snort2-docker/docker/etc/rules/browser-firefox.rules
2020-02-24 08:56:30 -05:00

305 lines
139 KiB
Plaintext

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------------
# BROWSER-FIREFOX RULES
#-----------------------
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-FIREFOX Possible Mozilla Firefox Plugin install from non-Mozilla source"; flow:to_server,established; content:!"mozilla"; http_header; content:".xpi"; nocase; http_uri; pcre:"/\.xpi$/Ui"; metadata:ruleset community, service http; reference:url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:26659; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_server,established; file_data; content:"i = Math.ceil(Math.log(num) / Math.LN2),"; fast_pattern:only; content:"return res.slice(0, str.length * num)"; metadata:service smtp; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:26188; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript arbitrary memory reading attempt"; flow:to_server,established; file_data; content:"new RegExp|28|"; content:"RegExp.input"; content:"document.write|28|regexp."; fast_pattern:only; pcre:"/for\s*?\x28.*?\x7b(?P<match>\w*).*?\x7d.*?for\s*?\x28.*?\x7b(?P<string>\w*).*?\x7d.*?new\s*?RegExp\x28\s*?(?P=match).*?\x2eexec\x28\s*?(?P=string)/smi"; metadata:service smtp; reference:cve,2011-2983; classtype:attempted-recon; sid:25292; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript arbitrary memory reading attempt"; flow:to_server,established; file_data; content:"new RegExp|28|"; content:"RegExp.input"; content:"document.write|28|regexp."; fast_pattern:only; pcre:"/for\s*?\x28.*?\x7b(?P<string>\w*).*?\x7d.*?for\s*?\x28.*?\x7b(?P<match>\w*).*?\x7d.*?new\s*?RegExp\x28\s*?(?P=match).*?\x2eexec\x28\s*?(?P=string)/smi"; metadata:service smtp; reference:cve,2011-2983; classtype:attempted-recon; sid:25291; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript arbitrary memory reading attempt"; flow:to_client,established; file_data; content:"new RegExp|28|"; content:"RegExp.input"; content:"document.write|28|regexp."; fast_pattern:only; pcre:"/for\s*?\x28.*?\x7b(?P<match>\w*).*?\x7d.*?for\s*?\x28.*?\x7b(?P<string>\w*).*?\x7d.*?new\s*?RegExp\x28\s*?(?P=match).*?\x2eexec\x28\s*?(?P=string)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2983; classtype:attempted-recon; sid:25290; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript arbitrary memory reading attempt"; flow:to_client,established; file_data; content:"new RegExp|28|"; content:"RegExp.input"; content:"document.write|28|regexp."; fast_pattern:only; pcre:"/for\s*?\x28.*?\x7b(?P<string>\w*).*?\x7d.*?for\s*?\x28.*?\x7b(?P<match>\w*).*?\x7d.*?new\s*?RegExp\x28\s*?(?P=match).*?\x2eexec\x28\s*?(?P=string)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2983; classtype:attempted-recon; sid:25289; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt"; flow:to_server,established; file_data; content:"appendChild"; content:"setUserData"; fast_pattern:only; pcre:"/\x2esetUserData\x28.{0,50}?\x7b[^\x7d]*?\x2eappendChild\x28/"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-2378; classtype:attempted-user; sid:25233; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt"; flow:to_client,established; file_data; content:"appendChild"; content:"setUserData"; fast_pattern:only; pcre:"/\x2esetUserData\x28.{0,50}?\x7b[^\x7d]*?\x2eappendChild\x28/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2378; classtype:attempted-user; sid:25232; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt"; flow:to_server,established; file_data; content:"document.createElement|28 27|iframe|27 29|"; fast_pattern:only; content:"<FRAME"; content:".xul"; content:".contentDocument.location.reload|28 29|"; metadata:service smtp; reference:cve,2011-2982; classtype:attempted-user; sid:25228; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt"; flow:to_client,established; file_data; content:"document.createElement|28 27|iframe|27 29|"; fast_pattern:only; content:"<FRAME"; content:".xul"; content:".contentDocument.location.reload|28 29|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2982; classtype:attempted-user; sid:25227; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Multiple Products xdomain object information disclosure attempt"; flow:to_server,established; file_data; content:"window.open("; fast_pattern:only; content:"<script>"; nocase; pcre:"/(?P<var>[a-z0-9_\-]+?)\s*?=\s*?window\.open\(\s*?\'https?\:\/\/[^\']+?\'\,\s*?\'newWin\'[^\)]*?\)\;.*?(?P=var)\.location/smiR"; metadata:service smtp; reference:cve,2012-4192; reference:url,www.mozilla.org/security/announce/2012/mfsa2012-89.html; classtype:attempted-recon; sid:24387; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Multiple Products xdomain object information disclosure attempt"; flow:to_client,established; file_data; content:"window.open("; fast_pattern:only; content:"<script>"; nocase; pcre:"/(?P<var>[a-z0-9_\-]+?)\s*?=\s*?window\.open\(\s*?\'https?\:\/\/[^\']+?\'\,\s*?\'newWin\'[^\)]*?\)\;.*?(?P=var)\.location/smiR"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-4192; reference:url,www.mozilla.org/security/announce/2012/mfsa2012-89.html; classtype:attempted-recon; sid:24386; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:".length = 2197815302"; fast_pattern:only; content:".reduceRight"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:24188; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"len = 0xffffffff"; fast_pattern:only; content:".reduceRight"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:24187; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Multiple Products table frames memory corruption attempt"; flow:to_client,established; file_data; content:"<style>"; nocase; content:"table:after"; fast_pattern:only; pcre:"/table\x3aafter\s*\x7b.*?display\s*\x3a\s*table-(footer|header|row)-group\x3b/smi"; content:"document.body.offset"; distance:0; nocase; content:"<tbody>"; nocase; content:"<colgroup>"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1952; classtype:attempted-user; sid:23790; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox resource URL handling directory traversal attempt"; flow:to_client,established; file_data; content:"resource://"; fast_pattern:only; pcre:"/resource\x3A[^>]*?(\x2E\x2E(%5C|\x5C|%2F|\x2F)){4}/mi"; metadata:service http; reference:cve,2007-3072; reference:cve,2007-3073; classtype:attempted-recon; sid:23625; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox use-after free remote code execution attempt"; flow:established,to_client; file_data; content:"{acceptNode: function(node) { return NodeFilter.FILTER_ACCEPT|3B| }}"; content:".nextNode()|3B|"; distance:0; content:".nextNode()|3B|"; distance:0; content:".previousNode()|3B|"; distance:0; metadata:service http; reference:cve,2011-3659; classtype:attempted-user; sid:23445; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox nSSVGValue memory corruption attempt"; flow:established,to_client; file_data; content:".removeEventListener(|22|DOMAttrModified|22|,"; content:".addEventListener(|22|DOMAttrModified|22|,"; distance:0; content:"<svg id=|22|"; distance:0; nocase; content:"</svg>"; distance:0; nocase; metadata:service http; reference:bugtraq,51138; reference:cve,2011-3658; classtype:attempted-user; sid:23054; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Multiple Products HTML href shell attempt"; flow:to_client,established; file_data; content:"shell:"; fast_pattern:only; pcre:"/<a\s+?href\s*?=\s*?[\x22\x27]*?\s*?shell\x3a/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2004-0648; classtype:policy-violation; sid:21953; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox null byte file remote code execution attempt"; flow:to_client,established; file_data; content:"<form"; nocase; content:"action"; distance:0; nocase; pcre:"/<form[^>]+action\s*=\s*[\x22\x27]?[^>\x22\x27]*?\.[\.a-z]{2,6}(\x2500|\x00)\.[\.a-z]{2,6}/ims"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,24447; reference:cve,2007-3285; classtype:attempted-user; sid:21394; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt"; flow:to_client,established; file_data; content:" = new Array|28 22|audio|22 2C 20 22|a|22 2C 20 22|base|22 29 3B|"; fast_pattern:only; content:"|22|string|22 29|"; content:".push|28|"; within:30; content:"document.body.removeChild|28|"; within:50; content:" < 0x8964"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3765; classtype:attempted-user; sid:21363; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products floating point buffer overflow attempt"; flow:to_client,established; content:"script"; nocase; content:"var"; content:"str|5F|repeat"; nocase; pcre:"/var\s*?\w+?\x3D\s*?\d+?\x2E.*?str\x5Frepeat\x28[\x22\x27]\d[\x22\x27]\x2C\d{2,}\x29/smi"; metadata:service http; reference:bugtraq,37078; reference:cve,2009-0689; classtype:attempted-user; sid:21155; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products floating point buffer overflow attempt"; flow:to_client,established; content:"|3C|script|3E|"; nocase; content:"var"; nocase; pcre:"/var\s*?\w+?\s*?\x3D\s*?\d+?\x2E\d{20}/smi"; metadata:service http; reference:bugtraq,37078; reference:cve,2009-0689; classtype:attempted-user; sid:21154; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla favicon href javascript execution attempt"; flow:to_client,established; file_data; content:"javascript:delayedOpenWindow"; fast_pattern:only; content:"<link"; nocase; pcre:"/<link\s[^>]*?href=[^>]*?(jar\:|view-source\:)?\s*?javascript\:delayedOpenWindow/smi"; metadata:service http; reference:cve,2005-1155; reference:cve,2005-1531; classtype:attempted-user; sid:20814; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt"; flow:to_client,established; file_data; content:"<EMBED"; nocase; content:"PLUGINSPAGE"; distance:0; nocase; pcre:"/<EMBED[^\x3E]*?PLUGINSPAGE\s*=[\x22\x27][^\x3E]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,13228; reference:cve,2005-0752; classtype:attempted-user; sid:20742; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Object.watch parent access attempt"; flow:to_client,established; file_data; content:"|2E|watch"; nocase; content:"arguments|2E|callee|2E|caller"; within:100; nocase; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1734; classtype:attempted-admin; sid:20739; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla XBL.method memory corruption attempt"; flow:to_client,established; file_data; content:"moz|2D|binding"; fast_pattern:only; content:"xbl"; nocase; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1735; classtype:attempted-admin; sid:20730; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla XBL object init code execution attempt"; flow:to_client,established; file_data; content:".init."; fast_pattern:only; content:"document.getElementById"; pcre:"/\x3C[^\x3E]*id\s*\x3D\s*[\x22\x27]\s*(\w*)\s*[\x22\x27].*?var\s*(\w*)\s*\x3D\s*document\.getElementbyId\s*\x28\s*[\x22\x27]\1[\x22\x27]\s*\x29.*?\2\.init\.(valueof\.)?(call|apply)/smi"; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1733; classtype:attempted-user; sid:20729; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox user interface event dispatcher dos attempt"; flow:to_client,established; file_data; content:"document.createEvent("; content:"UIEvents"; within:20; fast_pattern; content:"initUIEvent"; distance:0; pcre:"/var\s+(\w+)\s*=\s*document\.createEvent\(\s*[\x22\x27]UIEvents(.+\1\.initUIEvent\(\s*[\x22\x27](keypress|click|onkeydown|onkeyup|onmousedown|onmouseup)[\x22\x27]){5}/Os"; metadata:service http; reference:bugtraq,31476; reference:cve,2008-4324; classtype:attempted-dos; sid:20727; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Thunderbird / SeaMonkey Content-Type header buffer overflow attempt"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3a\s*(?![^\r\n]{0,50}boundary=\x22Apple-Mail=)[^\x0d\x0a\x3b]{77}/smi"; metadata:service smtp; reference:cve,2006-6505; classtype:attempted-user; sid:20667; rev:8;)
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Thunderbird / SeaMonkey Content-Type header buffer overflow attempt"; flow:to_client,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3a\s*(?![^\r\n]{0,50}boundary=\x22Apple-Mail=)[^\x0d\x0a\x3b]{77}/smi"; reference:cve,2006-6505; classtype:attempted-user; sid:20666; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple content-disposition headers malicious redirect attempt"; flow:to_client,established; content:"|0A|Content|2D|Disposition|3A|"; nocase; http_header; content:"|0A|Content|2D|Disposition|3A|"; distance:0; nocase; http_header; pcre:"/(300|301|302|303|307)/S"; metadata:service http; reference:cve,2011-3000; classtype:web-application-attack; sid:20586; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple content-length headers malicious redirect attempt"; flow:to_client,established; content:"|0A|Content|2D|Length|3A|"; nocase; http_header; content:"|0A|Content|2D|Length|3A|"; distance:0; nocase; http_header; pcre:"/(300|301|302|303|307)/S"; metadata:service http; reference:cve,2011-3000; classtype:web-application-attack; sid:20585; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple content-type headers malicious redirect attempt"; flow:to_client,established; content:"|0A|Content|2D|Type|3A|"; nocase; http_header; content:"|0A|Content|2D|Type|3A|"; distance:0; nocase; http_header; pcre:"/(300|301|302|303|307)/S"; metadata:service http; reference:cve,2011-3000; classtype:web-application-attack; sid:20584; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple location headers malicious redirect attempt"; flow:to_client,established; content:"|0A|Location|3A|"; nocase; http_header; content:"|0A|Location|3A|"; distance:0; nocase; http_header; pcre:"/(300|301|302|303|307)/S"; metadata:service http; reference:cve,2011-3000; classtype:web-application-attack; sid:20583; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0x81000002"; nocase; content:"a.reduceRight|28|callback|2C|0|29|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19714; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt"; flow:to_client,established; file_data; content:"cobj|2E|id=|22|testcase|22|"; fast_pattern; nocase; content:"document|2E|body|2E|appendChild|28|cobj|29|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3765; classtype:attempted-user; sid:19292; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt"; flow:to_client,established; file_data; content:"var cobj=document.createElement(str)"; content:"<script>crashme()|3B|</script>"; distance:0; fast_pattern; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3765; classtype:attempted-user; sid:19077; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt"; flow:to_client,established; file_data; content:"var cobj=document.createElement(str)|3B 0A 20 20 20|cobj.id=|22|testcase|22 3B 0A 20 20 20|document.body.appendChild(cobj)|3B|"; content:"for(p in obj){|0A 20 20 20 20 20 20|if(typeof(obj[p])==|22|string|22|){"; distance:0; content:"document.body.removeChild(cobj)|3B|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3765; classtype:attempted-user; sid:19076; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E|"; depth:70; metadata:service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18486; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1|"; fast_pattern:only; metadata:service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18485; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox JS Web Worker arbitrary code execution attempt"; flow:to_client,established; file_data; content:"postMessage"; fast_pattern; content:"data.concat"; within:50; content:"Worker"; pcre:"/\x2epostMessage\s*\x28\s*([^\s]+)\x2edata\x2econcat\s*\x28\1\x2edata\s*\x29/"; metadata:service http; reference:cve,2009-3371; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=514554; classtype:attempted-user; sid:18332; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox new function garbage collection remote code execution attempt"; flow:to_client,established; file_data; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|29 27 29 3B 20 7D|"; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|2C|buf|29 27 29 3B 20 7D|"; within:200; metadata:service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18302; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox GeckoActiveXObject memory corruption attempt"; flow:to_client,established; file_data; content:"str|2B 3D|str|3B|"; content:"window.GeckoActiveXObject|28|str|29 3B|"; within:200; metadata:service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18301; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript large regex memory corruption attempt"; flow:to_client,established; file_data; content:"Ocilla|7C|Ocoee|7C|Oconee|7C|Oconomowoc|7C|Ocontoabasadasdasdasdasdasdasdad|7C|x|29 29 2F|i|3B|"; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1737; classtype:attempted-user; sid:18298; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"|25|3C|21 2D 2D 25|20Comment|25|20|2D 2D 25|3E|25|3Csvg|25|20xmlns|3D 25|22http|3A 2F 2F|www|2E|w3|2E|org|2F|2000|2F|svg|25|22|25|20version|3D 25|221|2E|1|25|22|25|20baseProfile|3D 25|22full|25|22|25|3E|25|3C|2F|svg|25|3E"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:18296; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt"; flow:to_client,established; file_data; content:"<q style=|22|position:relative|3B 22|>"; nocase; content:"<q style=|22|position:relative|3B 22|>"; within:75; nocase; content:".style.position=|27|static|27 3B|"; within:250; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,16476; reference:cve,2006-0294; classtype:attempted-user; sid:18286; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript deleted frame or window reference attempt"; flow:to_client,established; file_data; content:"|2E|location|20 3D 20 22|about|3A|blank|22 3B|"; content:"setTimeout|28|b|2C 20|500|29 3B|"; within:100; metadata:service http; reference:cve,2006-3801; classtype:attempted-user; sid:18264; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript deleted frame or window reference attempt"; flow:to_client,established; file_data; content:"editEl|20 3D 20|window|2E|el|3B|"; content:"editEl|2E|innerHTML|20 3D 20|value|3B|"; distance:0; content:"editEl|2E|disabled|20 3D 20|false|3B|"; distance:0; metadata:service http; reference:cve,2006-3801; classtype:attempted-user; sid:18263; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine function arguments memory corruption attempt"; flow:to_client,established; file_data; content:"for|28|"; content:"=0|3B|"; within:20; content:"<25|3B|"; within:20; fast_pattern; pcre:"/\=new Function\(\s*(?P<var>\w+)(\x2C\s*(?P=var)){20}/"; metadata:service http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18262; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine String.toSource memory corruption attempt"; flow:to_client,established; file_data; content:"<1024|2A|1024|3B|"; fast_pattern:only; content:"<1024/4|3B|"; pcre:"/\<1024\*1024\x3B\w+\x2B\x2B\)\s*(?P<var1>\w+)\s*\x2B\x3D.*\<1024\/4\x3B\w+\x2B\x2B\)\s*\w+\s*\x2B\x3D\s*(?P=var1)\x3B/"; metadata:service http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18261; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products EscapeAttributeValue integer overflow attempt"; flow:to_client,established; file_data; content:"alert|28|xx.toXMLString"; fast_pattern:only; content:"for|28|i=0|3B|i<|28|1024*1024|29|/2|3B|i++|29| m += |22 5C|n|22 3B|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16476; reference:cve,2006-0297; classtype:attempted-user; sid:18250; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Multiple browser marquee tag denial of service attempt"; flow:to_client,established; file_data; content:"document.write|28 27|<html><marquee><h1>|27|"; content:"+"; within:1; content:"+"; within:10; content:"|29 3B|"; within:15; metadata:service http; reference:bugtraq,18165; reference:cve,2006-2723; classtype:attempted-dos; sid:18188; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox InstallTrigger.install memory corruption attempt"; flow:to_client,established; file_data; content:"InstallTrigger.install.call|28|document"; fast_pattern:only; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1790; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=290162; classtype:attempted-user; sid:18187; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products -moz-grid and -moz-grid-group display styles code execution attempt"; flow:to_client,established; file_data; content:"|3C|button onclick|3D 22|document|2E|getElementsByTagName|28 27|row|27 29 5B|0|5D 2E|style|2E|display|3D 27 2D|moz|2D|grid|2D|group|27 22|"; fast_pattern:only; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1738; classtype:attempted-user; sid:18186; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt"; flow:to_client,established; file_data; content:"|63 6C 61 73 73 3D 22 6D 65 6E 75 22 3E 3C 61 20 68 72 65 66 3D 22 22 20 74 61 72 67 65 74 3D 22 5F 74 6F 70 22 3E 51 51 51 51 51 51 51 51 51 51 3C 2F 61 3E|"; content:"|63 6C 61 73 73 3D 22 6D 65 6E 75 22 3E 3C 61 20 68 72 65 66 3D 22 22 20 74 61 72 67 65 74 3D 22 5F 74 6F 70 22 3E 51 51 51 51 51 51 51 51 51 51 3C 2F 61 3E|"; distance:0; metadata:service http; reference:bugtraq,19197; reference:cve,2006-3113; classtype:attempted-user; sid:18178; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt"; flow:to_client,established; file_data; content:"|73 72 63 3D 22 64 61 74 61 3A 74 65 78 74 2F 68 74 6D 6C 3B 63 68 61 72 73 65 74 3D 75 74 66 2D 38 2C 25 33 43 68 74 6D 6C 25 33 45 25 30 44 25 30 41|"; content:"|25|3Cscript|25|3E"; within:300; content:"window|2E|addEventListener|28|"; within:500; metadata:service http; reference:bugtraq,19197; reference:cve,2006-3113; classtype:attempted-user; sid:18177; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt"; flow:to_client,established; file_data; content:"|73 72 63 3D 22 64 61 74 61 3A 74 65 78 74 2F 68 74 6D 6C 3B 63 68 61 72 73 65 74 3D 75 74 66 2D 38 2C 25 33 43 68 74 6D 6C 25 33 45 25 30 44 25 30 41|"; content:"|25|3Cscript|25|3E"; within:300; content:"window|2E|removeEventListener|28|"; within:500; metadata:service http; reference:bugtraq,19197; reference:cve,2006-3113; classtype:attempted-user; sid:18176; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox and SeaMonkey onUnload event handler memory corruption attempt"; flow:to_client,established; file_data; content:"|64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 28 27 3C 68 74 6D 6C 3E 3C 62 6F 64 79 20 6F 6E 75 6E 6C 6F 61 64 3D 22|"; content:"|66 6F 72 20 28 69 3D 30 3B 69 3C 32 35 30 3B 69 2B 2B 29|"; distance:0; content:"|64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 28 27 3C 73 63 72 69 70 74 3E 64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 28 22|"; distance:0; metadata:service http; reference:bugtraq,22679; reference:cve,2007-1092; classtype:attempted-user; sid:18170; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"|3C|HR WIDTH|3D|4444444 COLOR|3D 22 23|000000|22 3E|"; fast_pattern:only; metadata:service http; reference:cve,2006-1739; classtype:attempted-user; sid:18078; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"%n%n%n%n%n%n|22|EWIDTH=left SIZE=|8B 8B 8B 8B 8B|"; fast_pattern:only; metadata:service http; reference:cve,2006-1739; classtype:attempted-user; sid:18077; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution"; flow:to_client,established; file_data; content:"contentDocument.designMode"; nocase; content:"addEvenListener|28|"; distance:0; nocase; content:"iframe.style.position"; within:100; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:17570; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript Engine Information Disclosure attempt"; flow:to_client,established; file_data; content:"var|20|mem|20 3D 20|genGluck|28 20 22|XXX"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12998; reference:cve,2005-0989; classtype:attempted-user; sid:17415; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Animated PNG Processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; byte_test:4,>,32767,0,relative; content:"|01|"; within:1; distance:12; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4064; classtype:attempted-user; sid:17379; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox domain name handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|22|http|3A 2F 2F 22 20 2B 0A|"; nocase; content:"|22|%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD|22|"; within:100; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14784; reference:cve,2005-2871; classtype:attempted-user; sid:17222; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox domain name handling buffer overflow attempt"; flow:to_client,established; file_data; content:"HREF=https|3A|--------------------"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14784; reference:cve,2005-2871; classtype:attempted-user; sid:17221; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox domain name handling buffer overflow attempt"; flow:to_client,established; file_data; content:"HREF=https|3A AD AD AD AD AD AD AD AD AD AD AD AD AD|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14784; reference:cve,2005-2871; classtype:attempted-user; sid:17220; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Chrome Page Loading Restriction Bypass attempt"; flow:to_client,established; file_data; content:"window|2E|open"; nocase; content:"about|3A|mozilla"; within:50; nocase; content:"document|2E|write"; distance:0; nocase; content:"about|3A|config"; within:50; fast_pattern; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2706; reference:url,secunia.com/advisories/16911/; classtype:attempted-user; sid:17213; rev:9;)
# alert tcp $EXTERNAL_NET 1080 -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox oversized SOCKS5 DNS reply memory corruption attempt"; flow:to_client,established; content:"|05 00 00 03|"; depth:4; isdataat:16,relative; reference:bugtraq,35925; reference:cve,2009-2470; classtype:attempted-user; sid:16612; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client,established; file_data; content:"|3A|first-letter {float|3A| "; fast_pattern; content:".setAttribute|28|'style', 'display|3A| -moz-box|3B| '|29 3B|"; content:".style.display= 'none'|3B|"; within:60; metadata:service http; reference:bugtraq,36866; reference:cve,2009-3382; classtype:attempted-user; sid:16347; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox tag order memory corruption attempt"; flow:to_client,established; file_data; content:"BGCOLOR=|22|http|3A 22|-|9D 22 22| DP=-|B3| UNITS=|22 E2 E2 E2 E2|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17516; reference:cve,2006-0749; classtype:attempted-user; sid:16050; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox CSS Letter-Spacing overflow attempt"; flow:to_client,established; file_data; content:"style=|22|letter-spacing|3A| -2147483648"; fast_pattern:only; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1730; classtype:attempted-user; sid:16044; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Thunderbird WYSIWYG engine filtering IFRAME JavaScript execution attempt"; flow:to_server,established; content:"<iframe"; nocase; pcre:"/^\s*[^\x3e]*src\s*\x3d\s*[\x22\x27][^\x22\x27]*javascript\x3a/iR"; metadata:service smtp; reference:bugtraq,16770; reference:cve,2006-0884; classtype:attempted-user; sid:16038; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript Function focus overflow attempt"; flow:to_client,established; file_data; content:"window"; nocase; content:"document.designMode"; within:150; fast_pattern; content:"on"; within:10; nocase; content:"window"; nocase; content:"open"; within:15; nocase; content:"window"; within:75; nocase; content:"window"; within:75; nocase; content:"<iframe"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17671; reference:cve,2006-1993; classtype:attempted-user; sid:16024; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox location spoofing attempt via invalid window.open characters"; flow:to_client,established; file_data; content:"window.open("; fast_pattern; nocase; content:"http:"; within:15; nocase; content:"stop"; distance:0; nocase; pcre:"/window\x2Eopen\x28\s?(\x22|\x26quot\x3B|\x27)\s?http\x3A[^\x27\x22]*(\x25[^0-9a-f]|\x2C).*?stop/smi"; metadata:service http; reference:bugtraq,35803; reference:cve,2009-2654; classtype:misc-attack; sid:15873; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_client,established; file_data; content:"i = Math.ceil(Math.log(num) / Math.LN2),"; fast_pattern:only; content:"return res.slice(0, str.length * num)"; metadata:service http; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:15699; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox animated PNG processing integer overflow"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR|00 00 80 00 00 00 80 00 08 06 00 00 01 B3|{|93|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4064; classtype:attempted-user; sid:15191; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Apple Quicktime chrome exploit"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"-chrome"; pcre:"/-chrome\s*javascript/"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-5045; classtype:attempted-user; sid:12593; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla compareTo arbitrary code execution attempt"; flow:to_client,established; file_data; content:"InstallVersion"; nocase; content:"compareTo"; distance:0; nocase; pcre:"/InstallVersion\s*\x29?\s*\.\s*compareTo/smi"; metadata:service http; reference:bugtraq,14242; reference:cve,2005-2265; reference:url,www.mozilla.org/security/announce/2005/mfsa2005-50.html; classtype:attempted-user; sid:10131; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox query interface suspicious function call access attempt"; flow:to_client,established; file_data; content:"location.QueryInterface"; nocase; content:"Components.interfaces.nsIClassInfo"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16476; reference:cve,2006-0295; reference:url,www.mozilla.org/security/announce/2006/mfsa2006-04.html; classtype:attempted-user; sid:10063; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SVG data processing obfuscated memory corruption attempt"; flow:to_client,established; file_data; content:"split|28 22 22 29 2E|reverse|28 29 2E|join|28 22 22 29|"; content:"appendItem"; distance:1; content:"replaceItem"; distance:1; pcre:"/(?P<N1>[a-zA-Z\x5f][a-zA-Z\x5f0-9]*\x2e)appendItem(?!.+?(?P=N1)appendItem).+?(?P=N1)replaceItem/s"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33990; reference:cve,2009-0771; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-07.html; classtype:attempted-user; sid:29580; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client,established; file_data; content:"|3A|first-letter { float|3A| "; fast_pattern:only; content:"|5B 22|setAttribute|22 5D 28|'style', 'display|3A| table-cell'"; content:"|5B 22|style|22 5D 5B 22|display|22 5D|= 'none'"; within:60; metadata:service http; reference:bugtraq,36866; reference:cve,2009-3382; classtype:attempted-user; sid:29579; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Products SVG text content element getCharNumAtPosition use after free attempt"; flow:to_client,established; file_data; content:"<svg"; nocase; content:"<text id"; within:400; nocase; content:"getElementByID"; within:300; nocase; content:"removeChild"; within:100; content:"getCharNumAtPosition"; within:200; nocase; pcre:"/removeChild\((?<element>\w{1,20})\).*(?P=element)\.getCharNumAtPosition/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49213; reference:cve,2011-0084; classtype:attempted-user; sid:29503; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow attempt"; flow:to_client,established; file_data; content:".length"; nocase; content:".reduceRight"; within:300; pcre:"/(?P<var>\w+)\.length\s*?\x3d\s*?([2-9][0-9]{9,11}|0x[8-fF][0-9a-zA-Z]{7}).*?(?P=var)\.reduceRight/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:29625; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow attempt"; flow:to_client,established; file_data; content:".length"; nocase; content:".reduceRight"; within:300; pcre:"/var\s*?(?P<var>\w+)\s*?\x3d\s*?([2-9][0-9]{9,11}|0x[8-fF][0-9a-zA-Z]{7}).*?(?P<var2>\w+)\.length\s*?\x3d\s*?(?P=var).*?(?P=var2)\.reduceRight/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:29624; rev:2;)
# alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt"; flow:to_server,established; file_data; content:"|2E|view|2E|selection"; nocase; content:"|2E|invalidateSelection"; distance:0; nocase; pcre:"/\x2Eview\x2Eselection.*?\x2Etree\s*\x3D\s*null.*?\x2Einvalidate/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0073; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; classtype:attempted-user; sid:29617; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt"; flow:to_server,established; file_data; content:".view.selection"; nocase; content:"rangedSelect("; distance:0; content:".adjustSelection"; distance:0; nocase; pcre:"/\x2Eview\x2Eselection.*?\x2ErangedSelect\x28\s*\d+,\s*(0x[a-f0-9]{7}|\d{8}).*?\x2eadjustSelection\x28\s*\d+\s*,\s*\d/smi"; metadata:service smtp; reference:cve,2010-2753; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=571106; classtype:attempted-user; sid:30486; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt"; flow:to_client,established; file_data; content:".view.selection"; nocase; content:"rangedSelect("; distance:0; content:".adjustSelection"; distance:0; nocase; pcre:"/\x2Eview\x2Eselection.*?\x2ErangedSelect\x28\s*\d+,\s*(0x[a-f0-9]{7}|\d{8}).*?\x2eadjustSelection\x28\s*\d+\s*,\s*\d/smi"; metadata:service http; reference:cve,2010-2753; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=571106; classtype:attempted-user; sid:30485; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Multiple browser pressure function denial of service attempt"; flow:to_client, established; file_data; content:"spray()"; nocase; content:"new ArrayBuffer(0x"; content:"000"; within:3; distance:1; content:".toString()"; metadata:service http; reference:cve,2014-1512; classtype:denial-of-service; sid:31513; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox XBM image processing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xbm; file_data; content:"static|20|char|20|gopher|5F|binary|5F|bits|5B 5D|"; content:"0x71|2C 20|0x26|2C 20|0x01|20 20 20 20 20 20|"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,14916; reference:cve,2005-2701; classtype:attempted-user; sid:32133; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt"; flow:to_client,established; file_data; content:"javascript|3A|//"; fast_pattern:only; content:"document.cookie"; nocase; metadata:ruleset community, service http; reference:bugtraq,5293; reference:cve,2002-2314; classtype:attempted-user; sid:1841; rev:18;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt"; flow:to_server,established; file_data; content:"javascript|3A|//"; fast_pattern:only; content:"document.cookie"; nocase; metadata:ruleset community, service smtp; reference:bugtraq,5293; reference:cve,2002-2314; classtype:attempted-user; sid:32244; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl:key name=|22|"; depth:15; offset:117; fast_pattern; content:"match=|22|"; within:7; distance:10; content:"use=|22|"; within:5; distance:10; content:"</xsl:stylesheet>"; within:17; distance:101; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,attack.mitre.org/techniques/T1220; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:33566; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt"; flow:to_server,established; file_data; content:"chrome|3A|//browser/content/browser.xul"; fast_pattern:only; content:".messageManager"; nocase; content:".loadFrameScript"; nocase; content:".setPrototypeOf"; nocase; content:"Proxy.create"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,72041; reference:cve,2014-8636; classtype:attempted-user; sid:33904; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt"; flow:to_client,established; file_data; content:"chrome|3A|//browser/content/browser.xul"; fast_pattern:only; content:".messageManager"; nocase; content:".loadFrameScript"; nocase; content:".setPrototypeOf"; nocase; content:"Proxy.create"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72041; reference:cve,2014-8636; classtype:attempted-user; sid:33903; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt"; flow:to_server,established; file_data; content:"Components.classes"; nocase; content:"mozilla.org/file/local"; within:100; nocase; content:"Components.interfaces.nsILocalFile"; within:100; nocase; content:"initWithPath"; within:100; nocase; content:"C|3A 5C 5C|"; within:25; nocase; content:"|2C 20 22|x|22 2C|"; content:"|22|chrome"; within:10; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,72041; reference:cve,2014-8636; classtype:attempted-user; sid:34110; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt"; flow:to_client,established; file_data; content:"Components.classes"; nocase; content:"mozilla.org/file/local"; within:100; nocase; content:"Components.interfaces.nsILocalFile"; within:100; nocase; content:"initWithPath"; within:100; nocase; content:"C|3A 5C 5C|"; within:25; nocase; content:"|2C 20 22|x|22 2C|"; content:"|22|chrome"; within:10; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72041; reference:cve,2014-8636; classtype:attempted-user; sid:34109; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt"; flow:to_server,established; file_data; content:"readystatechange"; fast_pattern:only; content:"addEventListener"; content:"ArrayBuffer("; content:"Int32Array"; content:"window.stop"; content:!"ArrayBufferView"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1690; reference:url,pastebin.mozilla.org/2777139; classtype:attempted-user; sid:33090; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt"; flow:to_server,established; file_data; content:"document.onreadystatechange"; content:"window.parent.frames[0].frameElement.ownerDocument.write("; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1690; reference:url,pastebin.mozilla.org/2777139; classtype:attempted-user; sid:33089; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt"; flow:to_client,established; file_data; content:"document.onreadystatechange"; content:"window.parent.frames[0].frameElement.ownerDocument.write("; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1690; reference:url,pastebin.mozilla.org/2777139; classtype:attempted-user; sid:33088; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt"; flow:to_server,established; file_data; content:"XMLSerializer()"; nocase; content:"removeChild"; within:100; nocase; content:"serializeToStream"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,57209; reference:cve,2013-0753; reference:url,www.mozilla.org/security/announce/2013/mfsa2013-16.html; classtype:attempted-user; sid:32994; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt"; flow:to_client,established; file_data; content:"XMLSerializer()"; nocase; content:"removeChild"; within:100; nocase; content:"serializeToStream"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57209; reference:cve,2013-0753; reference:url,www.mozilla.org/security/announce/2013/mfsa2013-16.html; classtype:attempted-user; sid:32993; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt"; flow:to_client,established; file_data; content:"readystatechange"; fast_pattern:only; content:"addEventListener"; content:"ArrayBuffer("; content:"Int32Array"; content:"window.stop"; content:!"ArrayBufferView"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1690; reference:url,pastebin.mozilla.org/2777139; classtype:attempted-user; sid:27568; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox onChannelRedirect method attempt"; flow:to_client,established; file_data; content:"<object "; nocase; content:"<script"; within:100; content:".onChannelRedirect("; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0065; classtype:attempted-user; sid:24994; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt"; flow:established,to_server; file_data; content:"IDBKeyRange"; fast_pattern:only; pcre:"/IDBKeyRange\x2e(only|lowerBound|upperBound|bound)\x28.*?\x29.{0,100}\x2e(lower|upper|lowerOpen|upperOpen)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0469; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=738985; classtype:attempted-user; sid:24574; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt"; flow:established,to_server; file_data; content:"IDBKeyRange.lowerBound("; content:".upper"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0469; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=738985; classtype:attempted-user; sid:24573; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt"; flow:established,to_client; file_data; content:"IDBKeyRange"; fast_pattern:only; pcre:"/IDBKeyRange\x2e(only|lowerBound|upperBound|bound)\x28.*?\x29.{0,100}\x2e(lower|upper|lowerOpen|upperOpen)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0469; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=738985; classtype:attempted-user; sid:24572; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt"; flow:established,to_client; file_data; content:"IDBKeyRange.lowerBound("; content:".upper"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0469; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=738985; classtype:attempted-user; sid:24571; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt"; flow:established,to_server; file_data; content:"IDBKeyRange.only("; content:").lower"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0469; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=738985; classtype:attempted-user; sid:24570; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Multiple Products table frames memory corruption attempt"; flow:to_client,established; file_data; content:"<style>"; nocase; content:"table:after"; fast_pattern:only; pcre:"/table\x3aafter\s*\x7b.*?display\s*\x3a\s*table-(footer|header|row)-group\x3b/smi"; content:"<table contenteditable>"; distance:0; nocase; content:"<col>"; distance:0; nocase; content:"<tfoot>"; nocase; content:"<colgroup>"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1952; classtype:attempted-user; sid:23789; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt"; flow:established,to_client; file_data; content:"IDBKeyRange.only("; content:").lower"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0469; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=738985; classtype:attempted-user; sid:23212; rev:10;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Multiple Products MozOrientation loading attempt"; flow:to_client,established; content:"addEventListener"; nocase; content:"MozOrientation"; distance:0; nocase; pcre:"/addEventListener\s*?\x28(?P<q1>\x22|\x27)\s*?MozOrientation\s*?(?P=q1)/smi"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,49217; reference:cve,2011-2980; classtype:attempted-user; sid:21191; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Multiple Products MozOrientation loading attempt"; flow:to_client,established; file_data; content:"addEventListener"; nocase; content:"MozOrientation"; distance:0; nocase; pcre:"/addEventListener\s*?\x28(?P<q1>\x22|\x27)\s*?MozOrientation\s*?(?P=q1)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49217; reference:cve,2011-2980; classtype:attempted-user; sid:21190; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Products SVG text content element getCharNumAtPosition use after free attempt"; flow:to_client,established; file_data; content:"SVGDocument"; fast_pattern; nocase; content:"point"; distance:0; nocase; content:"y"; nocase; content:"x"; nocase; content:"getCharNumAtPosition"; distance:0; nocase; pcre:"/.*?(\w*)\s*=\s*SVGDocument.*var\s*point\s*=.*?get\s*(x|y)\s*\x28\s*\x29\s*\x7B\s*\1\.parentNode\.removeChild\x28\1\x29.*?alert\x28\1\.getCharNumAtPosition\x28point\x29/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49213; reference:cve,2011-0084; classtype:attempted-user; sid:20600; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt"; flow:to_client,established; file_data; content:"|2E|view|2E|selection"; nocase; content:"|2E|invalidateSelection"; distance:0; nocase; pcre:"/\x2Eview\x2Eselection.*?\x2Etree\s*\x3D\s*null.*?\x2Einvalidate/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0073; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; classtype:attempted-user; sid:20072; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0xffffffff"; nocase; content:"a.reduceRight|28|callback|2C|0|29|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19713; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Products nsCSSValue Array Index Integer Overflow"; flow:to_client,established; file_data; content:"@font-face"; nocase; content:"src|3A 20|url"; distance:0; nocase; isdataat:2000,relative; content:!"|3B|"; within:2000; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41852; reference:cve,2010-2752; classtype:attempted-user; sid:19321; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption"; flow:to_client,established; file_data; content:"var tags = new Array (|22|base|22|, |22|a|22|, |22|audio|22|)"; nocase; content:"tobj.id = |22|telus|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3765; classtype:attempted-user; sid:19078; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla EnsureCachedAttrParamArrays integer overflow attempt"; flow:to_client,established; file_data; content:"<applet"; nocase; isdataat:5000,relative; content:!"</applet"; within:5000; nocase; content:"<param"; within:500; distance:1500; nocase; content:"<param"; within:50; nocase; content:"<param"; within:50; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41842; reference:cve,2010-1214; classtype:attempted-user; sid:18809; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption"; flow:to_client,established; file_data; content:"var tags = new Array|28 22|audio|22|, |22|a|22|, |22|base|22 29|"; nocase; content:"var html = |22|<|22| + tags[i] + |22| |22| + atts[j]"; distance:0; fast_pattern; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3765; classtype:attempted-user; sid:17804; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"getElementById|28|'para'|29|.childNodes[0].splitText|28|11|29|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:17719; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox ConstructFrame with floating first-letter memory corruption attempt"; flow:to_client,established; file_data; content:"first-letter"; nocase; content:"float: right"; distance:0; nocase; content:"parentNode.removeAttribute(|22|class|22|)"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35765; reference:cve,2009-2462; classtype:attempted-user; sid:17642; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple products CSSValue array memory corruption attempt"; flow:to_client,established; file_data; content:"counter|2D|reset|3A|"; content:"counter|2D|increment|3A|"; distance:0; content:"|3C|ol|20|id|3D 22|id1|22 3E 0A|"; distance:0; content:"|3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,29802; reference:cve,2008-2785; classtype:attempted-user; sid:17630; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Chrome Page Loading Restriction Bypass attempt"; flow:to_client,established; file_data; content:"window|2E|open"; nocase; content:"about:"; within:10; nocase; content:"document|2E|write"; distance:0; nocase; content:"about:"; within:30; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14920; reference:cve,2005-2706; classtype:attempted-user; sid:17629; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client, established; file_data; content:"first-letter"; nocase; content:"direction"; distance:0; nocase; content:"rtl"; within:8; content:"white"; distance:0; nocase; content:"space"; within:6; nocase; content:"pre"; within:10; nocase; content:"|3C|span"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35326; reference:cve,2009-1392; classtype:attempted-user; sid:17613; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElement"; nocase; content:"type = |22|"; within:70; nocase; byte_extract:4,0,changed_var,relative; content:".blur()"; within:50; content:"input"; within:200; nocase; content:"type=|22|"; within:20; nocase; byte_test:4,!=,changed_var,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32281; reference:cve,2008-5021; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-55.html; classtype:attempted-user; sid:17603; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xul; file_data; content:"style="; content:"<treechildren"; nocase; content:"<treechildren"; distance:0; nocase; content:"ordinal"; content:"event.target.parentNode.removeChild"; fast_pattern:only; pcre:"/onoverflow\s*?=\s*?(\x22|\x27)\s*?event\.target\.parentNode\.removeChild/smi"; pcre:"/<treechildren.*?ordinal=.*?<treechildren/smi"; pcre:"/<tree.*?tree(?!children).*?<treechildren.*?<treechildren/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32281; reference:cve,2008-5016; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-52.html; classtype:attempted-user; sid:17601; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox tag order memory corruption attempt"; flow:to_client,established; file_data; content:"<table>|0A|<html>|0A|<frameset>"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17516; reference:cve,2006-0749; classtype:attempted-user; sid:17581; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow"; flow:to_client,established; file_data; content:"<a href=|22 01 78 78|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31346; reference:cve,2008-0016; classtype:attempted-user; sid:17519; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla NNTP URL Handling Buffer Overflow attempt"; flow:to_client,established; file_data; content:"news|3A 2F 2F|"; pcre:"/news\x3a\x2f\x2f.*?\x2f?(profile|search).*?\x2f.*?\x5c[^\s\x22\x27]{0,1}/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12131; reference:cve,2004-1316; classtype:attempted-user; sid:17482; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl|3A|key name=|22|poc|22| match=|22|nodeB|22| use=|22|does_not_exist|28 29 22|/>"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,attack.mitre.org/techniques/T1220; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:17444; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Unicode sequence handling stack corruption attempt"; flow:to_client,established; file_data; content:"|3B 26 23|8204|3B 26 23|8204"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14918; reference:cve,2005-2702; classtype:attempted-user; sid:17434; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IconURL Arbitrary Javascript Execution attempt"; flow:to_client,established; file_data; content:"IconURL|3A 20 22|javascript|3A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13544; reference:cve,2005-1477; classtype:attempted-user; sid:17424; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox defineSetter function pointer memory corruption attempt"; flow:to_client,established; file_data; content:"p.type=|27|xxx|27|"; nocase; content:"__defineSetter__|28|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35758; reference:cve,2009-2469; classtype:attempted-user; sid:17422; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript Engine Information Disclosure attempt"; flow:to_client,established; file_data; content:"x|20 3D 20|x|2E|replace|28 2F|end|2F|i|2C 20|function|28 24|1|29 7B 20|var|20|y|20 3D 20 22|any|22 3B 20|y|2E|match|28 2F|any|2F|i|29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12998; reference:cve,2005-0989; classtype:attempted-user; sid:17414; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-FIREFOX Mozilla Products IDN Spoofing Vulnerability Attempt"; flow:to_server,established; content:"xn--"; nocase; pcre:"/^Host\x3A\x20(www\x2e)?xn\x2d\x2d/mi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12470; reference:cve,2005-0233; classtype:attempted-user; sid:17409; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; file_data; content:"a|5B|6|5D 20 3D 20 22|toto|22 3B|"; content:"a|2E|splice|28|6|2C 20|1|29 3B|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17399; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; file_data; content:"a|5B|10|5D 20 3D 20 22|AAAAAAAAAA|22 3B|"; content:"a|2E|splice|28|10|2C 20|1|29 3B|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17398; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox DOMNodeRemoved attack attempt"; flow:to_client,established; file_data; content:"document|2E|addEventListener|28 22|DOMNodeRemoved|22|"; nocase; content:"document|2E|body|2E|appendChild|28|document|2E|getElementById|28|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,18228; reference:cve,2006-2779; classtype:attempted-user; sid:17389; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Animated PNG Processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; byte_test:4,>,32767,4,relative; content:"|01|"; within:1; distance:12; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4064; classtype:attempted-user; sid:17378; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox XBM image processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xbm; file_data; content:"static|20|char|20|gopher|5F|binary|5F|bits|5B 5D|"; content:"0x71|2C 20|0x26|2C 20|0x01|20 20 20 20 20 20|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14916; reference:cve,2005-2701; classtype:attempted-user; sid:17360; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox sidebar panel arbitrary code execution attempt"; flow:to_client,established; file_data; content:"onclick|3D 22|window|2E|sidebar|2E|addPanel|28 27|FSC|20|sidebar"; content:"http|3A 2F 2F|gsx3|2F 7E|swarelis|2F|CAN|2D|2005|2D|0402|2F|poc|2E|html"; distance:4; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12884; reference:cve,2005-0402; classtype:attempted-user; sid:17268; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox plugin access control bypass attempt"; flow:to_client,established; file_data; content:"file|2E|initWithPath|28 22|c|3A 5C 5C 5C 5C|booom|2E|bat"; content:"xpcom|20 2B 3D 20 27|file|2E|createUnique"; content:"outputStream|2E|init|28|file|2C|0x04|7C|0x08|7C|0x20|2C|420"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12655; reference:cve,2005-0527; reference:url,attack.mitre.org/techniques/T1176; classtype:attempted-user; sid:17265; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript contentWindow in an iframe exploit attempt"; flow:to_client,established; file_data; content:"contentWindow.document"; content:".designMode"; within:100; fast_pattern; content:"on"; within:10; nocase; content:".contentWindow"; distance:0; content:".focus"; within:50; content:"<iframe"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17671; reference:cve,2006-1993; classtype:attempted-user; sid:17260; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox XUL tree element code execution attempt"; flow:to_client,established; file_data; content:"timedSelect"; fast_pattern:only; content:"view"; content:"selection"; within:25; content:"=null"; within:15; content:"parentNode"; content:"removeChild"; within:25; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34181; reference:cve,2009-1044; classtype:attempted-user; sid:17258; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox image dragging exploit attempt"; flow:to_client,established; file_data; content:"|3C|img|20|"; content:"|2E|bat"; distance:0; fast_pattern; nocase; pcre:"/\x3cimg\s[^\x3e]*?\x2ebat[\x22\x27]/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12468; reference:cve,2005-0230; classtype:attempted-user; sid:17245; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox nsPropertyTable PropertyList memory corruption attempt"; flow:to_client,established; file_data; content:"-moz-column-"; fast_pattern:only; content:"documentElement.style.height"; pcre:"/<html[^>]*?height[^>]*?>/smi"; pcre:"/<body[^>]*?position[^>]*?inherit[^>]*?-moz-column-(count|width)[^>]*?documentElement\.style\.height[^>]*?/smiR"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-3070; reference:url,secunia.com/advisories/36671/; classtype:attempted-user; sid:17236; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox domain name handling buffer overflow attempt"; flow:to_client,established; file_data; content:"HREF=http://&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14784; reference:cve,2005-2871; classtype:attempted-user; sid:17219; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript eval arbitrary code execution attempt"; flow:to_client,established; file_data; content:"arguments|2E|callee|2E|"; nocase; content:"|5F 5F|parent|5F 5F 2E|eval"; distance:0; fast_pattern; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13645; reference:cve,2005-1532; reference:url,secunia.com/advisories/15528/; classtype:attempted-user; sid:17212; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt"; flow:to_client,established; file_data; content:".substr"; content:"$"; within:25; distance:-30; content:".replace|28|"; within:50; pcre:"/(?P<var>\w+)\x2Ereplace\x28\s*(?P=var)\s*\x2C\s*(?P=var)\s*\x29/"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36343; reference:cve,2009-3075; classtype:attempted-user; sid:17166; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2"; flow:to_client,established; file_data; content:"<object"; content:"data"; within:200; content:"|27 27|"; within:20; fast_pattern; pcre:"/\x3Cobject(?![^\x3E]+?src)[^\x3E]+?data\s*\x3D\s*\x27\x27/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41933; reference:cve,2010-2755; reference:url,attack.mitre.org/techniques/T1176; classtype:attempted-user; sid:17154; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1"; flow:to_client,established; file_data; content:"<object"; content:"data"; within:200; content:"|22 22|"; within:20; fast_pattern; pcre:"/\x3Cobject(?![^\x3E]+?src)[^\x3E]+?data\s*\x3D\s*\x22\x22/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41933; reference:cve,2010-2755; reference:url,attack.mitre.org/techniques/T1176; classtype:attempted-user; sid:17153; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based"; flow:to_client,established; file_data; content:"wOFFOTTO"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16502; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt"; flow:to_client,established; file_data; content:"wOFF"; depth:4; content:"|00 00|"; within:2; distance:10; pcre:"/wOFF.{10}\x00\x00.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/is"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16501; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox top-level script object offset calculation memory corruption attempt"; flow:to_client,established; file_data; content:".push"; content:"new"; within:10; pcre:"/\s*function\s*(\S+)\s*\x28\s*\S+\s*\x29[^\x7D]+function\s+\S+\s*\x28[^\x28]*\x29.+?for\s*\x28[^\x29]+\x29[^\x7D]*?\x2Epush\s*\x28\s*new\s+\1/sm"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36343; reference:cve,2009-3073; classtype:attempted-user; sid:16344; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla CSS value counter overflow attempt"; flow:to_client,established; file_data; content:"counter-reset|3A| section"; nocase; content:"<li></li>|0A|<li></li>|0A|<li></li>|0A|<li></li>|0A|<li></li>|0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,29802; reference:cve,2008-2785; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-34.html; classtype:attempted-user; sid:16292; rev:8;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Network Security Services regexp heap overflow attempt"; flow:to_client,established; ssl_state:server_hello; content:"|16|"; content:"|0B|"; within:1; distance:4; byte_test:3,>,0,3,relative,big; content:"|06 03 55 04 03|"; distance:0; pcre:"/^[\x0c\x13]([\x00-\x7f]|\x81.|\x82.{2})\x28(?=[^\x29]*\x7e)[^\x29]*\x7c/sR"; metadata:policy max-detect-ips drop, service ssl; reference:bugtraq,35891; reference:cve,2009-2404; classtype:attempted-user; sid:16291; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"<script>|0A|function doe|28 29|"; content:"getElementById|28|'a'|29|.childNodes[0].splitText|28|1|29|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:16284; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox command line URL shell command injection attempt"; flow:to_server,established; content:"<a href=|22|http|3A|//`echo"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,14888; reference:cve,2005-2968; classtype:attempted-user; sid:16200; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox PKCS11 module installation code execution attempt"; flow:to_client,established; file_data; content:"window.pkcs11.addmodule|28|"; pcre:"/(caption,\x22\x5c\x5c\x5c|\x22\x5cn\x5cn\x5cn\x22\x20\x2b\x20str)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36343; reference:cve,2009-3076; classtype:attempted-user; sid:16142; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox layout frame constructor memory corruption attempt"; flow:to_client,established; file_data; content:"div|3A 3A|first-letter"; nocase; content:"position|3A| fixed"; nocase; content:"<q>"; nocase; content:"display|3A| -moz-box"; nocase; content:"binding.xml"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5959; classtype:attempted-user; sid:16047; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla browsers CSS moz-binding cross domain scripting attempt"; flow:to_client,established; file_data; content:"<P style=|22|-moz-binding|3A| url|28|http|3A|//gsx2/~rzhan/poc.xml|23|exploit|29 3B 22|></P>"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16427; reference:cve,2006-0496; classtype:attempted-user; sid:16042; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products graphics and XML features integer overflows attempt"; flow:to_client,established; file_data; content:"<?xml"; content:"<svg"; distance:0; content:"<filter"; distance:0; pcre:"/^[^\x3E]*(width|height)\s*\x3D\s*(\x22|\x27)([3-9]\d{4}|\d{6})/R"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16476; reference:cve,2006-0297; classtype:attempted-user; sid:16037; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Products QueryInterface method memory corruption attempt"; flow:to_client,established; file_data; content:"Components.interfaces."; content:"|2E|QueryInterface"; distance:0; pcre:"/(?P<var>\S+)\s*\x3D\s*eval\x28\s*(\x22|\x27|)Components\x2Einterfaces\x2E.*?\x2EQueryInterface\x28\s*(?P=var)\s*\x29.*?(location|navigator)/s"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16476; reference:cve,2006-0295; classtype:attempted-user; sid:16036; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products overflow event handling memory corruption attempt"; flow:to_client,established; file_data; content:"charset=utf-8,%3Chtml%3E"; content:"overflow%28%29%22%3ECrashIt"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24376; reference:cve,2007-2876; classtype:attempted-user; sid:16009; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla browsers JavaScript argument passing code execution attempt"; flow:to_client,established; file_data; content:"arguments="; content:"for (|3B 3B|) { arguments()|3B|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22694; reference:cve,2007-0777; classtype:attempted-user; sid:16005; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"bb.appendChild|28|fr.childNodes[4]|29 3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:15999; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox JIT escape function memory corruption attempt"; flow:to_client,established; file_data; content:"=data.charAt("; fast_pattern:only; content:"function"; nocase; content:"(data)"; within:50; nocase; content:"if("; distance:0; nocase; content:"=='"; within:125; content:"'"; within:1; distance:1; content:" = escape("; within:135; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35660; reference:cve,2009-2477; reference:url,www.kb.cert.org/vuls/id/443060; classtype:attempted-user; sid:15997; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox defineSetter function pointer memory corruption attempt"; flow:to_client,established; file_data; content:".watch|28|"; nocase; content:"__defineSetter__|28|"; nocase; pcre:"/(?P<obj>\w+)\.watch\((?P<q1>\x22|\x27|)(?P<prop>[A-Z0-9\x2d\x5f]+)(?P=q1).*(?P=obj)\.__defineSetter__\((?P<q2>\x22|\x27|)(?P=prop)(?P=q2)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35758; reference:cve,2009-2469; classtype:attempted-user; sid:15872; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl|3A|key name=|22|label|22| match=|22|item2|22| use=|22|w00t|28 29 22|/>"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,attack.mitre.org/techniques/T1220; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:15431; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SVG data processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.svg; file_data; content:"getElementsByTagName"; content:"pathSegList"; content:"createSVGPathSegMoveto"; fast_pattern; nocase; content:"appendItem"; distance:1; content:"replaceItem"; distance:1; pcre:"/(?P<N1>[a-zA-Z\x5f][a-zA-Z\x5f0-9]*\x2e)appendItem(?!.+?(?P=N1)appendItem).+?(?P=N1)replaceItem/s"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33990; reference:cve,2009-0771; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-07.html; classtype:attempted-user; sid:15428; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox XBL Event Handler Tags Removal memory corruption attempt"; flow:to_client,established; file_data; content:"XUL_NS"; content:"child.parentNode.removeChild"; distance:0; content:"onselect=|22|deleteChild|28|event.originalTarget|29|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26132; reference:cve,2007-5339; classtype:attempted-user; sid:15383; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SVG pathSegList memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById("; content:"path"; within:10; content:".pathSegList.getItem("; fast_pattern; content:"-"; within:5; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:15164; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution"; flow:to_client,established; file_data; content:"iframe"; nocase; content:"iframe.contentDocument.designMode"; nocase; content:"addEventListener"; nocase; pcre:"/addEventListener\s*\(\s*(?P<q>\x22|\x27|)(mouse(move|down)|keydown)(?P=q)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:13838; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla regular expression heap corruption attempt"; flow:to_client,established; file_data; content:"new RegExp|28|"; nocase; pcre:"/new\s*?RegExp\x28(?=[^\x29]*\x5c{2}[\x22\x27])[^\x29]*\x5b[^\x5d]*\x5c{2}[\x22\x27]\x29/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20042; reference:cve,2006-4566; classtype:attempted-user; sid:8443; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla javascript navigator object access"; flow:to_client,established; file_data; content:"window.navigator"; nocase; content:"="; within:2; content:"java."; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19181; reference:cve,2006-3677; reference:url,www.mozilla.org/security/announce/2006/mfsa2006-45.html; classtype:attempted-user; sid:8058; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt"; flow:to_server,established; file_data; content:"document.createEvent("; nocase; content:"MouseEvents"; within:15; content:".initMouseEvent("; within:50; nocase; content:"click"; within:10; content:"window"; within:20; content:".dispatchEvent("; within:60; nocase; metadata:service smtp; reference:cve,2005-0145; reference:url,www.mozilla.org/security/announce/mfsa2005-07.html; classtype:attempted-user; sid:34947; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt"; flow:to_client,established; file_data; content:"document.createEvent("; nocase; content:"MouseEvents"; within:15; content:".initMouseEvent("; within:50; nocase; content:"click"; within:10; content:"window"; within:20; content:".dispatchEvent("; within:60; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2005-0145; reference:url,www.mozilla.org/security/announce/mfsa2005-07.html; classtype:attempted-user; sid:34946; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt"; flow:to_client,established; file_data; content:"mozRTCPeerConnection|28 29|"; content:"createOffer|28|"; within:60; content:"window.open|28 28|function"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1510; reference:url,mozilla.org/security/announce/2014/mfsa2014-29.html; classtype:attempted-user; sid:35052; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt"; flow:to_client,established; file_data; content:"mozRTCPeerConnection|28 29|"; content:"createOffer|28|"; within:40; content:"window.open|28 27|chrome|3A|//browser/content/browser.xul"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1510; reference:url,mozilla.org/security/announce/2014/mfsa2014-29.html; classtype:attempted-user; sid:35051; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength initialize use after free attempt"; flow:to_server,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"initialize"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:35075; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength replaceItem use after free attempt"; flow:to_server,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"replaceItem"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:35074; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength insertItemBefore use after free attempt"; flow:to_server,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"insertItemBefore"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:35073; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength initialize use after free attempt"; flow:to_client,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"initialize"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:35072; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength replaceItem use after free attempt"; flow:to_client,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"replaceItem"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:35071; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength insertItemBefore use after free attempt"; flow:to_client,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"insertItemBefore"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:35070; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox InstallWrapper error handling code execution attempt"; flow:to_server,established; file_data; content:"InstallTrigger."; content:"__exposedProps__"; within:150; content:"defineProperty|3A|"; within:200; metadata:service smtp; reference:bugtraq,56119; reference:cve,2012-3993; classtype:attempted-user; sid:35461; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox InstallWrapper error handling code execution attempt"; flow:to_client,established; file_data; content:"InstallTrigger."; content:"__exposedProps__"; within:150; content:"defineProperty|3A|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,56119; reference:cve,2012-3993; classtype:attempted-user; sid:35460; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt"; flow:to_server,established; file_data; content:"String.fromCharCode"; nocase; content:"1024"; within:100; content:"1024"; within:100; content:"escape"; distance:0; nocase; metadata:service smtp; reference:bugtraq,14917; reference:cve,2005-2705; classtype:attempted-user; sid:35439; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt"; flow:to_client,established; content:"String.fromCharCode"; nocase; content:"1024"; within:100; content:"1024"; within:100; content:"escape"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14917; reference:cve,2005-2705; classtype:attempted-user; sid:35438; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox PDF.js same origin policy violation attempt"; flow:to_server,established; file_data; content:".location"; nocase; content:"data:application/x-moz-playpreview-pdfjs|3B|,"; within:200; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-4495; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2015-78/; classtype:policy-violation; sid:35676; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox PDF.js same origin policy violation attempt"; flow:to_client,established; file_data; content:".location"; nocase; content:"data:application/x-moz-playpreview-pdfjs|3B|,"; within:200; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-4495; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2015-78/; classtype:policy-violation; sid:35675; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript large regex memory corruption attempt"; flow:to_client,established; content:"Array("; content:".join("; within:100; content:"RegExp("; within:50; content:".exec("; within:20; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1737; classtype:attempted-user; sid:36789; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox location.hostname DOM modification bypass attempt"; flow:to_client, established; file_data; content:"location.hostname"; fast_pattern; nocase; content:"|00|"; within:200; pcre:"/location\x2ehostname\s+=\s+[^\x3b]*?[\x00]/i"; metadata:service http; reference:cve,2007-0981; classtype:attempted-user; sid:37453; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt"; flow:to_client,established; file_data; content:"window"; content:"mozRTC"; within:120; content:"PeerConnection"; within:400; content:"createOffer"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1510; reference:url,mozilla.org/security/announce/2014/mfsa2014-29.html; classtype:attempted-user; sid:37626; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox about field spoofing attempt"; flow:to_client,established; file_data; content:"about:"; fast_pattern; nocase; content:"?"; within:15; content:"<"; within:100; content:"location"; nocase; pcre:"/\babout:[a-z]+?\?[^\n]+?\</i"; metadata:ruleset community, service http; reference:cve,2016-5268; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1253673; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-83/; classtype:attempted-user; sid:40015; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElement"; nocase; content:"type = |22|"; within:70; nocase; byte_extract:4,0,changed_var,relative; content:".blur()"; within:50; content:"input"; within:200; nocase; content:"type=|22|"; within:20; nocase; byte_test:4,!=,changed_var,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32281; reference:cve,2008-5021; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-55.html; classtype:attempted-user; sid:40280; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox CSP report-uri arbitrary file write attempt"; flow:to_client,established; content:"Content-Security-Policy|3A|"; nocase; http_header; content:"report-uri"; distance:0; nocase; http_header; pcre:"/report-uri\s+(file|resource|chrome)\x3a\x2f\x2f/Hi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-1954; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-17; classtype:attempted-user; sid:40363; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox ESR NotifyTimeChange use after free attempt"; flow:to_client,established; file_data; content:".createElementNS"; content:"svg"; within:10; content:".setAttribute"; content:"begin"; within:15; content:".setAttribute"; distance:0; content:"end"; within:10; content:".end"; within:20; content:".setAttribute"; distance:0; content:"end"; within:10; content:".end"; within:20; content:".pauseAnimations"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-9079; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-92/; classtype:attempted-user; sid:40888; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox ESR NotifyTimeChange use after free attempt"; flow:to_client,established; file_data; content:".pauseAnimations"; fast_pattern:only; content:"svg"; nocase; content:"animate"; nocase; content:"begin"; within:50; nocase; content:"end"; within:50; nocase; content:".end"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-9079; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-92/; classtype:attempted-user; sid:40896; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt"; flow:to_client,established; file_data; content:"SharedWorker|28|"; fast_pattern; content:".port"; within:400; nocase; content:".close|28|"; within:120; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,68818; reference:cve,2014-1548; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2014-56; classtype:attempted-user; sid:43779; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeContentView double-free memory corruption attempt"; flow:to_client,established; file_data; content:"<treechildren"; fast_pattern:only; nocase; content:"optgroup"; nocase; content:"option"; within:60; nocase; content:"document.getElementById"; within:300; content:".parentNode.removeChild"; within:300; nocase; content:"null"; within:75; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,39128; reference:cve,2010-0176; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2010-18.html; classtype:attempted-user; sid:43778; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox floating layer denial of service attempt"; flow:to_server,established; file_data; content:"column-count"; nocase; content:".toppadded"; within:50; nocase; content:".floatbox"; within:50; nocase; content:"column-count"; within:50; nocase; content:"document.createTextNode("; within:250; metadata:service smtp; reference:cve,2007-0755; classtype:attempted-admin; sid:43768; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox floating layer denial of service attempt"; flow:to_client,established; file_data; content:"column-count"; nocase; content:".toppadded"; within:50; nocase; content:".floatbox"; within:50; nocase; content:"document.createTextNode("; within:250; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0755; classtype:attempted-admin; sid:43767; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt"; flow:to_server,established; file_data; content:".getAnonymousNodes("; content:".childNodes"; within:100; content:".menu"; nocase; content:"null"; within:10; nocase; metadata:service smtp; reference:cve,2007-0755; classtype:attempted-admin; sid:43766; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt"; flow:to_client,established; file_data; content:".getAnonymousNodes("; content:".childNodes"; within:100; content:".menu"; nocase; content:"null"; within:10; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0755; classtype:attempted-admin; sid:43765; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt"; flow:to_server,established; file_data; content:"<tree"; nocase; content:"<treechildren"; within:50; nocase; content:"<richlistbox"; within:50; nocase; content:".parentNode.removeChild("; metadata:service smtp; reference:cve,2007-0755; classtype:attempted-admin; sid:43764; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt"; flow:to_client,established; file_data; content:"<tree"; nocase; content:"<treechildren"; within:50; fast_pattern; nocase; content:"<richlistbox"; within:50; nocase; content:".parentNode.removeChild("; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0755; classtype:attempted-admin; sid:43763; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox wyciwgy domain forgery attempt"; flow:to_client,established; content:"Location|3A| wyciwyg|3A|//"; fast_pattern:only; http_header; metadata:service http; reference:cve,2007-3656; classtype:attempted-admin; sid:43761; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox BOM character cross site scripting attempt"; flow:to_server,established; file_data; content:"charset=utf-8"; nocase; content:"<script"; nocase; content:"|EF BB BF|"; within:25; fast_pattern; metadata:service smtp; reference:cve,2008-4065; classtype:attempted-admin; sid:43749; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox BOM character cross site scripting attempt"; flow:to_client,established; file_data; content:"charset=utf-8"; nocase; content:"<script"; nocase; content:"|EF BB BF|"; within:25; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2008-4065; classtype:attempted-admin; sid:43748; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox frame element memory corruption attempt"; flow:to_server,established; file_data; content:"window.frameElement"; content:"removeChild"; within:50; content:"window.frameElement"; within:50; content:"window.frameElement"; distance:0; content:"removeChild"; within:50; content:"window.frameElement"; within:50; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43747; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox frame element memory corruption attempt"; flow:to_client,established; file_data; content:"window.frameElement"; content:"removeChild"; within:50; content:"window.frameElement"; within:50; content:"window.frameElement"; distance:0; content:"removeChild"; within:50; content:"window.frameElement"; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43746; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox style display inherit memory corruption attempt"; flow:to_server,established; file_data; content:".style.display"; content:"inherit"; within:15; content:"insertBefore("; content:"createElementNS("; content:".appendChild("; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43745; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox style display inherit memory corruption attempt"; flow:to_client,established; file_data; content:".style.display"; content:"inherit"; within:15; content:"insertBefore("; content:"createElementNS("; content:".appendChild("; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43744; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox lookup property memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagName("; content:".__proto__"; content:"null"; within:10; content:"dump("; within:50; fast_pattern; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43743; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox lookup property memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName("; content:".__proto__"; content:"null"; within:10; content:"dump("; within:50; fast_pattern; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43742; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox frameset memory corruption attempt "; flow:to_server,established; file_data; content:"<frameset"; content:"cols="; within:50; content:"onload="; within:25; content:"<frame"; within:50; content:"<frame"; within:50; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43741; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox frameset memory corruption attempt"; flow:to_client,established; file_data; content:"<frameset"; content:"cols="; within:50; content:"onload="; within:25; content:"<frame"; within:50; content:"<frame"; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43740; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox SVGZoom memory corruption attempt"; flow:to_server,established; file_data; content:"data:image/svg+xml|3B|charset=utf-8"; content:"SVGZoom"; fast_pattern:only; content:"documentElement.currentScale"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43739; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SVGZoom memory corruption attempt"; flow:to_client,established; file_data; content:"data:image/svg+xml|3B|charset=utf-8"; content:"SVGZoom"; fast_pattern:only; content:"documentElement.currentScale"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43738; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox XUL commandDispatcher memory corruption attempt"; flow:to_server,established; content:"Content-Type: application/vnd.mozilla.xul+xml"; file_data; content:"document.createElementNS("; content:".commandDispatcher.addCommandUpdater("; fast_pattern:only; content:".commandDispatcher.updateCommands("; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43737; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox XUL commandDispatcher memory corruption attempt"; flow:to_client,established; content:"Content-Type: application/vnd.mozilla.xul+xml"; file_data; content:"document.createElementNS("; content:".commandDispatcher.addCommandUpdater("; fast_pattern:only; content:".commandDispatcher.updateCommands("; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43736; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox SVG pathSegList memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElementById("; content:"path"; within:10; content:".pathSegList.getItem("; fast_pattern; content:"-"; within:5; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43735; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript contentWindow in an iframe exploit attempt"; flow:to_server,established; file_data; content:"contentWindow.document"; content:".designMode"; within:100; fast_pattern; content:"on"; within:10; nocase; content:".contentWindow"; distance:0; content:".focus"; within:50; content:"<iframe"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,17671; reference:cve,2006-1993; classtype:attempted-user; sid:43706; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt"; flow:to_server,established; file_data; content:"&#xdc"; fast_pattern:only; content:"&#xdc"; content:"&#xdc"; distance:0; content:"&#xdc"; distance:0; metadata:service smtp; reference:bugtraq,31346; reference:cve,2008-4066; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-admin; sid:43673; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt"; flow:to_client,established; file_data; content:"&#xdc"; fast_pattern:only; content:"&#xdc"; content:"&#xdc"; distance:0; content:"&#xdc"; distance:0; metadata:service http; reference:bugtraq,31346; reference:cve,2008-4066; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-admin; sid:43672; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox large window null pointer dereference attempt"; flow:to_server,established; file_data; content:"window.open("; nocase; content:"toolbar=yes"; within:100; nocase; content:"width="; within:100; nocase; content:"height="; within:150; distance:-100; nocase; pcre:"/window\x2eopen\x28[^\x29]*?toolbar=yes[^)]*?width=[\d]{9}[^)]*?height=[\d]{9}/i"; metadata:service smtp; reference:url,securityfocus.com/bid/67501; classtype:attempted-admin; sid:43652; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox large window null pointer dereference attempt"; flow:to_client,established; file_data; content:"window.open("; nocase; content:"toolbar=yes"; within:100; nocase; content:"width="; within:100; nocase; content:"height="; within:150; distance:-100; nocase; pcre:"/window\x2eopen\x28[^\x29]*?toolbar=yes[^)]*?width=[\d]{9}[^)]*?height=[\d]{9}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,securityfocus.com/bid/67501; classtype:attempted-admin; sid:43651; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox display moz-deck style memory corruption attempt"; flow:to_client,established; file_data; content:"-moz-deck"; fast_pattern:only; metadata:service http; reference:cve,2007-3734; classtype:attempted-user; sid:43644; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox design mode deleted style memory corruption attempt"; flow:to_client,established; file_data; content:"designMode"; fast_pattern; content:"on"; within:10; content:"removeAttribute"; content:"style"; within:10; metadata:service http; reference:cve,2007-3734; classtype:attempted-user; sid:43643; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox multiple vulnerabilities memory corruption attempt"; flow:to_client,established; file_data; content:".style.display"; content:"-moz-grid"; within:25; fast_pattern; nocase; metadata:service http; reference:cve,2006-1738; reference:cve,2007-3734; classtype:attempted-user; sid:43642; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox XUL tree element code execution attempt"; flow:to_server,established; file_data; content:"timedSelect"; fast_pattern:only; content:"view"; content:"selection"; within:25; content:"=null"; within:15; content:"parentNode"; content:"removeChild"; within:25; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,34181; reference:cve,2009-1044; classtype:attempted-user; sid:43367; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox domFuzzLite3 table use after free attempt"; flow:to_server,established; file_data; content:"fuzzPriv"; content:"forceGC"; within:25; content:"document.createElement("; content:"table"; within:15; metadata:service smtp; reference:cve,2017-5404; classtype:attempted-admin; sid:43347; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox domFuzzLite3 table use after free attempt"; flow:to_client,established; file_data; content:"fuzzPriv"; content:"forceGC"; within:25; content:"document.createElement("; content:"table"; within:15; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-5404; classtype:attempted-admin; sid:43346; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt"; flow:to_server,established; file_data; content:"<q style=|22|position:relative|3B 22|>"; nocase; content:"<q style=|22|position:relative|3B 22|>"; within:75; nocase; content:".style.position=|27|static|27 3B|"; within:250; nocase; metadata:service smtp; reference:bugtraq,16476; reference:cve,2006-0294; classtype:attempted-user; sid:43960; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt"; flow:to_server,established; file_data; content:"<EMBED"; nocase; content:"PLUGINSPAGE"; distance:0; nocase; pcre:"/<EMBED[^\x3E]*?PLUGINSPAGE\s*=[\x22\x27][^\x3E]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/smi"; metadata:service smtp; reference:bugtraq,13228; reference:cve,2005-0752; classtype:attempted-user; sid:43954; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt"; flow:to_server,established; file_data; content:".__lookupGetter__|3B|"; fast_pattern:only; metadata:service smtp; reference:cve,2010-3183; classtype:attempted-admin; sid:44010; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt"; flow:to_client,established; file_data; content:".__lookupGetter__|3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-3183; classtype:attempted-admin; sid:44009; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox memory corruption attempt"; flow:to_server,established; file_data; content:"void 0x10000"; content:"void"; within:50; content:"export undefined"; within:75; content:"void 125"; within:50; content:"eval("; within:25; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-0777; classtype:attempted-admin; sid:44049; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox memory corruption attempt"; flow:to_client,established; file_data; content:"void 0x10000"; content:"void"; within:50; content:"export undefined"; within:75; content:"void 125"; within:50; content:"eval("; within:25; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0777; classtype:attempted-admin; sid:44048; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox memory corruption attempt"; flow:to_server,established; file_data; content:"Script("; content:".compile("; within:100; content:".join(Array("; within:100; content:".join(Array("; within:25; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-0777; classtype:attempted-admin; sid:44047; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox memory corruption attempt"; flow:to_client,established; file_data; content:"Script("; content:".compile("; within:100; content:".join(Array("; within:100; content:".join(Array("; within:25; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0777; classtype:attempted-admin; sid:44046; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox invalid watchpoint memory corruption attempt"; flow:to_server,established; file_data; content:".watch("; content:".unwatch("; within:50; content:".unwatch("; within:50; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-0777; classtype:attempted-admin; sid:44045; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox invalid watchpoint memory corruption attempt"; flow:to_client,established; file_data; content:".watch("; content:".unwatch("; within:50; content:".unwatch("; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0777; classtype:attempted-admin; sid:44044; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla browsers JavaScript argument passing code execution attempt"; flow:to_server,established; file_data; content:"arguments="; content:"for (|3B 3B|) { arguments()|3B|"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,22694; reference:cve,2007-0777; classtype:attempted-user; sid:44043; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt"; flow:to_server,established; file_data; content:"<a xmlns:v=|5C|"; content:"XML("; content:".toXMLString()"; within:50; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0297; classtype:attempted-admin; sid:44147; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt"; flow:to_client,established; file_data; content:"<a xmlns:v=|5C|"; content:"XML("; content:".toXMLString()"; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0297; classtype:attempted-admin; sid:44146; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client,established; file_data; content:"|3A|first-letter { float|3A| "; fast_pattern:only; content:"|5B 22|setAttribute|22 5D 28|'style', 'display|3A| table-cell'"; content:"|5B 22|style|22 5D 5B 22|display|22 5D|= 'none'"; within:62; metadata:service http; reference:bugtraq,36866; reference:cve,2009-3382; reference:url,mozilla.org/en-US/security/advisories/mfsa2009-64/; classtype:attempted-user; sid:44978; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"-moz-border-radius-"; content:"|3A|"; within:20; byte_test:10,>,10000,0,relative,string; metadata:service http; reference:cve,2006-1739; classtype:attempted-user; sid:44991; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla SSL certificate spoofing attempt"; flow:to_client,established; file_data; content:"<meta http-equiv=|22|refresh|22| content=|22|1|3B|"; fast_pattern:only; content:"document.write"; nocase; content:"document.close("; within:200; nocase; content:"window.location.reload("; within:200; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2004-0763; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=253121; classtype:misc-attack; sid:45127; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_server,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"Array("; nocase; byte_test:10,>,0x3FFFFFFE,0,relative,string,dec; metadata:policy max-detect-ips drop, service smtp; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45184; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_client,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"Array("; nocase; byte_test:10,>,0x3FFFFFFE,0,relative,string,dec; metadata:policy max-detect-ips drop, service http; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45183; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_server,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"var"; content:"="; within:30; byte_test:10,>,0x3FFFFFFE,0,relative,string,dec; metadata:policy max-detect-ips drop, service smtp; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45182; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_client,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"var"; content:"="; within:30; byte_test:10,>,0x3FFFFFFE,0,relative,string,dec; metadata:policy max-detect-ips drop, service http; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45181; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_server,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"Array("; nocase; byte_test:10,>,0x3FFFFFFE,0,relative,string,hex; metadata:policy max-detect-ips drop, service smtp; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45180; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_server,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"var"; content:"="; within:30; byte_test:10,>,0x3FFFFFFE,0,relative,string,hex; metadata:policy max-detect-ips drop, service smtp; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45179; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_client,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"Array("; nocase; byte_test:10,>,0x3FFFFFFE,0,relative,string,hex; metadata:policy max-detect-ips drop, service http; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45178; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_client,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"var"; content:"="; within:30; byte_test:10,>,0x3FFFFFFE,0,relative,string,hex; metadata:policy max-detect-ips drop, service http; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45177; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeContentView double-free memory corruption attempt"; flow:to_server,established; file_data; content:"<treechildren"; fast_pattern:only; nocase; content:"optgroup"; nocase; content:"option"; within:60; nocase; content:"document.getElementById"; within:300; content:".parentNode.removeChild"; within:300; nocase; content:"null"; within:75; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,39128; reference:cve,2010-0176; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2010-18.html; classtype:attempted-user; sid:45176; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla download directory file deletion attempt"; flow:to_server,established; file_data; content:"<a href=|22|data:application/octet-stream,hello|22|>"; fast_pattern:only; metadata:service smtp; reference:cve,2004-2225; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=259708; classtype:attempted-user; sid:45174; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla download directory file deletion attempt"; flow:to_client,established; file_data; content:"<a href=|22|data:application/octet-stream,hello|22|>"; fast_pattern:only; metadata:service http; reference:cve,2004-2225; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=259708; classtype:attempted-user; sid:45173; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox buffer overflow attempt"; flow:to_server,established; file_data; content:"<a href=|22|http://|E0 90 B6 E0 90 BC E0 90 B8 2D E0 91 81 E0 91 8E E0 90 B4 E0 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2004-0902; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=256316; classtype:attempted-user; sid:45172; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox buffer overflow attempt"; flow:to_client,established; file_data; content:"<a href=|22|http://|E0 90 B6 E0 90 BC E0 90 B8 2D E0 91 81 E0 91 8E E0 90 B4 E0 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2004-0902; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=256316; classtype:attempted-user; sid:45171; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Multiple browser pressure function denial of service attempt"; flow:to_client, established; file_data; content:"tab_var[tab_var.length]"; content:"new ArrayBuffer(0x"; within:25; content:"000"; within:3; distance:1; content:"onload"; within:100; metadata:service http; reference:cve,2014-1512; classtype:denial-of-service; sid:45206; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox DOM event handler privilege escalation attempt"; flow:to_server,established; file_data; content:".handleEvent"; content:"Components.lookupMethod"; fast_pattern:only; content:".addEventListener"; content:".addEventListener"; within:300; content:"about:blank"; metadata:service smtp; reference:cve,2007-3737; classtype:attempted-admin; sid:45247; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox DOM event handler privilege escalation attempt"; flow:to_client,established; file_data; content:".handleEvent"; content:"Components.lookupMethod"; fast_pattern:only; content:".addEventListener"; content:".addEventListener"; within:300; content:"about:blank"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-3737; classtype:attempted-admin; sid:45246; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox HTTP index format out of bounds read attempt"; flow:to_client,established; content:"application/http-index-format"; fast_pattern:only; http_header; file_data; content:"200:"; content:"201:"; distance:0; pcre:"/201:[^\n]*?[\x22\x27][^\x22\x27]*?[\n]/s"; metadata:service http; reference:cve,2017-5444; classtype:attempted-admin; sid:45476; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript Function focus overflow attempt"; flow:to_server,established; file_data; content:"window"; nocase; content:"document.designMode"; within:150; fast_pattern; content:"on"; within:10; nocase; content:"window"; nocase; content:"open"; within:15; nocase; content:"window"; within:75; nocase; content:"window"; within:75; nocase; content:"<iframe"; metadata:service smtp; reference:bugtraq,17671; reference:cve,2006-1993; classtype:attempted-user; sid:45576; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox nsHTMLDocument SetBody use-after-free attempt"; flow:to_server,established; file_data; content:"addEventListener(|22|DOM"; fast_pattern; nocase; content:"parentNode.removeChild"; within:500; nocase; content:"documentElement"; within:500; nocase; pcre:"/(?P<root>\w+)\.parentNode\.removeChild\(\s*(?P=root)\s*\).*?var\s*(?P=root)\s*=\s*\w+\.documentElement/si"; metadata:service smtp; reference:cve,2016-1961; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1342258; classtype:attempted-admin; sid:46781; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox nsHTMLDocument SetBody use-after-free attempt"; flow:to_client,established; file_data; content:"addEventListener(|22|DOM"; fast_pattern; nocase; content:"parentNode.removeChild"; within:500; nocase; content:"documentElement"; within:500; nocase; pcre:"/(?P<root>\w+)\.parentNode\.removeChild\(\s*(?P=root)\s*\).*?var\s*(?P=root)\s*=\s*\w+\.documentElement/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-1961; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1342258; classtype:attempted-admin; sid:46767; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "BROWSER-FIREFOX Mozilla Firefox nsHTMLDocument SetBody use-after-free attempt"; flow:to_server,established; file_data; content:"documentElement"; nocase; content:"addEventListener(|22|DOM"; fast_pattern; nocase; within:500; content:"parentNode.removeChild"; within:500; nocase; pcre:"/var\s*(?P<root>\w+)\s*=\s*\w+\.documentElement.*?(?P=root)\.parentNode\.removeChild\(\s*(?P=root)\s*\)/si"; metadata:service smtp; reference: cve,2016-1961; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1342258; classtype:attempted-admin; sid:46766; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox nsHTMLDocument SetBody use-after-free attempt"; flow:to_client,established; file_data; content:"documentElement"; nocase; content:"addEventListener(|22|DOM"; fast_pattern; nocase; within:500; content:"parentNode.removeChild"; within: 500; nocase; pcre:"/var\s*(?P<root>\w+)\s*=\s*\w+\.documentElement.*?(?P=root)\.parentNode\.removeChild\(\s*(?P=root)\s*\)/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-1961; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1342258; classtype:attempted-admin; sid:46765; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt"; flow:to_client,established; file_data; content:"foo.replace|28|foo, foo|29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36343; reference:cve,2009-3075; classtype:attempted-user; sid:46913; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt"; flow:to_client,established; file_data; content:"str.replace|28|str, str|29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36343; reference:cve,2009-3075; classtype:attempted-user; sid:46912; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt"; flow:to_server,established; file_data; content:"ContentFrameMessageManager"; content:"sendAsyncMessage("; distance:0; content:"Prompt:Open"; within:15; metadata:service smtp; classtype:attempted-user; sid:48225; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt"; flow:to_client,established; file_data; content:"ContentFrameMessageManager"; content:"sendAsyncMessage("; distance:0; content:"Prompt:Open"; within:15; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48224; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt"; flow:to_server,established; file_data; content:"objs[i] = {x: 'asd', p1: {}, p2: {}, p3: {}, p4: x, p5: x, p6: {}}|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12386; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2018-24/#CVE-2018-12386; classtype:attempted-user; sid:48565; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt"; flow:to_client,established; file_data; content:"objs[i] = {x: 'asd', p1: {}, p2: {}, p3: {}, p4: x, p5: x, p6: {}}|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12386; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2018-24/#CVE-2018-12386; classtype:attempted-user; sid:48564; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt"; flow:to_server,established; file_data; content:"Array.prototype.push.call(a,"; fast_pattern:only; content:"new Uint32Array(convert)"; content:"new Float64Array(convert)"; within:45; content:"offsets.forEach((offset)"; within:65; distance:1310; content:"document.body.appendChild(el)"; within:75; distance:440; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12387; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-12387; classtype:attempted-user; sid:48626; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt"; flow:to_client,established; file_data; content:"Array.prototype.push.call(a,"; fast_pattern:only; content:"new Uint32Array(convert)"; content:"new Float64Array(convert)"; within:45; content:"offsets.forEach((offset)"; within:70; distance:960; content:"document.body.appendChild(el)"; within:75; distance:320; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12387; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-12387; classtype:attempted-user; sid:48625; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt"; flow:to_server,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"appendItem"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:49918; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt"; flow:to_client,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"appendItem"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:49917; rev:1;)