid:49290; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER WinRAR ACE remote code execution attempt"; flow:to_client,established; file_data; content:"**ACE**"; depth:7; offset:7; content:"Microsoft|5C|Windows|5C|Start Menu|5C|Programs|5C|Startup|5C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-20250; reference:url,attack.mitre.org/techniques/T1060; classtype:attempted-user; sid:49289; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows Avast Anti-Virus local credentials disclosure attempt"; flow:to_client,established; file_data; content:"AvastUI.exe"; fast_pattern:only; content:"import"; content:"Process"; within:60; content:"password"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12572; classtype:attempted-user; sid:49325; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow attempt"; flow:to_server,established; file_data; content:".lzh|22 0D 0A 0D 0A|"; nocase; base64_decode:bytes 64, relative; base64_data; content:"-lh"; depth:3; offset:2; nocase; byte_test:1,<,19,0; metadata:service smtp; reference:bugtraq,48018; reference:cve,2011-1213; classtype:attempted-user; sid:49297; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Schneider Electric GP-Pro EX ParseAPI heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|7F 77 FE 01 00 00 0A 00 00 00 0C 0C 01 F0 34 12|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-2290; reference:url,profaceamerica.com/en-US/content/gp-pro-ex-hmi-software; classtype:attempted-user; sid:49437; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt"; flow:to_server,established; flowbits:isset,file.doc|file.wri; file_data; content:"|28 00 00 00|"; fast_pattern; content:"|00 00 00 00|"; within:4; distance:8; byte_test:4,>,0,16,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2013-3940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-089; classtype:attempted-user; sid:49428; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt"; flow:to_client,established; flowbits:isset,file.doc|file.wri; file_data; content:"|28 00 00 00|"; fast_pattern; content:"|00 00 00 00|"; within:4; distance:8; byte_test:4,>,0,16,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-089; classtype:attempted-user; sid:49427; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt"; flow:to_server,established; flowbits:isset,file.eot; file_data; content:"|01 00 02 00|"; depth:4; offset:8; content:"EBLC"; content:"EBDTK"; metadata:service smtp; reference:cve,2011-3402; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-087; classtype:attempted-user; sid:49423; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|01 00 02 00|"; depth:4; offset:8; content:"EBLC"; content:"EBDTK"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3402; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-087; classtype:attempted-user; sid:49422; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|00 00 00 00 00 01 00 03 48 0A 01 01 00 00 00 80 01 FF 00 00 00 00 00 01 00 03 40 52 00 02 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2011-3402; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-087; classtype:attempted-user; sid:49421; rev:1;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"w|00|f|00|a|00|p|00|i|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x15\x00|\x00\x5C)\x00w\x00f\x00a\x00p\x00i\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:service netbios-ssn; reference:url,www.elipse.com.br/en/produtos/; classtype:attempted-user; sid:49410; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt"; flow:to_server,established; content:"/wfapi.dll"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.elipse.com.br/en/produtos/; classtype:attempted-user; sid:49409; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Snapd dirty_sock exploit download attempt"; flow:to_server,established; file_data; content:"/run/snapd.socket"; fast_pattern:only; content:"IyEvYmluL2Jhc2g"; content:"POST /v2/snaps"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7304; reference:url,initblog.com/2019/dirty-sock/; classtype:attempted-user; sid:49489; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Snapd dirty_sock exploit download attempt"; flow:to_client,established; file_data; content:"/run/snapd.socket"; fast_pattern:only; content:"IyEvYmluL2Jhc2g"; content:"POST /v2/snaps"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7304; reference:url,initblog.com/2019/dirty-sock/; classtype:attempted-user; sid:49488; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Snapd dirty_sock exploit download attempt"; flow:to_server,established; file_data; content:"/run/snapd.socket"; fast_pattern:only; content:"POST /v2/create-user"; content:"|22|status|22 3A 22|OK"; within:500; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7304; reference:url,initblog.com/2019/dirty-sock/; classtype:attempted-user; sid:49487; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Snapd dirty_sock exploit download attempt"; flow:to_client,established; file_data; content:"/run/snapd.socket"; fast_pattern:only; content:"POST /v2/create-user"; content:"|22|status|22 3A 22|OK"; within:500; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7304; reference:url,initblog.com/2019/dirty-sock/; classtype:attempted-user; sid:49486; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt"; flow:to_server,established; file_data; content:"|A5 5B 2E FA 55 99 18 90 C8 92 A2 FA 12 CF 05 1F BF 43 8E CE 04 09 42 97 F0 CF BC 58 ED AE 10 59|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-2897; reference:cve,2012-4786; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-075; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-078; classtype:attempted-admin; sid:49483; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt"; flow:to_client,established; file_data; content:"|A5 5B 2E FA 55 99 18 90 C8 92 A2 FA 12 CF 05 1F BF 43 8E CE 04 09 42 97 F0 CF BC 58 ED AE 10 59|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-2897; reference:cve,2012-4786; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-075; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-078; classtype:attempted-admin; sid:49482; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Unix systemd-journald memory corruption attempt"; flow:to_server,established; file_data; content:"b|22|A=|22| + b|22|B|22|*(128*1024*1024) + b|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16864; reference:cve,2018-16865; reference:url,exploit.delivery/systemd_journald_exploit_no_aslr.py; classtype:attempted-admin; sid:49618; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Unix systemd-journald memory corruption attempt"; flow:to_client,established; file_data; content:"b|22|A=|22| + b|22|B|22|*(128*1024*1024) + b|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16864; reference:cve,2018-16865; reference:url,exploit.delivery/systemd_journald_exploit_no_aslr.py; classtype:attempted-admin; sid:49617; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER PHP use after free attempt"; flow:to_server,established; file_data; content:"unset($"; fast_pattern:only; content:"$this->"; content:"return $this|3B|"; pcre:"/unset\(\$(?P<var>\w+).{0,200}\$this->(?P=var)\x3B/si"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:49675; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER PHP use after free attempt"; flow:to_client,established; file_data; content:"unset($"; fast_pattern:only; content:"$this->"; content:"return $this|3B|"; pcre:"/unset\(\$(?P<var>\w+).{0,200}\$this->(?P=var)\x3B/si"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:49674; rev:1;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Go binary bll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"w|00|s|00|2|00|_|00|3|00|2|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x17\x00|\x00\x5C)\x00w\x00s\x002\x00_\x003\x002\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:service netbios-ssn; reference:cve,2019-9634; reference:url,www.openwall.com/lists/oss-security/2019/04/09/1; classtype:attempted-user; sid:49786; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Go binary dll-load exploit attempt"; flow:to_server,established; content:"/ws2_32.dll"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2019-9634; reference:url,www.openwall.com/lists/oss-security/2019/04/09/1; classtype:attempted-user; sid:49785; rev:1;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Go binary dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"w|00|i|00|n|00|m|00|m|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x15\x00|\x00\x5C)\x00w\x00i\x00n\x00m\x00m\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:service netbios-ssn; reference:cve,2019-9634; reference:url,www.openwall.com/lists/oss-security/2019/04/09/1; classtype:attempted-user; sid:49784; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Go binary dll-load exploit attempt"; flow:to_server,established; content:"/winmm.dll"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2019-9634; reference:url,www.openwall.com/lists/oss-security/2019/04/09/1; classtype:attempted-user; sid:49783; rev:1;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-OTHER Go binary dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"k|00|e|00|r|00|n|00|e|00|l|00|3|00|2|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x1B\x00|\x00\x5C)\x00k\x00e\x00r\x00n\x00e\x00l\x003\x002\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:service netbios-ssn; reference:cve,2019-9634; reference:url,www.openwall.com/lists/oss-security/2019/04/09/1; classtype:attempted-user; sid:49782; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-OTHER Go binary dll-load exploit attempt"; flow:to_server,established; content:"/kernel32.dll"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2019-9634; reference:url,www.openwall.com/lists/oss-security/2019/04/09/1; classtype:attempted-user; sid:49781; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Multiple products external entity data exfiltration attempt"; flow:to_server,established; file_data; content:"<!ENTITY"; nocase; content:"SYSTEM"; within:50; nocase; content:"://"; within:25; content:"<!ENTITY"; distance:0; nocase; content:"SYSTEM"; within:50; nocase; content:"://"; within:25; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5088; reference:url,attack.mitre.org/techniques/T1020; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; reference:url,hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt; classtype:misc-attack; sid:37313; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Mulitple products external entity data exfiltration attempt"; flow:to_client,established; file_data; content:"<!ENTITY"; nocase; content:"SYSTEM"; within:50; nocase; content:"://"; within:25; content:"<!ENTITY"; distance:0; nocase; content:"SYSTEM"; within:50; nocase; content:"://"; within:25; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5088; reference:url,attack.mitre.org/techniques/T1020; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; reference:url,hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt; classtype:misc-attack; sid:37312; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Multiple Products XML external entity information disclosure attempt"; flow:to_server,established; file_data; content:"ENTITY"; fast_pattern; nocase; content:"://"; within:75; pcre:"/(\x21|%21)ENTITY((?!\x3e|%3e).)*?(SYSTEM|PUBLIC)((?!\x3e|%3e).)*?(file|http|https|ftp|jar)\x3A\x2F\x2F/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-3244; reference:url,attack.mitre.org/techniques/T1020; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; reference:url,hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt; reference:url,www.sugarcrm.com; classtype:misc-attack; sid:49865; rev:1;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"FILE-OTHER Multiple Products XML external entity information disclosure attempt"; flow:to_client,established; file_data; content:"ENTITY"; fast_pattern; nocase; content:"://"; within:75; pcre:"/(\x21|%21)ENTITY((?!\x3e|%3e).)*?(SYSTEM|PUBLIC)((?!\x3e|%3e).)*?(file|http|https|ftp|jar)\x3A\x2F\x2F/i"; metadata:service http; reference:cve,2014-3244; reference:cve,2019-9670; reference:url,attack.mitre.org/techniques/T1020; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; reference:url,hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt; classtype:web-application-attack; sid:49864; rev:2;)