# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------
# BROWSER-IE RULES
#------------------
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; content:".bat."; fast_pattern:only; http_uri; content:"MSIE "; http_header; pcre:"/^User-Agent:[^\n]*?MSIE\s[56]/Hmi"; metadata:service http; reference:bugtraq,11768; classtype:bad-unknown; sid:26937; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; content:".html."; fast_pattern:only; http_uri; content:"MSIE "; http_header; pcre:"/^User-Agent:[^\n]*?MSIE\s[56]/Hmi"; metadata:service http; reference:bugtraq,11768; classtype:bad-unknown; sid:26936; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; content:".exe."; fast_pattern:only; http_uri; content:"MSIE "; http_header; content:!".lz"; http_uri; pcre:"/^User-Agent:[^\n]*?MSIE\s[56]/Hmi"; metadata:service http; reference:bugtraq,11768; classtype:bad-unknown; sid:26935; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDocument use after free attempt"; flow:to_client,established; file_data; content:"CollectGarbage()"; fast_pattern:only; content:".createElement"; nocase; content:".createElement"; within:150; nocase; content:".createAttribute"; nocase; content:".setAttributeNode"; within:200; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26890; rev:2;)
# NOTE(review): SMTP variant of sid 26888. Its two chained matches omit the trailing "(" that
# the to_client sibling uses (".document.body.appendChild(" / ".replaceAll("), so this copy is
# marginally looser; the fast_pattern and the pcre on the 12+ digit margin value are identical.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_server,established; file_data; content:"jquery"; fast_pattern:only; content:"document.createElement"; nocase; content:".document.body.appendChild"; within:100; nocase; content:".replaceAll"; within:150; nocase; pcre:"/css\s*?\x28\s*?[\x22\x27]margin[^\x29]*?[\x22\x27]\s*?\x2c\s*?[\x22\x27]\d{12,}\s*?px/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26889; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"jquery"; fast_pattern:only; content:"document.createElement"; nocase; content:".document.body.appendChild("; within:100; nocase; content:".replaceAll("; within:150; nocase; pcre:"/css\s*?\x28\s*?[\x22\x27]margin[^\x29]*?[\x22\x27]\s*?\x2c\s*?[\x22\x27]\d{12,}\s*?px/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26888; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_server,established; file_data; content:"<body onload"; nocase; content:"onscroll="; within:50; fast_pattern; content:"location.reload("; pcre:"/<script\s*>((?!<\/script>).)*?function (?P<onload>\w+).*?\{[^}]*?location\.reload\(.*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26887; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_server,established; file_data; content:"<body onload"; nocase; content:"onscroll="; within:50; fast_pattern; content:"history.go(0)"; pcre:"/<script\s*>((?!<\/script>).)*?function (?P<onload>\w+).*?\{[^}]*?history\.go\(\s*0\s*\).*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26886; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_server,established; file_data; content:"<body onload"; nocase; content:"onscroll="; within:50; fast_pattern; content:"<meta"; content:"http-equiv=|22|refresh|22|"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26885; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body onload"; nocase; content:"onscroll="; within:50; fast_pattern; content:"location.reload("; pcre:"/<script\s*>((?!<\/script>).)*?function (?P<onload>\w+).*?\{[^}]*?location\.reload\(.*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26884; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body onload"; nocase; content:"onscroll="; within:50; fast_pattern; content:"history.go(0)"; pcre:"/<script\s*>((?!<\/script>).)*?function (?P<onload>\w+).*?\{[^}]*?history\.go\(\s*0\s*\).*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26883; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body onload"; nocase; content:"onscroll="; within:50; fast_pattern; content:"<meta"; content:"http-equiv=|22|refresh|22|"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26882; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 tree element use after free attempt"; flow:to_client,established; file_data; content:"document.getElementById"; nocase; content:"appendChild"; within:50; nocase; content:"ClientRects"; within:50; fast_pattern; nocase; content:"p id"; distance:0; content:"p id"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-3110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26878; rev:2;)
# NOTE(review): the fast pattern hard-codes the argument name in "applyElement(a)" (and the
# [0] index in both getElementsByTagName calls), so a PoC that merely renames that variable
# does not hit this rule; CVE-2013-3116 coverage here is effectively tied to one sample.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 cached display node use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|input|22|)[0].focus()"; content:"document.getElementsByTagName(|22|input|22|)[0].applyElement(a)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3116; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26876; rev:2;)
# NOTE(review): the fast pattern is the literal call "div1.removeEventListener( 'DOMNodeRemoved', callback, true )"
# including element id, callback name and spacing -- renaming either identifier evades the rule.
# (msg has a typo, "CTreeNodeobject"; left untouched here because the msg string is rule output.)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"div1.removeEventListener( |27|DOMNodeRemoved|27|, callback, true )"; fast_pattern:only; content:"addEventListener"; content:"DOMNodeRemoved"; within:40; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26875; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagName(|22|link|22|)[0].href"; fast_pattern:only; content:"document.createStyleSheet"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26874; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|link|22|)[0].href"; fast_pattern:only; content:"document.createStyleSheet"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26873; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"www.w3.org"; nocase; content:"document.getElementsByTagNameNS("; within:100; nocase; content:"removeAttributeNS("; within:100; nocase; content:"null"; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26872; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"www.w3.org"; nocase; content:"document.getElementsByTagNameNS("; within:100; nocase; content:"removeAttributeNS("; within:100; nocase; content:"null"; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26871; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagNameNS("; nocase; content:"www.w3.org"; within:50; nocase; content:"removeAttributeNS("; nocase; content:"null"; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26870; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagNameNS("; nocase; content:"www.w3.org"; within:50; nocase; content:"removeAttributeNS("; nocase; content:"null"; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26869; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; flow:to_server,established; file_data; content:"document.body.appendChild(document.createElement('select'))"; fast_pattern:only; content:"document.getElementsByTagName('select')"; nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26868; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; flow:to_client,established; file_data; content:"document.body.appendChild(document.createElement('select'))"; fast_pattern:only; content:"document.getElementsByTagName('select')"; nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26867; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_server,established; file_data; content:"execCommand('delete',"; fast_pattern:only; content:".addRange("; content:".addRange("; within:1024; content:".addRange("; within:1024; content:".addRange("; within:1024; content:".addRange("; within:1024; content:".createRange()"; content:".createRange()"; within:1024; content:".createRange()"; within:1024; content:".createRange()"; within:1024; content:".createRange()"; within:1024; metadata:service smtp; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26853; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_client,established; file_data; content:"execCommand('delete',"; fast_pattern:only; content:".addRange("; content:".addRange("; within:1024; content:".addRange("; within:1024; content:".addRange("; within:1024; content:".addRange("; within:1024; content:".createRange()"; content:".createRange()"; within:1024; content:".createRange()"; within:1024; content:".createRange()"; within:1024; content:".createRange()"; within:1024; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26852; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 5 compatibility mode use after free attempt"; flow:to_client,established; file_data; content:"document.getElementById"; content:".runtimeStyle.setExpression"; within:100; content:"width"; within:20; nocase; metadata:policy security-ips drop, service http; reference:cve,2013-3121; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26851; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt"; flow:established,to_client; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blogs.msdn.com/b/askie/archive/2009/03/23/understanding-compatibility-modes-in-internet-explorer-8.aspx; classtype:policy-violation; sid:26850; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer superscript use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand"; nocase; content:"selectall"; within:20; nocase; content:"setTimeout"; nocase; content:"Node("; within:170; nocase; content:"document."; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3111; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26849; rev:4;)
# NOTE(review): all three content matches are verbatim PoC lines (the loop over
# "param.childNodes" and the pasteHTML('<td>2<nobr>') / pasteHTML('<td>3') pair), so anything
# other than a near-copy of that sample evades; treat this as sample-specific coverage.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 10 use after free attempt"; flow:to_client,established; file_data; content:"for (var i = 0|3B| i < param.childNodes.length|3B| i++)"; content:"document.selection.createRange().pasteHTML('<td>2<nobr>')"; fast_pattern:only; content:"document.selection.createRange().pasteHTML('<td>3')"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3125; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26847; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt"; flow:to_server,established; file_data; content:"window.open"; nocase; content:".eval"; distance:0; content:"document.designMode"; distance:0; nocase; content:"on"; distance:0; nocase; content:"window.getSelection"; distance:0; nocase; content:"document.designMode"; distance:0; nocase; content:"off"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26846; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt"; flow:to_client,established; file_data; content:"window.open"; nocase; content:".eval"; distance:0; content:"document.designMode"; distance:0; fast_pattern; nocase; content:"on"; distance:0; nocase; content:"window.getSelection"; distance:0; nocase; content:"document.designMode"; distance:0; nocase; content:"off"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26845; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 layout engine memory corruption attempt"; flow:to_client,established; file_data; content:"}catch|28|"; content:"|29|{}try{"; within:10; content:"obj,obj,obj,obj,obj"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-3122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26844; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 array element property use after free attempt"; flow:to_client,established; file_data; content:"new Array"; content:".push|28|"; distance:0; content:".appendChild|28|"; content:"onpropertychange"; content:"applyElement"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-3112; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26843; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_server,established; file_data; content:"<input type=|22|text|22| style=|22|zoom:10|22|/>"; fast_pattern:only; content:"<body onload=|22|history.go(0)|22|>"; content:"<img style=|22|float:right|22|/>"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26754; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<input type=|22|text|22| style=|22|zoom:10|22|/>"; fast_pattern:only; content:"<body onload=|22|history.go(0)|22|>"; content:"<img style=|22|float:right|22|/>"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26753; rev:2;)
# NOTE(review): the only enabled rule in this section with no "file_data;" buffer selector --
# its content matches run against the packet payload rather than the decoded file/HTTP body
# that every sibling (including its SMTP twin sid 26572) inspects. A gzip- or chunk-encoded
# response carrying the same script would likely not be seen by these patterns. Suggest adding
# "file_data;" directly after the flow: option, as the rest of the section does.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; content:"offsetParent"; fast_pattern; content:"null"; within:10; nocase; content:"createElement"; content:"datalist"; within:20; content:"createElement"; content:"table"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26668; rev:3;)
# NOTE(review): covers the same CVE-2013-1347 as sids 26668/26572 but lacks the MS13-038
# bulletin URL reference those two carry; add it for consistency. Matching also depends on
# the literal id="myanim" in the ANIMATECOLOR tag, so only close copies of that sample fire.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer ANIMATECOLOR SMIL access attempt"; flow:to_client,established; file_data; content:"<?IMPORT namespace=|22|t|22| implementation=|22|#default#time2|22|>"; fast_pattern:only; content:"<t:ANIMATECOLOR id=|22|myanim|22|/>"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1347; classtype:attempted-user; sid:26666; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt"; flow:to_server,established; file_data; content:"document.createElement("; nocase; content:".runtimeStyle"; within:100; fast_pattern; nocase; content:".border"; within:100; nocase; pcre:"/var\s+?(?P<var>[^\s]+?)\s*?=\s*?document\.createElement\(.*?(?P=var)\.runtimeStyle.*?\.border[^=\x3b]*?=\s*?[^\x3b]*?[\x22\x27](\d+?\s|\s+?\d)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1307; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26642; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement("; nocase; content:".runtimeStyle"; within:100; fast_pattern; nocase; content:".border"; within:100; nocase; pcre:"/var\s+?(?P<var>[^\s]+?)\s*?=\s*?document\.createElement\(.*?(?P=var)\.runtimeStyle.*?\.border[^=\x3b]*?=\s*?[^\x3b]*?[\x22\x27](\d+?\s|\s+?\d)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1307; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26641; rev:3;)
# NOTE(review): the pcre's trailing "(?!P=DV)" is a negative lookahead for the literal text
# "P=DV", not a back-reference to the captured group DV; the intended "second DigestValue
# differs from the first" test would be "(?!(?P=DV))". As written the assertion is almost
# always true, so the rule would fire on any signed XML that has an <xsl element after a
# CanonicalizationMethod, whether or not the digest was altered. Shipped disabled; fix the
# pattern before enabling. Also gated on flowbit file.xml, which is set outside this section.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value"; flow:to_server, established; flowbits:isset,file.xml; file_data; content:"<CanonicalizationMethod"; fast_pattern; content:"<xsl"; distance:0; pcre:"/[^>]*\x26lt\x3bCanonicalizationMethod[^>]*\x26lt\x3bDigestValue\x26gt\x3b(?P<DV>[^\x26]+).*[^\x2f]DigestValue>(?!P=DV)/smR"; metadata:service smtp; reference:cve,2013-1336; reference:url,attack.mitre.org/techniques/T1220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-040; classtype:misc-activity; sid:26640; rev:6;)
# NOTE(review): same pcre defect as the SMTP twin sid 26640 -- "(?!P=DV)" is a negative
# lookahead for the literal characters "P=DV", not a back-reference to group DV, so the
# "digest value was changed" check never actually compares the two values; "(?!(?P=DV))"
# is the form that does. Shipped disabled and depends on flowbit file.xml being set by
# rules outside this section; correct the pattern before turning it on.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value"; flow:to_client, established; flowbits:isset,file.xml; file_data; content:"<CanonicalizationMethod"; fast_pattern; content:"<xsl"; distance:0; pcre:"/[^>]*\x26lt\x3bCanonicalizationMethod[^>]*\x26lt\x3bDigestValue\x26gt\x3b(?P<DV>[^\x26]+).*[^\x2f]DigestValue>(?!P=DV)/smR"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1336; reference:url,attack.mitre.org/techniques/T1220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-040; classtype:misc-activity; sid:26639; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt"; flow:to_client,established; file_data; content:"#default#VML"; content:".dashstyle.array.length"; fast_pattern:only; pcre:"/\.dashstyle\.array\.length\s*?=[^\x3b]*?-\s*?\d/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58570; reference:cve,2013-2551; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26638; rev:6;)
# NOTE(review): "file_data;" appears twice; the second selection is a no-op and can be dropped.
# This copy pins fast_pattern on ".anchorNode.splitText(" while the to_client twin sid 26636
# leaves it unset -- Snort's default pick is the longest content, which is that same string,
# so behaviour should match; confirm with the rule-loader's fast-pattern debug output.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_server,established; file_data; file_data; content:".getSelection"; content:".anchorNode.splitText("; fast_pattern; content:".focusNode"; within:60; content:"CollectGarbage"; within:150; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26637; rev:5;)
# NOTE(review): "file_data;" appears twice; the second selection is a no-op. No fast_pattern
# is set here, unlike the SMTP twin sid 26637 which pins ".anchorNode.splitText(" -- the
# default longest-content choice should land on that same string, but pin it explicitly so
# the two variants cannot drift apart.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_client,established; file_data; file_data; content:".getSelection"; content:".anchorNode.splitText("; content:".focusNode"; within:60; content:"CollectGarbage"; within:150; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26636; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_server,established; file_data; content:"document.createElement|28|"; nocase; content:".innerHTML"; distance:0; nocase; content:"document.body.appendChild|28|"; distance:0; content:"document.styleSheets"; distance:0; nocase; content:"CollectGarbage()"; distance:0; nocase; content:"setTimeout|28|function"; distance:0; nocase; content:"onload=|27|setTimeout"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26635; rev:4;)
# NOTE(review): "depth:100" anchors the first content to the first 100 bytes of file_data, so
# a page whose first document.createElement( call sits past byte 100 (a doctype, <head> or
# comment block is enough) never matches; the SMTP twin sid 26635 has no such limit. Confirm
# the depth is intentional. The fast_pattern "onload=|27|setTimeout" is also single-quote
# specific -- onload="setTimeout" (double-quoted) does not hit this rule.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement|28|"; depth:100; nocase; content:".innerHTML"; distance:0; nocase; content:"document.body.appendChild|28|"; distance:0; content:"document.styleSheets"; distance:0; nocase; content:"CollectGarbage()"; distance:0; nocase; content:"setTimeout|28|function"; distance:0; nocase; content:"onload=|27|setTimeout"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26634; rev:5;)
# NOTE(review): low-confidence indicator -- onload="location.reload(" plus an <iframe is also
# a legitimate page pattern, and the metadata reflects that (balanced-ips alert rather than
# drop, classtype misc-activity). Keep that split unless the pcre is tightened further.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer html reload loop attempt"; flow:to_client,established; file_data; content:"onload"; content:"location.reload"; within:25; content:"|3C|iframe"; pcre:"/onload\s*\x3D\s*[\x22\x27]?location\.reload\s*\x28/smi"; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:bugtraq,59745; reference:cve,2013-1306; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-037; classtype:misc-activity; sid:26633; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_server,established; file_data; content:"<q class=|22|border float zoom|22| xml:space=|22|preserve|22|>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26631; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<q class=|22|border float zoom|22| xml:space=|22|preserve|22|>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26630; rev:2;)
# NOTE(review): classtype:attempted-admin is out of step with the rest of this section, where
# browser memory-corruption exploits (including the other MS13-037 rules) are classified
# attempted-user. Suggest attempted-user so priority and reporting match the siblings.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer setInterval focus use after free attempt"; flow:to_client,established; file_data; content:"setInterval"; content:".focus()"; within:100; content:"history.go(0)"; fast_pattern:only; pcre:"/setInterval\s*\x28[^\x29]+\x2efocus\x28\x29/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-1308; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-037; classtype:attempted-admin; sid:26629; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt"; flow:to_server,established; file_data; content:"language=vbs"; depth:200; content:"<script"; within:200; distance:-150; pcre:"/<script[^>]*src\s*=\s*[\x22\x27][^\x22\x27]*\.json[\x22\x27][^>]*language=vbs/i"; metadata:service smtp; reference:cve,2013-1297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-recon; sid:26625; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt"; flow:to_client,established; file_data; content:"language=vbs"; depth:200; content:"<script"; within:200; distance:-150; pcre:"/<script[^>]*src\s*=\s*[\x22\x27][^\x22\x27]*\.json[\x22\x27][^>]*language=vbs/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-recon; sid:26624; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//"; fast_pattern; nocase; content:"/proxy"; within:100; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26623; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//"; fast_pattern; nocase; content:"/perflog"; within:100; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26622; rev:3;)
|
|
# CVE-2013-1347 (MS13-038), null object access via offsetParent. All three rules require
# "offsetParent" followed by "null" within 10 bytes, then createElement of "datalist" and of
# "table" (each within 20 bytes of its createElement). 26572 additionally base64-decodes up to
# 10000 bytes starting 2 bytes after "Base64.decode" (presumably skipping the opening "(" and
# quote -- confirm against the sample) and runs the same matches on the decoded buffer; an
# encoded payload larger than that cap is only partially inspected. 26571 is the plain-text
# SMTP variant, 26569 the to_client variant over file_data.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_server,established; file_data; content:"Base64.decode"; base64_decode:bytes 10000,offset 2, relative; base64_data; content:"offsetParent"; fast_pattern; content:"null"; within:10; nocase; content:"createElement"; content:"datalist"; within:20; content:"createElement"; content:"table"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26572; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_server,established; file_data; content:"offsetParent"; fast_pattern; content:"null"; within:10; nocase; content:"createElement"; content:"datalist"; within:20; content:"createElement"; content:"table"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26571; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; file_data; content:"offsetParent"; fast_pattern; content:"null"; within:10; nocase; content:"createElement"; content:"datalist"; within:20; content:"createElement"; content:"table"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26569; rev:4;)
|
|
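# CVE-2013-0092 (MS13-021), IE9 onbeforeprint use-after-free, SMTP variant of sid 26419.
# Matches only the single-quoted literals setTimeout('window.print() and
# onbeforeprint='document.write (the latter is the fast pattern). rev 3: added file_data so the
# matches run against the decoded MIME body, as in the to_client sibling 26419 and every other
# $SMTP_SERVERS rule in this file; without it only mail carrying the literals unencoded in the
# raw SMTP stream could fire.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt"; flow:to_server,established; file_data; content:"setTimeout('window.print()"; content:"onbeforeprint='document.write"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26420; rev:3;)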
|
|
# CVE-2013-0092 (MS13-021), to_client counterpart of sid 26420 over file_data. Fires only on the
# single-quoted literal forms setTimeout('window.print() and onbeforeprint='document.write;
# double-quoted or differently spaced variants may still be caught by the broader pcre-based
# rules 26158/26157 below, but not by this one.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt"; flow:to_client,established; file_data; content:"setTimeout('window.print()"; content:"onbeforeprint='document.write"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26419; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer expression clause in style tag cross site scripting attempt"; flow:to_client,established; file_data; content:"style"; content:"expression"; within:256; pcre:"/<\s*style[^>]*?(?=.{20,512}<\s*\/\s*style\s*>).{0,500}\{\s*\;\s*\w+\s*=\s*expression\s*\x28/ims"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1289; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-032; classtype:web-application-attack; sid:26354; rev:5;)
|
|
# CVE-2013-0027 (MS13-009), CHTMLEditor use-after-free: one rule per
# queryCommand{Value,Indeterm,Enabled,State} x {cut,copy,paste} pairing. Each requires the
# command name to end within 4/5/6 bytes of the opening "(" -- room for exactly one quote
# character, so a space before the quote evades -- plus the matching onbefore{cut,copy,paste}
# handler as the fast pattern. Ten of the twelve combinations are present here; queryCommandValue
# + cut and queryCommandState + paste are not in this span (they may be defined elsewhere), and
# queryCommandSupported/queryCommandText are not covered. All are HTTP-only: no SMTP or
# $FILE_DATA_PORTS variants, unlike the other MS13-009 rules below.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandvalue("; nocase; content:"copy"; within:5; nocase; content:"onbeforecopy"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26225; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandvalue("; nocase; content:"paste"; within:6; nocase; content:"onbeforepaste"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26224; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm("; nocase; content:"cut"; within:4; nocase; content:"onbeforecut"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26223; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm("; nocase; content:"copy"; within:5; nocase; content:"onbeforecopy"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26222; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm("; nocase; content:"paste"; within:6; nocase; content:"onbeforepaste"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26221; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled("; nocase; content:"cut"; within:4; nocase; content:"onbeforecut"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26220; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled("; nocase; content:"copy"; within:5; nocase; content:"onbeforecopy"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26219; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled("; nocase; content:"paste"; within:6; nocase; content:"onbeforepaste"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26218; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate("; nocase; content:"cut"; within:4; nocase; content:"onbeforecut"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26217; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate("; nocase; content:"copy"; within:5; nocase; content:"onbeforecopy"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26216; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CCaret use after free attempt"; flow:to_server,established; file_data; content:"onload="; content:"document.onfocusin"; fast_pattern:only; content:"document.open(|22 22|)"; content:"content=|27|IE=9|27|"; metadata:service smtp; reference:cve,2013-0090; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26169; rev:4;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CCaret use after free attempt"; flow:to_client,established; file_data; content:"onload="; content:"document.onfocusin"; fast_pattern:only; content:"document.open(|22 22|)"; content:"content=|27|IE=9|27|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-0090; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26168; rev:4;)
|
|
# CVE-2013-0092 (MS13-021), onbeforeprint use-after-free, execCommand form (SMTP; to_client
# sibling is 26159). Requires document.execCommand with "print" within 15 bytes, an
# onbeforeprint= attribute whose value starts with document.write within 15 bytes, and a second
# document.write anywhere later in the decoded body. No fast_pattern is declared, so Snort
# picks the longest content ("document.execCommand") itself.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt"; flow:to_server,established; file_data; content:"document.execCommand"; content:"print"; within:15; nocase; content:"onbeforeprint="; content:"document.write"; within:15; content:"document.write"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26162; rev:2;)
|
|
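# CVE-2013-0092 (MS13-021), onbeforeprint use-after-free, body-before-script order (SMTP;
# to_client sibling is 26158, the script-before-body order is 26160). The pcre captures the
# handler name from <body ... onbeforeprint=NAME> and back-references it to a later
# function NAME() whose body calls document.write before the first "}" after its "{".
# rev 4: added file_data so the matches run on the decoded MIME body, consistent with 26160
# and 26158 and with every other $SMTP_SERVERS rule in this file; without it the rule only saw
# the raw, possibly transfer-encoded SMTP stream.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt"; flow:to_server,established; file_data; content:"onbeforeprint"; fast_pattern:only; content:"document.write"; pcre:"/<body.*?onbeforeprint\s*=\s*[\x22\x27]?(?P<func>\w*).*?<script.*?function\s*(?P=func)\s*\x28\x29.*?\x7b[^\x7d]*?document\x2ewrite/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26161; rev:4;)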
|
|
# CVE-2013-0092 (MS13-021), onbeforeprint use-after-free, remaining variants. 26160 (SMTP) and
# 26157 (to_client) handle a function declared before the <body> tag, binding the handler name
# with a back-reference; 26158 handles <body> first (its SMTP sibling is 26161 above); 26159 is
# the execCommand("print") form for file_data. In the pcre variants document.write has to follow
# some "{" with no "}" in between ([^\x7d]*?), so a nested block that closes before the write
# defeats the match.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt"; flow:to_server,established; file_data; content:"onbeforeprint"; fast_pattern:only; content:"document.write"; pcre:"/<script.*?function\s*(?P<func>\w*)\s*\x28\x29.*?\x7b[^\x7d]*?document\x2ewrite.*?<body.*?onbeforeprint\s*=\s*[\x22\x27]?(?P=func)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26160; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand"; content:"print"; within:15; nocase; content:"onbeforeprint="; content:"document.write"; within:15; content:"document.write"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26159; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt"; flow:to_client,established; file_data; content:"onbeforeprint"; fast_pattern:only; content:"document.write"; pcre:"/<body.*?onbeforeprint\s*=\s*[\x22\x27]?(?P<func>\w*).*?<script.*?function\s*(?P=func)\s*\x28\x29.*?\x7b[^\x7d]*?document\x2ewrite/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26158; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt"; flow:to_client,established; file_data; content:"onbeforeprint"; fast_pattern:only; content:"document.write"; pcre:"/<script.*?function\s*(?P<func>\w*)\s*\x28\x29.*?\x7b[^\x7d]*?document\x2ewrite.*?<body.*?onbeforeprint\s*=\s*[\x22\x27]?(?P=func)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26157; rev:4;)
|
|
# CVE-2013-0093 (MS13-021), onBeforeCopy use-after-free. The only match is the fast_pattern:only
# literal <body onload='document.execCommand("SelectAll");' onbeforecopy= -- quoting, spacing
# and attribute order must be byte-identical to the trigger, so the body tag has to be copied
# verbatim to fire. 26138 covers mail to $SMTP_SERVERS, 26137 file_data from
# HTTP/FTP-data/IMAP/POP3.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 onBeforeCopy use after free attempt"; flow:to_server,established; file_data; content:"<body onload=|27|document.execCommand(|22|SelectAll|22|)|3B 27| onbeforecopy="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26138; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 onBeforeCopy use after free attempt"; flow:to_client,established; file_data; content:"<body onload=|27|document.execCommand(|22|SelectAll|22|)|3B 27| onbeforecopy="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26137; rev:2;)
|
|
# CVE-2013-0089 (MS13-021), saveHistory behavior use-after-free, CSS-class form. Keys on the
# literal, whitespace-exact and case-sensitive rule .saveHistory {behavior:url(#default#savehistory);}
# as the fast pattern, then a case-insensitive CLASS=saveHistory onsave= attribute, setTimeout,
# document.open() and a document.createElement( within 100 bytes of it. The <meta name="save">
# form of the same behavior is handled by 26133/26132 below.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_server,established; file_data; content:".saveHistory {behavior|3A|url(#default#savehistory)|3B|}"; fast_pattern:only; content:"CLASS=saveHistory onsave="; nocase; content:"setTimeout"; content:"document.open()"; content:"document.createElement("; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26136; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_client,established; file_data; content:".saveHistory {behavior|3A|url(#default#savehistory)|3B|}"; fast_pattern:only; content:"CLASS=saveHistory onsave="; nocase; content:"setTimeout"; content:"document.open()"; content:"document.createElement("; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26135; rev:2;)
|
|
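# CVE-2013-0091 (MS13-021), IE8 deleted-object access: <title onreadystatechange = followed, at
# least 10 bytes later and inside a 50-byte window, by style = '-ms-behavior: url(. Both
# literals are whitespace-exact. rev 3: the first content is now nocase like the second --
# HTML attribute names are case-insensitive, so onReadyStateChange previously evaded while the
# -ms-behavior literal did not. Everything that matched before still matches. to_client only;
# no SMTP sibling is visible in this section.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"<title onreadystatechange ="; nocase; content:"style = '-ms-behavior: url("; within:50; distance:10; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0091; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26134; rev:3;)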
|
|
# CVE-2013-0088 (MS13-021), saveHistory use-after-free, <meta> form: name="save" and
# content="history" (each value within 15/20 bytes of its attribute), a behavior:url(
# #default#savehistory) style (the fast pattern) and setTimeout followed by history.go(0) within
# 40 bytes; every match is nocase. NOTE(review): classtype is attempted-dos here while
# 26136/26135 (same bulletin, same savehistory behavior) use attempted-user.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_server,established; file_data; content:"<meta"; nocase; content:"name="; nocase; content:"save"; within:15; nocase; content:"content="; nocase; content:"history"; within:20; content:"behavior:"; nocase; content:"url"; within:10; nocase; content:"#default#savehistory"; within:50; fast_pattern; nocase; content:"setTimeout"; nocase; content:"history.go(0)"; within:40; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-dos; sid:26133; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_client,established; file_data; content:"<meta"; nocase; content:"name="; nocase; content:"save"; within:15; nocase; content:"content="; nocase; content:"history"; within:20; content:"behavior:"; nocase; content:"url"; within:10; nocase; content:"#default#savehistory"; within:50; fast_pattern; nocase; content:"setTimeout"; nocase; content:"history.go(0)"; within:40; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-dos; sid:26132; rev:4;)
|
|
# CVE-2013-0094 (MS13-021), .htc component use-after-free: a <PUBLIC:PROPERTY ... PUT="fn">
# whose handler function body calls CollectGarbage() (the fast pattern); the pcre binds the
# PUT value to the function name with a back-reference.
# NOTE(review): the pcre bounds the function body with \x7b[^\x7c]*?CollectGarbage -- \x7c is
# "|", so the class only excludes a pipe character, whereas the onbeforeprint rules above
# (26161/26160/26158/26157) use [^\x7d] ("}") for the same construct. As written the match can
# run far past the handler's closing brace. This looks like a typo for \x7d, but tightening it
# would also drop handlers with a nested "}" before the call, so confirm against the sample
# before changing it.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer htc file use after free attempt"; flow:to_server,established; file_data; content:"PUBLIC:COMPONENT>"; content:"<PUBLIC:PROPERTY"; content:"PUT"; distance:0; content:"CollectGarbage()"; fast_pattern:only; pcre:"/<PUBLIC:PROPERTY[^>]*?PUT\s*=\s*[\x22\x27](?P<func>\w*).*?function\s*(?P=func).*?\x7b[^\x7c]*?CollectGarbage\x28\x29/sm"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26130; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer htc file use after free attempt"; flow:to_client,established; file_data; content:"PUBLIC:COMPONENT>"; content:"<PUBLIC:PROPERTY"; content:"PUT"; distance:0; content:"CollectGarbage()"; fast_pattern:only; pcre:"/<PUBLIC:PROPERTY[^>]*?PUT\s*=\s*[\x22\x27](?P<func>\w*).*?function\s*(?P=func).*?\x7b[^\x7c]*?CollectGarbage\x28\x29/sm"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26129; rev:4;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer text transform use after free attempt"; flow:to_client,established; file_data; content:"contenteditable"; nocase; content:"true"; within:10; nocase; content:"onresize"; distance:0; nocase; content:"javascript:document"; within:30; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58341; reference:cve,2013-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26125; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer bitmap BitmapOffset integer overflow attempt"; flow:to_server,established; flowbits:isset,file.bmp; file_data; content:"BM"; byte_test:4,>,2147480000,8,relative,little; metadata:service smtp; reference:bugtraq,9663; reference:cve,2004-0566; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-025; classtype:attempted-user; sid:25853; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer invalid Shift_JIS character xss attempt"; flow:to_server,established; file_data; content:"<input value="; fast_pattern:only; pcre:"/<input value=[\x22\x27][\x80-\xa0\xe0-\xff][\x22\x27]/i"; metadata:service smtp; reference:cve,2013-0015; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25794; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer invalid Shift_JIS character xss attempt"; flow:to_client,established; file_data; content:"<input value="; fast_pattern:only; pcre:"/<input value=[\x22\x27][\x80-\xa0\xe0-\xff][\x22\x27]/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-0015; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25793; rev:2;)
|
|
# CVE-2013-0023 (MS13-009), SVG use-after-free. A single fast_pattern:only literal <image>
# element, down to the exact x/y/width/height values and the xlink:href="2.svg" file name from
# the trigger; any other geometry or referenced file name evades. HTTP-only. NOTE(review):
# classtype is attempted-admin while the other IE use-after-free rules here use attempted-user.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SVG object use after free attempt"; flow:to_client,established; file_data; content:"image x=|22|60|22| y=|22|50|22| width=|22|240|22| height=|22|240|22| xlink|3A|href=|22|2.svg"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-admin; sid:25792; rev:3;)
|
|
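# CVE-2013-0021 (MS13-009), compatibility-mode (X-UA-Compatible IE=7) invalid memory access:
# attachEvent( with onreadystatechange within 25 bytes (the fast pattern), then
# createElement("div"), removeChild and a second createElement("div") each within 256 bytes of
# the previous match. rev 6: the source was $HOME_NET, unlike every other $SMTP_SERVERS rule in
# this file and the to_client sibling 25790; with a tuned HOME_NET that header only inspected
# mail submitted from inside the network, so externally delivered mail bypassed the rule. It is
# now $EXTERNAL_NET like its siblings.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer compatibility mode invalid memory access attempt"; flow:to_server,established; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=7|22|"; nocase; content:"attachEvent|28|"; content:"onreadystatechange"; within:25; fast_pattern; content:".createElement(|22|div|22|)"; distance:0; nocase; content:".removeChild"; within:256; nocase; content:".createElement(|22|div|22|)"; within:256; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0021; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25791; rev:6;)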
|
|
# CVE-2013-0021 (MS13-009), to_client counterpart of sid 25791 over file_data: X-UA-Compatible
# IE=7 meta tag, attachEvent( + onreadystatechange (fast pattern), then createElement("div"),
# removeChild and another createElement("div") in 256-byte windows. The meta literal is
# whitespace- and quote-exact (double quotes only).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer compatibility mode invalid memory access attempt"; flow:to_client,established; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=7|22|"; nocase; content:"attachEvent|28|"; content:"onreadystatechange"; within:25; fast_pattern; content:".createElement(|22|div|22|)"; distance:0; nocase; content:".removeChild"; within:256; nocase; content:".createElement(|22|div|22|)"; within:256; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0021; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25790; rev:5;)
|
|
# CVE-2013-0019 (MS13-009), iframe use-after-free (SMTP). Requires an <iframe with no src=
# within 40 bytes of the tag start, a quoted name= attribute anywhere in the tag, an empty
# ></iframe (fast pattern), and two later window.open( calls that reference that name through
# the back-reference -- the first within 30 and the second within 60 bytes of the call.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer iframe use after free attempt"; flow:to_server,established; file_data; content:"<iframe"; nocase; content:!"src="; within:40; content:"></iframe"; fast_pattern:only; content:"window.open"; nocase; content:"name"; nocase; pcre:"/<iframe[^>]+name\s*=\s*[\x22\x27](?P<iframe_name>\w+)[\x22\x27].*?><\x2fiframe\s*>.*?window\x2eopen\x28.{1,30}(?P=iframe_name).*?window\x2eopen\x28.{1,60}(?P=iframe_name)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25789; rev:3;)
|
|
# CVE-2013-0019 (MS13-009), to_client variant of 25789. Its pcre differs: it enumerates
# name/height/width attributes in one repeated group and requires "></iframe" to follow them
# directly (no other attributes allowed).
# NOTE(review): (?P<iframe_name>\w+) sits inside that repeated group, so PCRE keeps the value
# captured by the LAST attribute iterated -- for <iframe name="x" width="100"></iframe> the
# back-reference becomes 100, not x, and both window.open( checks then fail. Only a tag whose
# name attribute comes last (or stands alone) is matched reliably; the SMTP form
# ([^>]+name\s*=...) in 25789 does not have this problem.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer iframe use after free attempt"; flow:to_client,established; file_data; content:"<iframe"; nocase; content:!"src="; within:40; content:"window.open"; nocase; content:"></iframe"; fast_pattern:only; content:"name"; nocase; pcre:"/<iframe(\s*(name|height|width)\s*=\s*[\x22\x27]?(?P<iframe_name>\w+)[\x22\x27]?)*><\x2fiframe\s*>.*?window\x2eopen\x28.{1,30}(?P=iframe_name).*?window\x2eopen\x28.{1,60}(?P=iframe_name)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25788; rev:6;)
|
|
# CVE-2013-0026 (MS13-009), IE9 deleted-object access. Inside one <script> block: SelectAll
# within 60 bytes of the tag, two execCommand("Justify... calls (40 and 60 bytes apart),
# SelectAll again within 45 bytes and </script> within 16. The chain of tight within: windows
# means any extra statement between the calls breaks the match; all contents are nocase.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_server,established; file_data; content:"<script>"; nocase; content:"SelectAll"; within:60; nocase; content:"execCommand|28 22|Justify"; within:40; nocase; content:"execCommand|28 22|Justify"; within:60; nocase; content:"SelectAll"; within:45; nocase; content:"</script>"; within:16; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57832; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25787; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"<script>"; nocase; content:"SelectAll"; within:60; nocase; content:"execCommand|28 22|Justify"; within:40; nocase; content:"execCommand|28 22|Justify"; within:60; nocase; content:"SelectAll"; within:45; nocase; content:"</script>"; within:16; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57832; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25786; rev:3;)
|
|
# CVE-2013-0022 (MS13-009), RTL text-layout use-after-free: a <figure dir="rtl"> element
# followed somewhere later by a run of exactly 100 consecutive character references
# (&...; with 2-4 hex/decimal digits each, nothing in between). Fewer than 100 in a row, or
# any text separating them, does not fire.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_server,established; file_data; content:"<figure"; nocase; content:"dir"; within:50; nocase; content:"rtl"; within:50; nocase; content:"&"; within:50; pcre:"/<figure[^>]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25785; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_client,established; file_data; content:"<figure"; nocase; content:"dir"; within:50; nocase; content:"rtl"; within:50; nocase; content:"&"; within:50; pcre:"/<figure[^>]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25784; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SVG use after free attempt"; flow:to_client,established; file_data; content:".setCapture("; fast_pattern:only; content:"<svg"; nocase; content:" id="; distance:0; nocase; content:".getElementById("; distance:0; nocase; content:".setCapture("; distance:0; nocase; pcre:"/<svg[^>]*?>.*?<[^>]*?\sid=(?P<q1>(\x22|\x27|))(?P<id1>[^\x22\x27\s>]+?)(?P=q1).*?<[^>]*?\s+id=(?P<q2>(\x22|\x27|))(?P<id2>[^\x22\x27\s>]+?)(?P=q2).*?<\x2fsvg>.*?<script[^>]*?>.*?(document\.getElementById\([^)]*?((?P=id1)|(?P=id2))[^)]*?\).*?\.setCapture\(.*?\).*?){2}/smiO"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-0018; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25778; rev:4;)
|
|
# CVE-2013-0024 (MS13-009), CTreePos use-after-free. Two orderings of the same script:
# document.selection.createRange() before (25777) or after (25776) getElementsByTagName("*").
# The range variable then has moveToElementText(el), collapse(true), select( and pasteHTML(
# applied, each within 50 bytes of the previous call, with variable names bound by
# back-references. The element index is a single digit (\[\s*?\d\s*?\]), so elements[10] and
# above are not matched. HTTP-only.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos use after free memory corruption attempt"; flow:to_client,established; file_data; content:"document.selection.createRange("; content:"getElementsByTagName("; within:50; content:"moveToElementText("; within:50; content:"collapse("; within:50; content:"select("; within:50; content:"pasteHTML("; within:50; pcre:"/var\s+?(?P<range>[^\s]+?)\s*?=\s*?document\.selection\.createRange\([^\(]*?\).*?var\s+?(?P<elements>[^\s]+?)\s*?=\s*?document\.body\.getElementsByTagName\(\s*?[\x22\x27]\s*?\*\s*?[\x22\x27]\s*?\).*?var\s+?(?P<el>[^\s]+?)\s*?=\s*?(?P=elements)\s*?\[\s*?\d\s*?\].*?(?P=range)\.moveToElementText\(\s*?(?P=el)\s*?\).*?(?P=range)\.collapse\(\s*?true\s*?\).*?(?P=range)\.select\(.*?(?P=range)\.pasteHTML\(/si"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25777; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos use after free memory corruption attempt"; flow:to_client,established; file_data; content:"getElementsByTagName("; content:"document.selection.createRange("; within:100; content:"moveToElementText("; within:50; content:"collapse("; within:50; content:"select("; within:50; content:"pasteHTML("; within:50; pcre:"/var\s+?(?P<elements>[^\s]+?)\s*?=\s*?document\.body\.getElementsByTagName\(\s*?[\x22\x27]\s*?\*\s*?[\x22\x27]\s*?\).*?var\s+?(?P<el>[^\s]+?)\s*?=\s*?(?P=elements)\s*?\[\s*?\d\s*?\].*?var\s+?(?P<range>[^\s]+?)\s*?=\s*?document\.selection\.createRange\([^\(]*?\).*?(?P=range)\.moveToElementText\(\s*?(?P=el)\s*?\).*?(?P=range)\.collapse\(\s*?true\s*?\).*?(?P=range)\.select\(.*?(?P=range)\.pasteHTML\(/si"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25776; rev:2;)
|
|
# CVE-2013-0025 / CVE-2013-1288 / CVE-2015-6050, pre-line use-after-free. A single
# fast_pattern:only literal .style.whiteSpace = "pre-line" -- exact spacing around "=" and
# double quotes required -- so style.whiteSpace="pre-line", single quotes, or a
# setProperty()/cssText form do not fire.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt"; flow:to_client,established; file_data; content:".style.whiteSpace = |22|pre-line|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0025; reference:cve,2013-1288; reference:cve,2015-6050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-021; classtype:attempted-user; sid:25775; rev:6;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VML shape object malformed path attempt"; flow:to_client,established; file_data; content:"document.createElement("; nocase; content:"shape"; nocase; content:"setAttribute("; distance:0; fast_pattern; nocase; content:"path"; within:5; distance:1; nocase; isdataat:506,relative; content:!")"; within:506; pcre:"/var\s*?(?P<m1>\w+)s*?=s*?document.createElement\s*?\([\x22\x27][\w]s*?[\x3a\x3b]\s*?shape[\x22\x27]\).*?(?P=m1)s*?.\s*?setAttribute\s*?\(\s*?[\x22\x27]\s*?path\s*?[\x22\x27]\s*?,\s*?[\x22\x27][^\x29]{506}.*?(?P=m1)\.s*?path/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0030; classtype:attempted-user; sid:25773; rev:5;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt"; flow:to_client,established; file_data; content:"onbeforeeditfocus"; nocase; content:"document.write"; within:30; pcre:"/onbeforeeditfocus\s*?=\s*?[\x22\x27]document\x2ewrite/ism"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0029; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25772; rev:6;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer custom cursor file use after free attempt"; flow:to_client,established; file_data; content:"location.reload()"; nocase; content:"style"; distance:0; nocase; content:"cursor"; within:256; nocase; content:"|3A|"; within:5; content:"URL"; within:5; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25771; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"DOMParser"; fast_pattern:only; content:"createCDATASection"; nocase; content:"|2E|cloneNode"; nocase; content:"adoptNode"; distance:0; nocase; content:"CollectGarbage()"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25770; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate("; nocase; content:"paste"; within:6; nocase; content:"onbeforepaste"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25769; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt"; flow:to_server,established; file_data; content:"iframe"; nocase; content:"name"; within:1000; nocase; isdataat:2084,relative; pcre:"/iframe[^>]*?[\s\x3b\x22\x27]name\s*=\s*[\x22\x27]?[^\x22\x27\s]{2000}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,11515; reference:cve,2004-1050; classtype:attempted-user; sid:25650; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_client,established; file_data; content:"table-layout|3A|"; nocase; content:"fixed"; within:7; nocase; content:"<col id="; within:20; content:"width="; within:50; nocase; content:"span="; within:30; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:25246; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"window.location"; content:"unescape"; within:30; content:"http"; within:30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-008; classtype:attempted-user; sid:25235; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"window.location"; content:"unescape"; within:30; content:"http"; within:30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-008; classtype:attempted-user; sid:25234; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|"; within:50; content:"button"; within:20; content:"outerText"; within:200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-008; classtype:attempted-user; sid:25134; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-008; classtype:attempted-user; sid:25133; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:"<param name=|5C 22|movie|5C 22| value=|5C 22|today.swf|5C 22| />"; fast_pattern:only; content:"<iframe src=news.html></iframe>"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-008; classtype:attempted-user; sid:25132; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-008; classtype:attempted-user; sid:25131; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-008; classtype:attempted-user; sid:25130; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|"; within:50; content:"button"; within:20; content:"outerText"; within:200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-008; classtype:attempted-user; sid:25129; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-008; classtype:attempted-user; sid:25128; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:"<param name=|5C 22|movie|5C 22| value=|5C 22|today.swf|5C 22| />"; fast_pattern:only; content:"<iframe src=news.html></iframe>"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-008; classtype:attempted-user; sid:25127; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25126; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-008; classtype:attempted-user; sid:25125; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer sign extension vulnerability exploitation attempt"; flow:to_server,established; file_data; content:"while|28| str2.length < 0x10000000|29|"; fast_pattern:only; content:"if |28|str1.length < 0x40000000|29|"; nocase; content:"setTimeout|28|poc, 10|29|"; distance:0; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2012-2523; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-052; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-056; classtype:attempted-user; sid:25079; rev:4;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer invalid object property use after free memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElement"; content:".style."; within:100; content:"document.createElement"; within:45; content:"CollectGarbage"; within:75; fast_pattern; content:"HTML"; within:55; pcre:"/(body\s*?onload\s*?\x3d\s*?[\x22\x22](?P<func>\w+).*?function\s*?(?P=func)\s*?\x28[^\x7b]+?\x7b[^\x7d]+?var\s*?(?P<var>\w+)\s*?\x3d\s*?document\.getElement[^\x7d]+?\.style\.\w+\s*?\x3d\s*?document\.createElement[^\x7d]+?CollectGarbage[^\x7d]+?(?P=var)\.(inner|outer)HTML)|(function\s*?(?P<func2>\w+)\s*?\x28[^\x7b]+?\x7b[^\x7d]+?var\s*?(?P<var2>\w+)\s*?\x3d\s*?document\.getElement[^\x7d]+?\.style\.\w+\s*?\x3d\s*?document\.createElement[^\x7d]+?CollectGarbage[^\x7d]+?(?P=var2)\.(inner|outer)HTML.*?body\s*?onload[^\x3e]+?)(?P=func2)/ims"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4787; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-077; classtype:attempted-dos; sid:24956; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer button object use after free memory corruption attempt"; flow:to_server,established; file_data; content:"<fieldset"; fast_pattern:only; content:"<button"; content:".innerHTML"; pcre:"/<fieldset[^>]+?id\s*?\x3d\s*?(?P<quoteVar1>\x22|\x27|)(?P<fieldName>\w+)(?P=quoteVar1).*?button.*(?P=fieldName)\x2einnerHTML.*?button/smi"; metadata:policy security-ips drop, service smtp; reference:cve,2012-1538; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-071; classtype:attempted-user; sid:24663; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer button object use after free memory corruption attempt"; flow:to_client,established; file_data; content:"<fieldset"; fast_pattern:only; content:"<button"; content:".innerHTML"; pcre:"/<fieldset[^>]+?id\s*?\x3d\s*?(?P<quoteVar1>\x22|\x27|)(?P<fieldName>\w+)(?P=quoteVar1).*?button.*(?P=fieldName)\x2einnerHTML.*?button/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1538; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-071; classtype:attempted-user; sid:24662; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 style properties use after free attempt"; flow:to_client,established; file_data; content:"badstyle|3A 3A|first-line|7B|-ms-background-position-x|3A| 1ex|3B 7D|"; fast_pattern:only; content:"javascript:window.location.reload"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1539; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-071; classtype:attempted-user; sid:24661; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 style properties use after free attempt"; flow:to_server,established; file_data; content:"badstyle|3A 3A|first-line|7B|-ms-background-position-x|3A| 1ex|3B 7D|"; fast_pattern:only; content:"javascript:window.location.reload"; metadata:policy security-ips drop, service smtp; reference:cve,2012-1539; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-071; classtype:attempted-user; sid:24660; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 table th element use after free attempt"; flow:to_server,established; file_data; content:"<th"; content:"document.getElementById"; content:".innerHTML = |22 22 3B|"; fast_pattern:only; pcre:"/(?P<elemName>\w*?)\x2einnerHTML\s*?=\s*?[\x22\x27][\x22\x27].*?<th[^>]id=[\x22\x27](?P=elemName).*?(<em>|<dfn>|<code>|<var>|<kbd>|<strong>|<samp>)/smi"; pcre:"/var\s*?(?P<varName>\w*?)\s*?=\s*?document\x2egetElementById\x28[\x22\x27](?P<tableName>\w*?).*?(?P=varName)\x2e(cellpadding|cellspacing|width|).*?<table[^>]id=[\x22\x27](?P=tableName)/smi"; metadata:policy security-ips drop, service smtp; reference:cve,2012-4775; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-071; classtype:attempted-user; sid:24654; rev:4;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 table th element use after free attempt"; flow:to_client,established; file_data; content:"<th"; content:"document.getElementById"; content:".innerHTML = |22 22 3B|"; fast_pattern:only; pcre:"/(?P<elemName>\w*?)\x2einnerHTML\s*?=\s*?[\x22\x27][\x22\x27].*?<th[^>]id=[\x22\x27](?P=elemName).*?(<em>|<dfn>|<code>|<var>|<kbd>|<strong>|<samp>)/smi"; pcre:"/var\s*?(?P<varName>\w*?)\s*?=\s*?document\x2egetElementById\x28[\x22\x27](?P<tableName>\w*?).*?(?P=varName)\x2e(cellpadding|cellspacing|width|).*?<table[^>]id=[\x22\x27](?P=tableName)/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4775; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-071; classtype:attempted-user; sid:24653; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer JPEG rendering buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FA FF DA 00 0C 03|"; content:!"R|00|G|00|B|00|"; within:6; pcre:!"/\xFA\xFF\xDA\x00\x0C\x03((\x00.\x01.\x02)|(\x01.\x02.\x03)|(\x01.\x04.\x05))/"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,14282; reference:bugtraq,14284; reference:cve,2005-1988; reference:cve,2005-2308; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-038; classtype:attempted-user; sid:24452; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_server,established; file_data; content:"table-layout|3A|"; nocase; content:"fixed"; within:7; nocase; content:"var divt = document.getElementById(|22|div_table|22|)"; nocase; content:"<col id='col_id' width='41' span='9'>"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24205; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_client,established; file_data; content:"table-layout|3A|"; nocase; content:"fixed"; within:7; nocase; content:"var divt = document.getElementById(|22|div_table|22|)"; nocase; content:"<col id='col_id' width='41' span='9'>"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24204; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_server,established; file_data; content:"table-layout|3A|"; fast_pattern; nocase; content:"fixed"; within:7; nocase; pcre:"/<\s*script.*?(?P<var>\w+)\s*=\s*document\.getElementById\s*\x28\s*[\x22\x27](?P<col_id>[^\x22\x27]+)[\x22\x27]\s*\x29.*?((?P=var)\.span.*?<\s*table.*?<col[^>]*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?>.*?<\s*\/\s*table\s*>|<\s*col.*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?span\s*=\s*[\x22\x27]?\d)/ims"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24203; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer sign extension vulnerability exploitation attempt"; flow:to_server,established; file_data; content:"var reprostr"; nocase; content:"if |28|reprostr.length < 0x7fffffff|29|"; distance:0; nocase; content:"reprostr = reprostr + reprostr"; distance:0; nocase; content:"window.onload"; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2012-2523; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-052; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-056; classtype:attempted-user; sid:23841; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer sign extension vulnerability exploitation attempt"; flow:to_client,established; file_data; content:"var reprostr"; nocase; content:"if |28|reprostr.length < 0x7fffffff|29|"; distance:0; nocase; content:"reprostr = reprostr + reprostr"; distance:0; nocase; content:"window.onload"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2523; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-052; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-056; classtype:attempted-user; sid:23840; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 memory disclosure attempt"; flow:to_client,established; file_data; content:"event.data.replace("; fast_pattern; nocase; content:"/|5C|0/g"; within:10; content:".postMessage("; nocase; content:"X-UA-Compatible"; pcre:"/var\s+?(?P<var>[^\s=\x3b]+?)\s*?=\s*?[\x22\x27]\x5C0[\x22\x27]\s*?\x3b.*?\.postMessage\(\s*?(?P=var)/smi"; metadata:service http; reference:bugtraq,53844; reference:cve,2012-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-recon; sid:23128; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer insertAdjacentText memory corruption attempt"; flow:to_client,established; file_data; content:"insertAdjacentText(|22|beforeEnd|22 2C| string1.substring(0,96000))"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:cve,2012-1879; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23126; rev:4;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:".attachEvent("; content:"onrowsdelete"; within:12; distance:1; content:"srcElement.parentNode.removeChild("; distance:0; metadata:policy security-ips drop, service http; reference:cve,2012-1881; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:misc-attack; sid:23122; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer xbap custom ISeralizable object exception attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|86 18 A1 01 90 00 1C 00 23 24 00 00 00 00 86 00 17 03 1F 00 1E 00 38 24 00 00 00 00 96 00 20 04|"; fast_pattern:only; content:"MarshalByRefObject"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0161; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-035; classtype:attempted-user; sid:22080; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 DOM memory corruption attempt"; flow:to_client,established; file_data; content:"|22|X-UA-Compatible|22|"; nocase; content:"content|3D 22|IE|3D|8|22|"; distance:0; nocase; pcre:"/<\s*script.*?(?P<element2>\w+?)\x2Eparentnode\x2Eremovechild\x28(?P=element2)\x29/smi"; content:"|3C|ul|3E|"; nocase; metadata:service http; reference:bugtraq,37188; reference:cve,2009-3671; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:21994; rev:4;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0A 43 6F 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 0D 09 09 09 09 09 09 09 09 09 0A 0D 0A 20 20|"; fast_pattern:only; metadata:service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21993; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 20 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0A 43 6F 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 0A 0A|"; fast_pattern:only; metadata:service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21992; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 2F 2E 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0D 09 0A 0D 0A 20 20|"; fast_pattern:only; metadata:service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21991; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SelectAll dangling pointer use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand|28|'selectAll'|29|"; nocase; content:"document.execCommand|28|'selectAll'|29|"; distance:0; nocase; content:"document.execCommand|28|'selectAll'|29|"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; classtype:attempted-user; sid:21791; rev:7;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SelectAll dangling pointer use after free attempt"; flow:to_client,established; file_data; content:"document.designMode='off'"; nocase; content:"document.execCommand('selectAll')"; distance:0; nocase; content:"<body onload=|22|document.execCommand('selectAll')|22| onbeforedeactivate='f()'>"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; classtype:attempted-user; sid:21790; rev:7;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer toStaticHTML XSS attempt"; flow:to_client,established; file_data; content:"toStaticHTML"; nocase; pcre:"/toStaticHtml\s*\x28[^\x29]*?<\s*style\s*>.*?[&\x22<>]\s*\w+[\x3a=].*?\x29\x3b/i"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1252; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-074; classtype:web-application-activity; sid:21569; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer mouse drag hijack"; flow:to_client,established; file_data; content:"createPopup"; nocase; content:"onmousedown"; distance:0; nocase; content:"pop.show"; distance:0; nocase; pcre:"/(?P<q1>\w+)\x3Dwindow\x2EcreatePopup.*?onmousedown[^\x3C]*(?P=q1)\x2Eshow/smi"; metadata:service http; reference:cve,2004-0841; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-038; classtype:attempted-user; sid:21353; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer orphan DOM objects memory corruption attempt"; flow:to_client,established; file_data; content:"createElement"; nocase; content:"appendChild"; distance:0; nocase; content:"attributes"; distance:0; nocase; pcre:"/var\s*(?P<firstDOM>\w+?)\s*\x3D\s*document\x2EcreateElement.*?(?P<secondDOM>\w+?)\s*\x3D\s*document\x2EcreateElement\x28\x27(?P<reference>\w+?)\x27\x29.*?(?P=firstDOM)\x2EappendChild\x28(?P=secondDOM)\x29.*?(?P=secondDOM)\x2E(?P=reference)\s*?\x3D\s*?(?P=firstDOM)\x2Eattributes/smi"; metadata:service http; reference:cve,2009-3674; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:21272; rev:4;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer XSRF timing attack against XSS filter"; flow:to_client,established; file_data; content:"onload"; nocase; content:"timeCount"; nocase; content:"tcInterval"; nocase; content:"setInterval"; nocase; pcre:"/iframe.*?id\s*\x3d\s*(?P<q1>\w*)\s*src\s*\x3d\s*.*?(?P=q1)\x2elocation\s*\x3d\s*(?P<q2>\x22|\x27|)\s*(http|https)\x3a\x2f\x2f.*?(?P=q2)/smi"; metadata:service http; reference:cve,2011-1992; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-089; classtype:attempted-recon; sid:20699; rev:7;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt"; flow:to_client,established; file_data; content:"window.open"; content:"document.appendChild(document.createTextNode(|22 22|)"; fast_pattern:only; content:".document.appendChild(document.all[0])"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:20279; rev:11;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt"; flow:to_client,established; file_data; content:"window.open().document.appendChild(a)|3B|"; content:"document.removeChild(a)"; within:50; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:20278; rev:8;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML comment creation attempt"; flow:to_client,established; file_data; content:"window.open"; fast_pattern:only; content:"createComment"; pcre:"/(\w+)\s*=\s*\w+\.createComment\(((\x22\x22|\x27\x27)|([A-z]\w*))\)\s*\;.*?\w+\.(insertBefore|insertAfter|appendChild)\(\1\)\;|window\.open\(\)\.\w\.(insertBefore|insertAfter|appendChild)\(\w+\.createComment\(((\x22\x22|\x27\x27)|([A-z]\w*))\)/s"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:20277; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer jscript9 parsing corruption attempt"; flow:to_client,established; file_data; content:"X-UA-Compatible|22|content=|22|IE=EmulateIE7|22|"; fast_pattern:only; content:"https://getfirebug.com/firebug-lite.js#saveCookies=true"; metadata:service http; reference:cve,2011-1998; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:20273; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cross-domain scripting attack"; flow:to_client,established; file_data; content:"document.domain"; nocase; content:"this.document.domain"; within:100; nocase; content:"window.open|28| |27|redirect.aspx|27| |29|"; within:200; nocase; metadata:service http; reference:cve,2011-1960; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-057; classtype:attempted-user; sid:19667; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer multi-window access memory corruption attempt"; flow:to_client,established; file_data; content:"open|28 22 23|newwnd"; nocase; content:".document.open|28 29|"; distance:0; nocase; pcre:"/([A-Z\d_]+)\s*=\s*open\x28.*?\1\.document\.open\x28\x29/smi"; metadata:service http; reference:cve,2011-1257; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-057; classtype:attempted-user; sid:19666; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 6/7/8 reload stylesheet attempt"; flow:to_client,established; file_data; content:"<link"; content:".href"; nocase; content:".rel"; distance:0; nocase; content:"stylesheet"; distance:0; fast_pattern; nocase; content:".href"; distance:0; nocase; content:"location.reload"; distance:0; nocase; pcre:"/(?P<q1>[a-zA-Z0-9]*)\x2ehref\s*\x3d.*(?P=q1)\x2erel\s*\x3d.*(?P=q1)\x2ehref\s*\x3d/smi"; metadata:service http; reference:cve,2011-1250; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19240; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 toStaticHTML XSS attempt"; flow:to_client,established; file_data; content:"toStaticHTML("; fast_pattern; nocase; content:"expression("; within:100; nocase; pcre:"/toStaticHTML\x28.*?[\x26\x22].=expression\x28/smi"; metadata:service http; reference:cve,2011-1252; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19239; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 self remove from markup vulnerability"; flow:to_client,established; file_data; content:"getElementById"; nocase; content:"parentNode.RemoveChild"; distance:0; fast_pattern; nocase; content:"location.reload()"; nocase; pcre:"/(?P<q1>\w*)\s*\x3d\s*document\x2egetElementById\x28(?P<q2>[\x22\x26])(?P<q3>\w*+)(?P=q2).*(?P=q1)\x2eparentNode\x2eremoveChild.*span\s+id\s*\x3d\s*(?P<q4>[\x22\x26])(?P=q3)(?P=q4)/smi"; metadata:service http; reference:cve,2011-1251; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19238; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer drag event memory corruption attempt"; flow:to_client,established; file_data; content:"dataTransfer.effectAllowed"; nocase; content:"dataTransfer.setData|28 22|URL|22|"; within:100; nocase; metadata:service http; reference:bugtraq,48204; reference:cve,2011-1254; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-admin; sid:19236; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer copy/paste memory corruption attempt"; flow:to_client,established; file_data; content:"obj.outerHTML = 0x41414141"; fast_pattern:only; metadata:service http; reference:cve,2011-1256; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19235; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer getElementById object corruption"; flow:to_client, established; file_data; content:"function post_info(info_array)"; content:"info_array.length|3B| i ++)"; distance:0; pcre:"/^\s*\x7B[^\x7D]*document\.createElement\('input'\)[^\x7D]*form\.appendChild\(plugin\)\s*\x7D/smiR"; content:"document.body.removeChild(form)|3B|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30614; reference:cve,2008-2254; reference:url,attack.mitre.org/techniques/T1176; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-045; classtype:attempted-user; sid:19079; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt"; flow:to_client,established; content:"document.writeln|28 28|block.length|2B|memory|5B|0|5D 2E|length|2A|300|29 29 3B|"; content:"child_creator.click|28 29 3B|"; within:100; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18523; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_creator|20 3D 20|document|2E|createElement|28 22 3C|A target|3D 27|_blank|27|"; content:"document.body.insertBefore|28|child_creator|29 3B|"; within:200; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18522; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_element|20 3D 20|child|2E|document|2E|createElement|28 22 22 29 3B|"; content:"child_element|2E|appendChild|28|parent_element|29 3B|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18521; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt"; flow:to_client,established; content:"try { window.open().document.appendChild(document)|3B| } catch(e) {}"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18520; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML comment creation attempt"; flow:to_client,established; content:"|61 00 72 00 65 00 6E 00 74 00 5F 00 65 00 6C 00 65 00 6D 00 65 00 6E 00 74 00 2E 00 61 00 70 00 70 00 65 00 6E 00 64 00 43 00 68 00 69 00 6C 00 64 00 28 00 64 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 2E 00 63 00 72 00 65 00 61 00 74 00 65 00 43 00 6F 00 6D 00 6D 00 65 00 6E 00 74 00 28 00 73 00 4D 00 53 00 48 00 54 00 4D 00 4C 00 5F 00 68 00 65 00 61 00 70 00 5F 00 73 00 70 00 72 00 61 00 79 00 29 00 29 00 3B 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18518; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt"; flow:to_server,established; urilen:>200; content:"|04 04 04|"; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; sid:18517; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:"|3C|input type|3D 22|checkbox|22 20|id|3D 27|c|27 3E|"; content:"r|3D|document|2E|getElementById|28 22|c|22 29 3B|"; distance:0; content:"a|3D|r|2E|createTextRange|28 29 3B|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:18313; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer frameset memory corruption attempt"; flow:to_client,established; file_data; content:"self.resizeTo|28|2003, 1228|29 3B|"; metadata:service http; reference:bugtraq,18277; reference:cve,2006-3637; classtype:attempted-user; sid:18307; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client,established; file_data; content:"|26|lt|3B 2F|span|26|gt|3B 0A 26|lt|3B|pre|26|gt|3B|"; content:"|26|lt|3B|colgroup|26|gt|3B 0A 26|lt|3B|small|26|gt|3B 0A 26|lt|3B 2F|small|26|gt|3B 0A 26|lt|3B 2F|colgroup|26|gt|3B|"; distance:0; content:"|26|lt|3B 2F|object|26|gt|3B 0A 26|lt|3B 2F|bdo|0A 26|lt|3B 2F|th|0A 26|lt|3B 2F|object"; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2006-1188; classtype:attempted-user; sid:18306; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client,established; file_data; content:"|26|lt|3B|pre|26|gt|3B 26|lt|3B|td|26|gt|3B|"; content:"|26|lt|3B|menu|26|gt|3B 0A 26|lt|3B|legend|26|gt|3B|"; within:27; distance:1; metadata:policy max-detect-ips drop, service http; reference:cve,2006-1188; classtype:attempted-user; sid:18305; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client,established; file_data; content:"white|2D|space|3A|normal|3B|"; fast_pattern:only; pcre:"/pre\s*\x7b\s*white\x2dspace\x3a\s*normal\s*\x3b\s*\x7d/i"; content:"span|20 2F|"; distance:0; nocase; content:"span|20 2F|"; within:14; nocase; pcre:"/(\x26lt\x3b|\x3c)pre(\x26gt\x3b|\x3e)\s*(\x26lt\x3b|\x3c)span\s\x2f(\x26gt\x3b|\x3e)(\x26lt\x3b|\x3c)span\s\x2f(\x26gt\x3b|\x3e)\s*(\x26lt\x3b|\x3c)\x2fpre(\x26gt\x3b|\x3e)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-1188; classtype:attempted-user; sid:18304; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer script action handler overflow attempt"; flow:to_client,established; file_data; content:"for|28|s|3D 27 3C|a|20|onclick|3D 27 2C|i|3D|0|3B|"; content:"document|2E|write|28|s|2B 27 3E 27 29|"; distance:0; content:"s|2B 3D|s|3B|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:18303; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer FTP command injection attempt"; flow:to_client,established; file_data; content:"ftp|3A 2F 2F|"; fast_pattern:only; pcre:"/ftp\x3A\x2F\x2F[^\s]+?\x250[ad]/i"; metadata:service http; reference:bugtraq,11826; reference:cve,2004-1166; classtype:attempted-user; sid:18300; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer implicit drag and drop file installation attempt"; flow:to_client,established; file_data; content:"folder"; nocase; content:"|22|shell|3A|"; distance:0; nocase; pcre:"/folder\s*=\s*\x22shell\x3a/i"; metadata:service http; reference:bugtraq,10973; reference:cve,2004-0839; classtype:attempted-user; sid:18299; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer drag-and-drop vulnerability"; flow:to_client,established; file_data; content:"CreateObject|28 22|ADODB.Connection|22 29|"; nocase; content:"dbq=http|3A 2F 2F|"; distance:0; fast_pattern; nocase; metadata:service http; reference:bugtraq,11466; reference:cve,2005-0053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-008; classtype:attempted-user; sid:18282; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt"; flow:to_client,established; file_data; content:"|72 65 74 72 20 3D 20 6F 2E 6F 62 6A 65 63 74 2E 64 6F 63 75 6D 65 6E 74 45 6C 65 6D 65 6E 74 2E 69 6E 6E 65 72 48 54 4D 4C|"; content:"|73 65 74 54 69 6D 65 6F 75 74 28 27 72 65 74 72 69 65 76 65 28 29 27 2C 31 29|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,18682; reference:cve,2006-3280; classtype:attempted-user; sid:18194; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt"; flow:to_client,established; file_data; content:"|6F 6E 6C 6F 61 64 3D 22 73 65 74 54 69 6D 65 6F 75 74 28 27 61 6C 65 72 74 28 6F 2E 6F 62 6A 65 63 74 2E 64 6F 63 75 6D 65 6E 74 45 6C 65 6D 65 6E 74 2E 6F 75 74 65 72 48 54 4D 4C 29 27 2C 31 30 30 30 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,18682; reference:cve,2006-3280; classtype:attempted-user; sid:18193; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSS memory corruption attempt"; flow:to_server,established; file_data; content:"<style>"; nocase; content:"@"; distance:0; content:"|2F 2A|"; distance:0; content:!"|2A 2F|"; within:300; metadata:service smtp; reference:bugtraq,10816; reference:cve,2004-0842; classtype:attempted-user; sid:18175; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS memory corruption attempt"; flow:to_client,established; file_data; content:"<style>"; nocase; content:"@"; distance:0; content:"|2F 2A|"; distance:0; content:!"|2A 2F|"; within:300; metadata:service http; reference:bugtraq,10816; reference:cve,2004-0842; classtype:attempted-user; sid:18174; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 CSS XSRF exploit attempt"; flow:to_client,established; file_data; content:"alert|28|el.currentStyle.fontFamily|29|"; fast_pattern:only; metadata:service http; reference:cve,2010-3325; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17774; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt"; flow:to_client,established; file_data; content:"var nopsled"; nocase; content:"cloneNode|28 29|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:17644; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DOM object cache management memory corruption attempt"; flow:to_client,established; file_data; content:"getElementsByTagName"; nocase; content:"removeNode|28|true|29|"; distance:0; fast_pattern; nocase; pcre:"/\x2EgetElementsByTagName\x28[^\x29]+?\x2EremoveNode\x28true\x29/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26817; reference:cve,2007-5344; classtype:attempted-user; sid:17554; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Error Handling Code Execution"; flow:to_client,established; file_data; content:"var"; nocase; content:".exe"; within:75; content:"for"; nocase; content:"i=0|3B| i<20|3B| i++"; within:30; fast_pattern; content:"document.location.href="; within:50; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25916; reference:cve,2007-3892; reference:cve,2007-3893; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-admin; sid:17549; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt"; flow:to_client,established; file_data; content:"<body onload=a() onload=a() onload=a() onload=a() onload=a()"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:17512; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt"; flow:to_client,established; content:"Location|3A|"; nocase; isdataat:600,relative; content:!"|0D|"; within:600; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt"; flow:to_client,established; file_data; content:"XMLHttpRequest"; nocase; content:"setRequestHeader"; distance:0; nocase; pcre:"/setRequestHeader\x28[^\x29]*(Host|Referer|Content-Length).*?String\.fromCharCode\x28/smi"; byte_test:3,>,160,0,relative,string; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28379; reference:cve,2008-1544; classtype:attempted-user; sid:17385; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt"; flow:to_client,established; file_data; content:"XMLHttpRequest"; nocase; content:"setRequestHeader"; distance:0; nocase; pcre:"/setRequestHeader\x28[^\x29]*(Host|Referer|Content-Length)[\x22\x27][^\x2c]*[\xA0-\xFF]/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28379; reference:cve,2008-1544; classtype:attempted-user; sid:17384; rev:7;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer FTP Response Parsing Memory Corruption"; flow:to_client,established; isdataat:1023; pcre:"/\d{3}\s+[^\n]{1019}/smi"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,22489; reference:cve,2007-0217; classtype:web-application-attack; sid:17367; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS import cross-domain restriction bypass attempt"; flow:to_client,established; file_data; content:"|3C|style"; nocase; content:"@import url|28 22|http|3A 2F 2F|news|2E|google|2E|com|2F|news|3F|hl|3D|en|26|ned|3D|us|26|q|3D 25|7D|25|7B|22 29|"; distance:0; nocase; metadata:service http; reference:bugtraq,15660; reference:cve,2005-4089; classtype:attempted-user; sid:17311; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:".createTextRange|28 29 09 0A 0D 09 20 0A 20 0A 20 0D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17263; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:".createTextRange|28 29 3B|"; fast_pattern:only; content:"<input type|3D 22|radio|22|"; nocase; pcre:"/\x3Cinput\s+type\x3D\x22radio\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17262; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 6 race condition exploit attempt"; flow:to_client,established; file_data; content:"|3C|meta http-equiv|3D 22|refresh|22| content|3D 22|01|22 2F 3E|"; content:"|3C|iframe src|3D 22|iframepoc.html|22 3E 3C 2F|iframe|3E|"; distance:0; metadata:service http; reference:cve,2010-2558; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-053; classtype:attempted-user; sid:17136; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:"innerHTML"; content:".createTextRange|28 29|"; fast_pattern:only; pcre:"/input.*?type.*?[\x22\x27]\s*?(radio|image|checkbox)\s*?[\x22\x27].*?\x2EcreateTextRange\s*?\x28\x29/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:16690; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Oracle Java Web Start arbitrary command execution attempt - Internet Explorer"; flow:to_client,established; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; fast_pattern:only; content:"-XXaltjvm"; content:"launchjnlp"; nocase; metadata:service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16584; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer orphan DOM objects memory corruption attempt"; flow:to_client,established; file_data; content:"createElement"; nocase; content:"appendChild"; within:50; nocase; content:"innerHTML"; within:100; nocase; pcre:"/(?P<first>\S+)\x2EappendChild\x28\s*(?P<second>\S+)\s*\x29.*(?P=second)\x2E\S+\s*\x3D\s*(?P=first)\x2E\S+/is"; pcre:"/(\S+)\x2EappendChild[^\x7D]+\1\x2EinnerHTML\s*\x3D\s*\x27{2}/i"; metadata:service http; reference:cve,2009-3674; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16330; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 DOM memory corruption attempt"; flow:to_client,established; file_data; content:"http-equiv=|22|X-UA-Compatible|22|"; fast_pattern:only; content:"content|3D 22|IE|3D|8|22|"; nocase; pcre:"/var\s*(?P<element>\w*?)\s*\x3D\s*document\x2EgetElementById.*?(?P=element)\x2EparentNode\x2EremoveChild\x28(?P=element)\x29/smi"; metadata:service http; reference:cve,2009-3671; reference:cve,2010-0245; reference:cve,2010-0246; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16326; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer mouse move during refresh memory corruption attempt"; flow:to_client,established; file_data; content:"protected void Page_Load|28|object sender, EventArgs e|29|"; content:"StreamReader sr = File.OpenText|28|Server.MapPath|28 22|default.html|22 29 29|"; metadata:service http; reference:cve,2009-3673; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16317; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer indexing service malformed parameters"; flow:to_client,established; file_data; content:"SetQueryFromURL"; nocase; content:"%%"; within:100; pcre:"/SetQueryFromURL\((?P<q1>\x22|\x27|)[^\)]*\x25{2,}[^\)]*(?P=q1)\)/smi"; metadata:service http; reference:cve,2009-2507; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-057; classtype:attempted-user; sid:16155; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer table layout unitialized or deleted object access attempt"; flow:to_client,established; file_data; content:"<span style=|22|position|3A| absolute|3B|writing-mode|3A| bt-rl|22|>"; nocase; content:"<table style=|22|float|3A|left|3B 22|>"; within:60; nocase; content:"</table>"; within:20; nocase; content:"</span>"; within:40; nocase; metadata:service http; reference:cve,2009-2531; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:misc-activity; sid:16152; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer uninitialized or deleted object access attempt"; flow:to_client,established; file_data; content:"createEventObject"; fast_pattern:only; pcre:"/(\w+)\s*\x3D\s*\w+\x2EcreateEventObject.*\1\x2E(Type|PropertyName|Qualifier|SrcUrn|origin).*\x2EcreateEventObject\s*\x28\s*\1\s*\x29/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2530; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:misc-activity; sid:16151; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"Content-Encoding|3A|deflate"; nocase; content:"|5C|Content-Range|3A 0D 0A 0D 0A 0D 0A 09| |09 09| |09| |09 09 09 09 09| |09 09| |09| |09 09| |09 09| |09 09 09| |09| |09| |09| |09| |09 09 09| |09 09| |09| |09 09 09| |09| |09| |09| |09 09 09 09 09 09| |09 09| |09|"; fast_pattern:only; metadata:service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:16149; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer html tag memory corruption attempt"; flow:to_client,established; file_data; content:"|09 09|pre {|0A 09 09 09|white-space|3A|normal|3B 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17468; reference:cve,2006-1188; classtype:attempted-dos; sid:16043; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer URL canonicalization address bar spoofing attempt"; flow:to_client,established; file_data; content:"%01@"; pcre:"/http\x3A\x2f\x2f[^\r\n]+\x2501\x40/smi"; metadata:service http; reference:cve,2003-1025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-004; classtype:misc-activity; sid:15933; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer popup window object tag code execution attempt"; flow:to_client,established; file_data; content:"window.createPopup|28 29|"; content:"oPopup.document.body.innerHTML"; distance:0; content:"<object data=ouch.php>"; distance:0; metadata:service http; reference:cve,2003-0838; classtype:attempted-user; sid:15880; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onreadystatechange memory corruption attempt"; flow:to_client,established; file_data; content:"doc.replaceChild|28|doc,doc|29|"; nocase; content:"doc.removeChild|28|doc,doc|29|"; distance:0; nocase; content:"onreadystatechange"; distance:0; nocase; metadata:service http; reference:cve,2009-1531; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:misc-attack; sid:15538; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer setCapture heap corruption exploit attempt"; flow:to_client,established; file_data; content:"setCapture"; pcre:"/document\x2eall\x28.*?\x29\x2esetCapture\x28/s"; metadata:service http; reference:cve,2009-1529; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:attempted-user; sid:15535; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer XML HttpRequest race condition exploit attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; content:"Microsoft.XMLHTTP"; within:30; content:"setInterval"; within:100; pcre:"/function\s+([a-z0-9_]+)\s*\x28.*?ActiveXObject\s*\x28\s*\x22Microsoft\.XMLHTTP\x22\s*\x29.*?setInterval\s*\x28\s*\x22\1/smi"; metadata:service http; reference:cve,2009-1528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:attempted-user; sid:15534; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Unexpected method call remote code execution attempt"; flow:to_client,established; file_data; content:"clearAttributes"; nocase; pcre:"/(\w+)\.insertCell.*\1\.deleteCell.*\1\.clearAttributes/smi"; metadata:service http; reference:cve,2009-1141; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:attempted-user; sid:15531; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cross-domain navigation cookie stealing attempt"; flow:to_client,established; file_data; content:"setInterval|28|'xDomainAccess|28 29|',1|29 3B|"; nocase; content:"setInterval|28 22|try { myWindow.location.href = victimLnk|3B|}"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2007-3091; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:misc-attack; sid:15529; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer ActiveX load/unload race condition attempt"; flow:to_client,established; file_data; content:"window.open"; nocase; content:"document.body.innerHTML"; distance:1; content:"<embed"; distance:1; nocase; content:"setInterval"; distance:1; pcre:"/setInterval\s*\x28.+?\x2c\s*[0-9]{1,2}\s*\x29/s"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:15460; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted/unitialized object memory corruption attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"var arr1=new Array"; distance:1; content:"history.go|28|arr1[1]|29|"; distance:1; content:"arr1[i] += temp"; distance:1; content:"</script"; distance:1; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0552; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:15459; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer navigating between pages race condition attempt"; flow:to_client,established; file_data; content:"function set_timers|28 29|"; content:"setInterval|28|'flip_page|28 29|'"; within:40; metadata:service http; reference:cve,2009-0551; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:15458; rev:7;)
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer MSXML DLL memory corruption attempt"; flow:to_client,established; content:"application/xml"; pcre:"/(<[^>]+>)\1{19}/"; metadata:policy max-detect-ips drop; reference:cve,2007-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-069; classtype:attempted-dos; sid:15012; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer XSS mouseevent PII disclosure attempt"; flow:to_client,established; file_data; content:"setcapture|28 29|"; fast_pattern:only; content:"onclick="; nocase; content:"event"; nocase; content:"srcelement."; distance:0; nocase; pcre:"/(?P<divname>\w+)\x2esetcapture\x28\x29.*?<div[^\x3e]*?(?P=divname)[^\x3e]*?onclick\x3d/smi"; metadata:service http; reference:cve,2008-3473; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:web-application-activity; sid:14656; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer XHTML element memory corruption attempt"; flow:to_client,established; file_data; content:"createElement"; nocase; pcre:"/(\w+)\s*\x3D\s*document\x2EcreateElement.*(\w+)\s*\x3D\s*document\x2EcreateElement.*\1\x2EappendChild\x28\2\x29.*appendChild\x28\1\x29/smi"; metadata:service http; reference:cve,2008-2257; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-045; classtype:attempted-user; sid:13974; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption attempt"; flow:to_client,established; file_data; content:"<span"; nocase; content:"id="; within:25; nocase; content:"document.write("; within:50; content:"<div>a"; within:10; fast_pattern; nocase; content:".innerHTML"; within:100; metadata:policy max-detect-ips drop, service http; reference:cve,2008-2254; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-045; classtype:attempted-user; sid:13964; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer argument validation in print preview handling exploitation attempt"; flow:to_client,established; file_data; content:"|2E|ExecWB"; fast_pattern:only; pcre:"/\x2eExecWB\s*\x28(IDM_PRINTPREVIEW|7)\x2c\s+(0|2)\x2C\s+[\x22\x27]http/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30612; reference:cve,2008-2259; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-045; classtype:attempted-user; sid:13963; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer MHTML zone control bypass attempt"; flow:to_client,established; file_data; content:"mhtml|3A|"; nocase; content:"Content-Transfer-Encoding"; nocase; content:"base64"; within:10; nocase; pcre:"/(PHNjcmlw|c2NyaXB0|Y3JpcHQ+|Y3JpcHQ\x252B)/Rsi"; metadata:service http; reference:cve,2008-1448; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-048; classtype:attempted-user; sid:13962; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer table layout access violation vulnerability"; flow:to_client,established; file_data; content:"|2E|getClientRects|28 29|"; nocase; content:"|2E|clearAttributes|28 29|"; within:50; nocase; metadata:service http; reference:cve,2008-2258; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-045; classtype:misc-attack; sid:13961; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer static text range overflow attempt"; flow:to_client,established; file_data; content:"createTextRange"; content:"while|28 31 29|"; within:200; content:"text ="; within:200; metadata:policy max-detect-ips drop, service http; reference:cve,2008-2255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-045; classtype:attempted-user; sid:13960; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer isComponentInstalled attack attempt"; flow:to_client,established; file_data; content:"isComponentInstalled|28|boom"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16870; reference:cve,2006-1016; classtype:attempted-user; sid:13912; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DXLUTBuilder ActiveX function call unicode access"; flow:to_client,established; file_data; content:"D|00|X|00|T|00|r|00|a|00|n|00|s|00|f|00|o|00|r|00|m|00|.|00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|.|00|D|00|X|00|L|00|U|00|T|00|B|00|u|00|i|00|l|00|d|00|e|00|r|00|"; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)D\x00X\x00T\x00r\x00a\x00n\x00s\x00f\x00o\x00r\x00m\x00.\x00M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00.\x00D\x00X\x00L\x00U\x00T\x00B\x00u\x00i\x00l\x00d\x00e\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)D\x00X\x00T\x00r\x00a\x00n\x00s\x00f\x00o\x00r\x00m\x00.\x00M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00.\x00D\x00X\x00L\x00U\x00T\x00B\x00u\x00i\x00l\x00d\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-010; classtype:attempted-user; sid:13456; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DXLUTBuilder ActiveX clsid unicode access"; flow:to_client,established; file_data; content:"1|00|e|00|5|00|4|00|3|00|3|00|3|00|b|00|-|00|2|00|a|00|0|00|0|00|-|00|1|00|1|00|d|00|1|00|-|00|8|00|1|00|9|00|8|00|-|00|0|00|0|00|0|00|0|00|f|00|8|00|7|00|5|00|5|00|7|00|d|00|b|00|"; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-010; classtype:attempted-user; sid:13454; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DXLUTBuilder ActiveX clsid access"; flow:to_client,established; file_data; content:"1e54333b-2a00-11d1-8198-0000f87557db"; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1e54333b-2a00-11d1-8198-0000f87557db\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-010; classtype:attempted-user; sid:13453; rev:12;)
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows ShellExecute and Internet Explorer 7 url handling code execution attempt"; flow:to_client,established; content:"BEGIN|3A|VCARD"; fast_pattern:only; pcre:"/^URL\x3b\w+\x3amailto\x3a[^\n]*%[^\n]*\.(cmd|bat)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:12664; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt"; flow:to_client,established; file_data; content:"vmlframe"; nocase; content:"urn:schemas-microsoft-com:vml"; fast_pattern:only; pcre:"/<(?P<t>[\w\x2D\x2E]+)\x3A[^>]+>.*?<(?P=t)\x3Avmlframe\s+[^>]*src\s*=\s*(?P<q>\x22|\x27)[\w\x25\x2D\x2E\x2F\x3A]+\x2E\w{2,4}(?P=q)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25310; reference:cve,2007-1749; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-050; classtype:attempted-user; sid:12282; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt"; flow:to_client,established; file_data; content:"stroke"; nocase; content:"urn:schemas-microsoft-com:vml"; fast_pattern:only; pcre:"/<(?P<t>[\w\x2D\x2E]+)\x3A[^>]+>.*?<(?P=t)\x3Astroke\s+[^>]*src\s*=\s*(?P<q>\x22|\x27)[\w\x25\x2D\x2E\x2F\x3A]+\x2E\w{2,4}(?P=q)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25310; reference:cve,2007-1749; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-050; classtype:attempted-user; sid:12281; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS memory corruption exploit"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; content:"text/css"; within:20; nocase; http_header; pcre:!"/^Content-encoding\x3A\s*(gzip|compress)/Him"; pcre:"/\x7D\s*\/[^\/\x2A]/H"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0943; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12277; rev:19;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer navcancl.htm url spoofing attempt"; flow:to_client,established; file_data; content:"about|3A|cancel|23|"; nocase; metadata:service http; reference:bugtraq,22966; reference:cve,2007-1499; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:misc-attack; sid:12014; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt"; flow:to_client,established; file_data; content:"<colgroup "; fast_pattern:only; pcre:"/<colgroup\s+[^>]*id\s*=\s*(?P<q1>\x22|\x27|)(?P<q2>\w+)(?P=q1)[^>]*>.*\s+(?P=q2)(\.delete)|(\.test)/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23771; reference:cve,2007-0944; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:attempted-user; sid:11257; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer mhtml uri shortcut buffer overflow attempt"; flow:to_client,established; file_data; content:"URL"; nocase; content:"mhtml|3A|//"; distance:0; nocase; pcre:"/^\s*URL\s*=\s*mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\r\n]{1253}/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,18198; reference:cve,2006-2766; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-043; classtype:attempted-user; sid:6510; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer blnmgr clsid access attempt"; flow:to_client,established; file_data; content:"clsid:3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-038; classtype:attempted-user; sid:4134; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer devenum clsid access attempt"; flow:to_client,established; file_data; content:"clsid:083863F1-70DE-11d0-BD40-00A0C911CE86"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-038; classtype:attempted-user; sid:4133; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer msdds clsid access attempt"; flow:to_client,established; file_data; content:"clsid:EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14594; reference:cve,2005-1990; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-038; reference:url,www.frsirt.com/english/advisories/2005/1450; classtype:attempted-user; sid:4132; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13941; reference:cve,2005-1211; reference:cve,2012-4170; reference:nessus,18490; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-025; classtype:attempted-user; sid:3689; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer bitmap BitmapOffset multipacket integer overflow attempt"; flow:to_client,established; flowbits:isset,file.bmp; file_data; content:"BM"; pcre:"/^BM/sm"; byte_test:4,>,2147480000,8,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,9663; reference:cve,2004-0566; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-025; classtype:attempted-user; sid:3685; rev:14;)
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer spoofed MIME-Type auto-execution attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; content:"audio/"; fast_pattern; nocase; http_header; pcre:"/Content-Type\x3A\s+audio\/(x-wav|mpeg|x-midi)/iH"; content:"filename="; nocase; http_header; pcre:"/filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)/Hi"; metadata:service http; reference:bugtraq,2524; reference:cve,2001-0154; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-020; classtype:attempted-admin; sid:3683; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM null DHTML element insertion attempt"; flow:to_client,established; file_data; content:"NULL"; pcre:"/(insertBefore|insertAfter|appendChild)\(\s*NULL\s*\)/sm"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:3553; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Content-Encoding overflow attempt"; flow:to_server,established; content:"Content-Encoding"; nocase; content:"|3A|"; distance:0; pcre:"/^\s*Content-Encoding\s*\x3A\s*[^\r\n]{300}/mi"; metadata:ruleset community, service smtp; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-015; classtype:attempted-admin; sid:3462; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer malformed object type overflow attempt"; flow:to_client,established; file_data; content:"object"; nocase; content:"type"; within:200; nocase; content:"////////////////////////////////"; fast_pattern:only; pcre:"/object\s[^>]*type\s*=\s*[\x22\x27][^\x22\x27]*\x2f{32}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2003-0344; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-020; classtype:attempted-user; sid:3149; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer bitmap BitmapOffset integer overflow attempt"; flow:to_client,established; flowbits:isset,file.bmp; file_data; content:"BM"; byte_test:4,>,2147480000,8,relative,little; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,9663; reference:cve,2004-0566; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-025; classtype:attempted-user; sid:2671; rev:18;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"ele1.addEventListener( |27|DOMNodeRemoved|27|, eHandler, false )"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26988; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"<rect id="; nocase; content:"clip-path=|22 22|/>"; within:25; nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27101; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"<rect id="; nocase; content:"clip-path=|22 22|/>"; within:25; nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27100; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer file type spoofing attempt"; flow:to_client,established; file_data; content:".html."; fast_pattern; nocase; content:"document.execCommand"; nocase; content:"SaveAs"; within:8; nocase; pcre:"/document\x2eexecCommand\s*\x28\s*\x22SaveAs\x22\s*,[^,]*,\s*[\x22\x27][^\x22\x27]*\x2e(bat|exe|js)/smi"; metadata:service http; reference:bugtraq,11686; reference:cve,2004-1331; classtype:bad-unknown; sid:27063; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_server,established; file_data; content:".innerHTML"; nocase; content:"document.body.appendChild|28|"; distance:0; content:"CollectGarbage()"; distance:0; nocase; content:"setTimeout|28|"; distance:0; nocase; content:"onload='setTimeout"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27062; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:".innerHTML"; nocase; content:"document.body.appendChild|28|"; distance:0; content:"CollectGarbage()"; distance:0; nocase; content:"setTimeout|28|"; distance:0; nocase; content:"onload='setTimeout"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27061; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt"; flow:to_server,established; file_data; content:"<table"; nocase; content:"<td"; distance:0; content:".getElementsByTagName("; content:"column-count"; distance:0; pcre:"/var\s*(?P<var>\w+)\s*=\s*\w+\.getElementsByTagName\(\s*[\x22\x27]td[\x22\x27]\s*\)\.item(\(\s*0\s*\)|\.first)\s*\x3b.*?(?P=var)\.style\.(column-count\s*=|setAttribute\s*\(\s*[\x22\x27]column-count[\x22\x27]\s*,)\s*[\x22\x27]?(0x)?[a-f\d]{8}/msi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3146; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27157; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt"; flow:to_client,established; file_data; content:"<table"; nocase; content:"<td"; distance:0; content:".getElementsByTagName("; content:"column-count"; distance:0; pcre:"/var\s*(?P<var>\w+)\s*=\s*\w+\.getElementsByTagName\(\s*[\x22\x27]td[\x22\x27]\s*\)\.item(\(\s*0\s*\)|\.first)\s*\x3b.*?(?P=var)\.style\.(column-count\s*=|setAttribute\s*\(\s*[\x22\x27]column-count[\x22\x27]\s*,)\s*[\x22\x27]?(0x)?[a-f\d]{8}/msi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3146; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27156; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer pElement member use after free attempt"; flow:to_client,established; file_data; content:".removeChild(document.getElementsByTagName("; nocase; content:"bdo"; within:10; nocase; content:"CollectGarbage()"; within:200; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-3145; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27154; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt"; flow:to_server,established; file_data; content:"function"; nocase; content:"document.write"; within:50; nocase; content:"onbeforeeditfocus="; within:100; nocase; content:"<input"; within:25; nocase; content:"</input>"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27149; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt"; flow:to_client,established; file_data; content:"function"; nocase; content:"document.write"; within:50; nocase; content:"onbeforeeditfocus="; within:100; nocase; content:"<input"; within:25; nocase; content:"</input>"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27148; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 IE5 compatibility mode use after free attempt"; flow:established,to_client; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; fast_pattern:only; content:"event.srcElement.parentNode.removeChild|28|"; content:"document.body.appendChild|28|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-3144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-admin; sid:27147; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_server,established; file_data; content:"document.body.innerHTML"; nocase; content:"document.styleSheets[0].cssText"; within:250; nocase; content:"document.body.innerHTML"; within:250; nocase; content:"onload="; within:250; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27138; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"document.body.innerHTML"; nocase; content:"document.styleSheets[0].cssText"; within:250; nocase; content:"document.body.innerHTML"; within:250; nocase; content:"onload="; within:250; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27137; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use after free attempt"; flow:to_client,established; file_data; content:".createTHead"; content:".insertAdjacentHTML"; fast_pattern:only; content:".scrollIntoView"; content:".insertRow"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-3152; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27135; rev:2;)
alert tcp any any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_server,established; file_data; content:"getElementsByTagName|28|"; content:"input"; within:8; content:".height"; distance:0; content:".focus|28 29|"; distance:0; content:"document.body.noWrap"; distance:0; content:".disabled"; distance:0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27134; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_client,established; file_data; content:"getElementsByTagName|28|"; content:"input"; within:8; content:".height"; distance:0; content:".focus|28 29|"; distance:0; content:"document.body.noWrap"; distance:0; content:".disabled"; distance:0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27133; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer PreviousTreePos use after free attempt"; flow:to_client,established; file_data; content:".onpropertychange"; content:".swapNode|28|"; within:64; pcre:"/\.onpropertychange\s*=\s*function[^{]*?\{[^}]*?\w+\.swapNode\x28/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3153; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27132; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 CTreePos use after free attempt"; flow:to_client,established; file_data; content:"appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('progress'))|3B|document.getElementsByTagName"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-3151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27131; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_server,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27130; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_client,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27129; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_server,established; file_data; content:"addEventListener"; nocase; content:"DOMNodeRemoved"; within:50; nocase; content:"document.write"; within:30; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27128; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_client,established; file_data; content:"addEventListener"; nocase; content:"DOMNodeRemoved"; within:50; nocase; content:"document.write"; within:30; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27127; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer setCapture use after free attempt"; flow:to_client,established; file_data; content:".getElementById("; nocase; content:".setCapture("; within:50; fast_pattern; nocase; content:".getElementById("; within:50; nocase; content:".setCapture("; within:50; nocase; content:".getElementById("; within:50; nocase; content:".setCapture("; within:50; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-3150; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27126; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer innerHTML against incomplete element heap corruption attempt"; flow:to_server,established; file_data; content:".innerHTML"; fast_pattern:only; content:"<script"; nocase; pcre:"/<(?P<elem>\w+)\s[^>]*?(id|name)=\s*?(?P<q1>\x22|\x27|)\s*?(?P<id1>\w+)\s*?(?P=q1)[^>]*?(?<!\x2f)>(?!.*?<\x2f(?P=elem)>).*?<script(?=.*?(?P=id1)\.innerHTML(\x2b{2}|\s*?=\s*?(\x22|\x27){2}))/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,39031; reference:cve,2010-0490; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:27222; rev:4;)
|
|
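# sid 27221 (disabled) -- CVE-2012-2522 (MS12-052), vtable corruption via select/marquee/span + removeNode,
# SMTP variant of sid 27220. Fast pattern is the "<MARQUEE" tag; the PCRE then ties the select, marquee and
# span ids through focus() / innerHTML / removeNode(true) / execCommand("selectAll").
# LOCAL CHANGE (rev 2 -> 3): added nocase to the "<MARQUEE" content. The original match was case-sensitive
# while the PCRE behind it is /i, so a lower-case <marquee> -- which the browser treats identically -- never
# reached the PCRE at all. nocase is allowed together with fast_pattern:only; nothing else changed.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt"; flow:to_server,established; file_data; content:"<MARQUEE"; nocase; fast_pattern:only; content:".removeNode"; nocase; content:"document.execCommand"; nocase; content:"selectAll"; within:15; nocase; pcre:"/select\s*?id\s*?=[\x22\x27](?P<badelem>\w+).*?<\s*?marquee\s*?id\s*?=\s*?[\x22\x27](?P<badelem2>\w+).*?<\s*?span\s*?id\s*?=[\x22\x27](?P<badelem3>\w+)[\x22\x27].*?[\x22\x27](?P=badelem)[\x22\x27]\x29\s*?\.focus\x28\x29.*?(?P=badelem3)\.innerHTML.*?[\x22\x27](?P=badelem2)[\x22\x27]\x29\s*?\.removeNode\x28\s*?true\x29.*?document\.execCommand\x28[\x22\x27]selectAll/smi"; metadata:policy security-ips drop, service smtp; reference:bugtraq,54951; reference:cve,2012-2522; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:27221; rev:3;)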
|
|
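# sid 27220 (disabled) -- CVE-2012-2522 (MS12-052), vtable corruption via select/marquee/span + removeNode,
# client-side delivery over $FILE_DATA_PORTS. Same PCRE as the SMTP sibling sid 27221.
# LOCAL CHANGE (rev 3 -> 4): added nocase to "<MARQUEE" (case-sensitive fast pattern in front of a /i PCRE
# meant a lower-case <marquee> was never evaluated) and to .removeNode / document.execCommand / selectAll so
# the content chain matches the SMTP sibling exactly. The JS member names are case-sensitive in practice, so
# those two only add tolerance; selectAll matters because execCommand command names are conventionally
# accepted case-insensitively.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt"; flow:to_client,established; file_data; content:"<MARQUEE"; nocase; fast_pattern:only; content:".removeNode"; nocase; content:"document.execCommand"; nocase; content:"selectAll"; within:15; nocase; pcre:"/select\s*?id\s*?=[\x22\x27](?P<badelem>\w+).*?<\s*?marquee\s*?id\s*?=\s*?[\x22\x27](?P<badelem2>\w+).*?<\s*?span\s*?id\s*?=[\x22\x27](?P<badelem3>\w+)[\x22\x27].*?[\x22\x27](?P=badelem)[\x22\x27]\x29\s*?\.focus\x28\x29.*?(?P=badelem3)\.innerHTML.*?[\x22\x27](?P=badelem2)[\x22\x27]\x29\s*?\.removeNode\x28\s*?true\x29.*?document\.execCommand\x28[\x22\x27]selectAll/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,54951; reference:cve,2012-2522; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:27220; rev:4;)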
|
|
# sid 27531 (disabled) -- IE9/10 information disclosure through JSON.stringify(new Array(...)). Requires a
# "new Array(" and a "JSON.stringify(new Array(" whose argument is not closed by ")" within the next 6 bytes
# (i.e. a non-trivial length expression). Referenced only by a blog post -- no CVE or bulletin -- and alert
# only with no drop policy; HTTP only. Case-sensitive, which is correct for JavaScript identifiers.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 and 10 information disclosure attempt"; flow:to_client,established; file_data; content:"new Array("; content:"JSON.stringify(new Array("; content:!")"; within:6; metadata:service http; reference:url,hi.baidu.com/yuange1975/item/0a468218d147f4cd39cb30d0; classtype:attempted-user; sid:27531; rev:2;)
|
|
# sid 27620 -- CVE-2013-3191 (MS13-059), merged stylesheet array use-after-free. Anchors on createStyleSheet,
# .sheet and .removeRule (fast pattern, within 50 of .sheet); the PCRE then requires a function whose body
# (no nested braces, [^\}]*?) contains both a getElement(s)By* call and sheet.removeRule(x) in either order,
# followed by an invocation of that same function by name (?P=n). /si flags, whitespace-tolerant.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer merged stylesheet array use after free attempt"; flow:to_client,established; file_data; content:"createStyleSheet"; content:".sheet"; content:".removeRule"; within:50; fast_pattern; pcre:"/function\s+(?P<n>\w+)\s*\([^\)]*?\)\s*\{[^\}]*?\x2e\s*(getElement[s]*ByTagName[^\}]*?sheet\s*\x2e\s*removeRule\s*\(\s*\w\s*\)|sheet\s*\x2e\s*removeRule\s*\(\s*\w\s*\)[^\}]*?\x2e\s*getElement[s]*ByTagName)[^\}]*?(?P=n)\s*\(/si"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3191; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-059; classtype:attempted-user; sid:27620; rev:3;)
|
|
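# sid 27619 -- CVE-2013-3181 (MS13-060), usp10.dll Bengali font stack overrun, SMTP variant of sid 27618.
# The hex fast pattern is a run of UTF-8 E2 80 8C (U+200C ZERO WIDTH NON-JOINER): at least seven consecutive
# ZWNJ characters. The charset content is matched in file_data, so the "charset=UTF-8" must be declared in
# the document itself (e.g. a <meta>); a charset carried only in the transport headers does not satisfy it.
# LOCAL CHANGE (rev 3 -> 4): added nocase to "charset=UTF-8" -- charset names are case-insensitive and the
# lower-case "charset=utf-8" spelling is the common one, so the original exact match missed it.
# MS13-060 is a remote-code-execution bulletin; classtype attempted-dos may understate severity -- review.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 6 usp10.dll Bengali font stack overrun attempt"; flow:to_server,established; file_data; content:"charset=UTF-8"; nocase; content:"|8C E2 80 8C E2 80 8C E2 80 8C E2 80 8C E2 80 8C E2 80 8C E2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3181; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-060; classtype:attempted-dos; sid:27619; rev:4;)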
|
|
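# sid 27618 -- CVE-2013-3181 (MS13-060), usp10.dll Bengali font stack overrun, client-side delivery over
# $FILE_DATA_PORTS. The hex fast pattern is a run of UTF-8 E2 80 8C (U+200C ZERO WIDTH NON-JOINER), i.e. at
# least seven consecutive ZWNJ characters. The charset content is matched in file_data, so the charset must
# be declared in the document body (e.g. <meta>); an HTTP Content-Type charset alone does not satisfy it.
# LOCAL CHANGE (rev 4 -> 5): added nocase to "charset=UTF-8" -- charset names are case-insensitive and
# "charset=utf-8" is the common spelling, so the original exact match missed it.
# MS13-060 is a remote-code-execution bulletin; classtype attempted-dos may understate severity -- review.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 6 usp10.dll Bengali font stack overrun attempt"; flow:to_client,established; file_data; content:"charset=UTF-8"; nocase; content:"|8C E2 80 8C E2 80 8C E2 80 8C E2 80 8C E2 80 8C E2 80 8C E2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3181; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-060; classtype:attempted-dos; sid:27618; rev:5;)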
|
|
# sid 27614 -- CVE-2013-3193 (MS13-059), CElement use-after-free, SMTP variant of sid 27613.
# Sequence: execCommand("SelectAll") -> execCommand("RemoveFormat") within 200 -> getElementsByTagName("tbody")
# within 200 -> ".innerHTML =" starting 5 bytes after the tag name. The offsets are tuned to one PoC layout:
# the final content needs exactly one space before "=", and distance:5 fixes the five bytes that follow the
# tag name (e.g. ")[0]), so reformatting or an intermediate variable evades this sid.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CElement use-after-free attempt"; flow:to_server,established; file_data; content:"document.execCommand"; nocase; content:"SelectAll"; within:9; distance:2; nocase; content:"document.execCommand"; within:200; content:"RemoveFormat"; within:12; distance:2; nocase; content:"document.getElementsByTagName"; within:200; nocase; content:"tbody"; within:5; distance:2; nocase; content:".innerHTML ="; within:12; distance:5; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3193; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-059; classtype:attempted-user; sid:27614; rev:1;)
|
|
# sid 27613 -- CVE-2013-3193 (MS13-059), CElement use-after-free, client-side delivery over $FILE_DATA_PORTS.
# Same chain as sid 27614: SelectAll -> RemoveFormat (within 200) -> getElementsByTagName("tbody") (within
# 200) -> ".innerHTML =" at a fixed 5-byte offset. Byte-exact spacing around "=" and the fixed distance make
# this a narrow, PoC-shaped signature; the execCommand names are nocase, the JS member names are not.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement use-after-free attempt"; flow:to_client,established; file_data; content:"document.execCommand"; nocase; content:"SelectAll"; within:9; distance:2; nocase; content:"document.execCommand"; within:200; content:"RemoveFormat"; within:12; distance:2; nocase; content:"document.getElementsByTagName"; within:200; nocase; content:"tbody"; within:5; distance:2; nocase; content:".innerHTML ="; within:12; distance:5; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3193; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-059; classtype:attempted-user; sid:27613; rev:2;)
|
|
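# sid 27612 -- CVE-2013-3194 (MS13-059), CMarkupPointer use-after-free involving SVG. Fast pattern is the
# literal document.createRange() (case-sensitive, no whitespace inside the parens); then setStart ->
# insertNode (within 40) -> insertNode (within 25) -> setStart (within 25) -> document.write (within 40),
# all nocase, plus an <svg tag anywhere in the body.
# LOCAL CHANGE (rev 3 -> 4): added nocase to "<svg". HTML tag names are case-insensitive to the parser, so
# "<SVG" would otherwise slip past the only markup check in the rule; the change only widens coverage.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CMarkupPointer with SVG use-after-free attempt"; flow:to_client,established; file_data; content:"document.createRange()"; fast_pattern:only; content:"setStart"; nocase; content:"insertNode"; within:40; nocase; content:"insertNode"; within:25; nocase; content:"setStart"; within:25; nocase; content:"document.write"; within:40; nocase; content:"<svg"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3194; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-059; classtype:attempted-user; sid:27612; rev:4;)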
|
|
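# sid 27608 -- CVE-2013-3189 (MS13-059), CTreeNode CSS text-overflow issue. Matches the exact CSS fragment
# text-overflow:ellipsis;overflow-x:hidden (nocase, but no whitespace tolerance and fixed property order)
# followed within 100 bytes by an onload=" attribute. Any spacing or reordering of the CSS evades it.
# LOCAL CHANGE (rev 2 -> 3): added nocase to the onload=" content -- HTML attribute names are
# case-insensitive, and the CSS content in the same rule is already nocase.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode object CSS text overflow attempt"; flow:to_client,established; file_data; content:"text-overflow|3A|ellipsis|3B|overflow-x|3A|hidden"; nocase; content:"onload=|22|"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3189; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-059; classtype:attempted-dos; sid:27608; rev:3;)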
|
|
# sid 27607 -- CVE-2013-3187 (MS13-059), content-generation use-after-free. Checks .setAttribute(, an <svg>
# tag followed by two " id=" attributes (within 30 bytes each), and surroundContents( as the fast pattern;
# a second, nocase surroundContents( search then re-anchors a relative document.getElementById( match
# within 24 bytes. The fast-pattern content is case-sensitive, which is fine for a JS method name.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer content generation use after free attempt"; flow:to_client,established; file_data; content:".setAttribute("; content:"<svg>"; nocase; content:" id="; within:30; nocase; content:" id="; within:30; nocase; content:"surroundContents("; fast_pattern:only; content:"surroundContents("; nocase; content:"document.getElementById("; within:24; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3187; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-059; classtype:attempted-user; sid:27607; rev:2;)
|
|
# sid 27606 -- CVE-2013-3199 (MS13-059), CSelectionManager use-after-free. document.write( followed within
# 100 bytes by .className=" (no whitespace tolerated around "="), plus execCommand("Undo") anywhere in the
# body as the fast pattern. Note classtype attempted-admin, unlike the attempted-user used by the other IE
# use-after-free sids here; IE renders in the user's context, so this looks like an inconsistency rather
# than a deliberate severity bump -- confirm before relying on priority-based triage.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSelectionManager use after free attempt"; flow:to_client,established; file_data; content:"document.write|28|"; nocase; content:".className=|22|"; within:100; nocase; content:"document.execCommand|28 22|Undo|22 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3199; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-059; classtype:attempted-admin; sid:27606; rev:2;)
|
|
# sid 27605 -- CVE-2013-3188 (MS13-059), TreeNode use-after-free via style.unicodeBidi (fast pattern).
# document.body.innerHTML must also appear; the PCRE then follows one variable from
# var X = document.createElement through X.innerHTML = "" or "?" ; ... appendChild(X) ... X.style.unicodeBidi.
# Variable-name agnostic, /ims; the empty-or-"?" innerHTML value is the only literal the PCRE insists on.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer TreeNode use after free attempt"; flow:to_client,established; file_data; content:"style.unicodeBidi"; fast_pattern:only; content:"document.body.innerHTML"; nocase; pcre:"/var\s*(?P<obj>\w+)\s*=\s*document\.createElement.*?(?P=obj)\.innerHTML\s*=\s*"\??"\s*\x3b.*?\w+\.appendChild\(\s*(?P=obj)\s*\).*?(?P=obj)\.style\.unicodeBidi/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3188; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-059; classtype:attempted-user; sid:27605; rev:2;)
|
|
# sid 27663 (disabled) -- CVE-2012-1873 (MS12-037), IE9 memory disclosure. Looks for event.data.replace(
# (fast pattern) with a /\0/g regex within 10 bytes, a .postMessage( carrying a "\0" within 25 bytes, and an
# X-UA-Compatible directive anywhere in the body. HTTP only, alert only (no drop policy), disabled by default.
# The replace/postMessage pairing is specific enough that enabling it should be low-noise.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 memory disclosure attempt"; flow:to_client,established; file_data; content:"event.data.replace("; fast_pattern; nocase; content:"/|5C|0/g"; within:10; content:".postMessage("; nocase; content:"|5C|0"; within:25; content:"X-UA-Compatible"; metadata:service http; reference:bugtraq,53844; reference:cve,2012-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-recon; sid:27663; rev:2;)
|
|
# sid 27717 -- CVE-2013-0026 (MS13-009), IE9 deleted-object memory corruption, SMTP variant of sid 27716.
# Nine chained contents with tight within/distance values (onload= +1 byte -> execCommand("Justify ->
# <script> -> execCommand("SelectAll -> </script> -> <select> -> <script> -> execCommand("Justify) reproduce
# one public PoC's layout; re-spacing the markup or using single quotes around the command names evades it.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_server,established; file_data; content:"onload="; nocase; content:"execCommand|28 22|Justify"; within:30; distance:1; nocase; content:"<script>"; within:45; nocase; content:"execCommand|28 22|SelectAll"; within:32; nocase; content:"</script>"; within:12; nocase; content:"<select>"; within:82; nocase; content:"<script>"; within:25; nocase; content:"execCommand|28 22|Justify"; within:50; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57832; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:27717; rev:1;)
|
|
# sid 27716 -- CVE-2013-0026 (MS13-009), IE9 deleted-object memory corruption, client-side delivery over
# $FILE_DATA_PORTS. Identical content chain to sid 27717: the within/distance values are fitted to one PoC's
# exact markup layout (e.g. exactly one byte between onload= and execCommand), so this is high-confidence but
# narrow; reformatted or obfuscated variants are not covered.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"onload="; nocase; content:"execCommand|28 22|Justify"; within:30; distance:1; nocase; content:"<script>"; within:45; nocase; content:"execCommand|28 22|SelectAll"; within:32; nocase; content:"</script>"; within:12; nocase; content:"<select>"; within:82; nocase; content:"<script>"; within:25; nocase; content:"execCommand|28 22|Justify"; within:50; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57832; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:27716; rev:1;)
|
|
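# sid 27846 -- CVE-2013-3208 (MS13-069), iframe execCommand use-after-free, SMTP variant of sid 27845.
# Header is "any any -> $HOME_NET 25" rather than the "$EXTERNAL_NET any -> $SMTP_SERVERS 25" used by the
# other SMTP rules here, so it also sees internal senders and any HOME_NET host on port 25 -- broader, left
# as-is. Content: <object data= ... onload= within 64, then .contentDocument; followed by two .execCommand(
# calls within 64 bytes of each other.
# LOCAL CHANGE (rev 1 -> 2): added nocase to "<object data=" and "onload=" -- HTML tag and attribute names
# are case-insensitive, so e.g. <OBJECT DATA= / ONLOAD= bypassed the original exact matches. The
# .contentDocument; and .execCommand( checks are JS and stay as written.
alert tcp any any -> $HOME_NET 25 (msg:"BROWSER-IE Microsoft Internet Explorer iframe execCommand use after free attempt"; flow:to_server,established; file_data; content:"<object data="; nocase; content:"onload="; within:64; nocase; content:".contentDocument|3B|"; content:".execCommand|28|"; within:64; nocase; content:".execCommand|28|"; within:64; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3208; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-069; classtype:attempted-user; sid:27846; rev:2;)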
|
|
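# sid 27845 -- CVE-2013-3208 (MS13-069), iframe execCommand use-after-free, client-side delivery over
# $FILE_DATA_PORTS. <object data= ... onload= within 64 bytes, then .contentDocument; followed by two
# .execCommand( calls within 64 bytes of each other. The "<object data=" content still assumes data is the
# first attribute with a single space before it.
# LOCAL CHANGE (rev 1 -> 2): added nocase to "<object data=" and "onload=" -- HTML tag and attribute names
# are case-insensitive, so upper-case variants bypassed the original exact matches.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer iframe execCommand use after free attempt"; flow:to_client,established; file_data; content:"<object data="; nocase; content:"onload="; within:64; nocase; content:".contentDocument|3B|"; content:".execCommand|28|"; within:64; nocase; content:".execCommand|28|"; within:64; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3208; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-069; classtype:attempted-user; sid:27845; rev:2;)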
|
|
# sid 27842 -- CVE-2013-3209 (MS13-069), CSegment use-after-free. Two literal fragments lifted from a public
# PoC: a for="document" event="onreadystatechange">g() script handler (fast pattern) and
# fieldset style="border:expression(f())". Function names (f, g), quoting and attribute order are fixed and
# case-sensitive, so this is a high-confidence but very narrow signature -- renaming f/g evades it entirely.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSegment object use after free attempt"; flow:to_client,established; file_data; content:"for=|22|document|22| event=|22|onreadystatechange|22|>g()"; fast_pattern:only; content:"fieldset style=|22|border:expression(f())"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3209; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-069; classtype:attempted-user; sid:27842; rev:1;)
|
|
# sid 27841 -- CVE-2013-3207 (MS13-069), IE9 MutationEvent use-after-free, HTTP only (no SMTP sibling).
# Two initMutationEvent("DOMNodeRemoved", ...) calls within 200 bytes of each other; the PCRE requires the
# second call to reuse the first call's relatedNode and attrName arguments, with cancelable false/0 and
# attrChange modification/1. Quotes around DOMNodeRemoved are optional in the PCRE but required by the
# content pre-filter. classtype attempted-admin differs from the attempted-user used by the other MS13-069
# sids -- confirm whether that is intentional.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 MutationEvent use after free attempt"; flow:to_client,established; file_data; content:"initMutationEvent("; content:"DOMNodeRemoved"; within:30; content:"initMutationEvent("; within:200; content:"DOMNodeRemoved"; within:30; pcre:"/initMutationEvent\x28\s*[\x22\x27]?DOMNodeRemoved[\x22\x27]?\s*,([^,]+,){2}\s*(?P<relatedNode>[^,]+)\s*,([^,]+,){2}\s*(?P<attrName>[^,]+)\s*,.*?initMutationEvent\x28\s*[\x22\x27]?DOMNodeRemoved[\x22\x27]?\s*,[^,]+,\s*(false|0)\s*,\s*(?P=relatedNode)\s*,([^,]+,){2}\s*(?P=attrName)\s*,\s*(modification|1)\s*\x29/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-3207; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-069; classtype:attempted-admin; sid:27841; rev:5;)
|
|
# sid 27840 -- CVE-2013-3206 (MS13-069), range markup-switch use-after-free, SMTP variant of sid 27839.
# document.createRange( (fast pattern) -> .selectNode( -> .deleteContents( -> .insertNode( -> .reload(, each
# within 50 bytes of the previous, then an <object tag later in the body; the PCRE ties the range variable
# and the selected node across selectNode/deleteContents/insertNode. The 50-byte windows assume compact
# script -- verbose or obfuscated code between the calls evades the content chain.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer range markup switch use after free attempt"; flow:to_server,established; file_data; content:"document.createRange("; fast_pattern; nocase; content:".selectNode("; within:50; nocase; content:".deleteContents("; within:50; nocase; content:".insertNode("; within:50; nocase; content:".reload("; within:50; nocase; content:"<object "; distance:0; nocase; pcre:"/var\s+?(?P<obj>[^\s=\x3b]+?)\s*?=\s*?document\.createRange\(.*?(?P=obj)\.selectNode\(\s*?(?P<sel>[^\s\)\x3b]+?)\s*?\).*?(?P=obj)\.deleteContents\(.*?(?P=obj)\.insertNode\(\s*?(?P=sel)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3206; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-069; classtype:attempted-user; sid:27840; rev:2;)
|
|
# sid 27839 -- CVE-2013-3206 (MS13-069), range markup-switch use-after-free, client-side delivery over
# $FILE_DATA_PORTS. Same chain and PCRE as sid 27840: createRange -> selectNode -> deleteContents ->
# insertNode -> reload (50-byte windows) plus a later <object tag, with the PCRE binding the range and node
# variables. Tolerant of naming, not of long gaps between the calls.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer range markup switch use after free attempt"; flow:to_client,established; file_data; content:"document.createRange("; fast_pattern; nocase; content:".selectNode("; within:50; nocase; content:".deleteContents("; within:50; nocase; content:".insertNode("; within:50; nocase; content:".reload("; within:50; nocase; content:"<object "; distance:0; nocase; pcre:"/var\s+?(?P<obj>[^\s=\x3b]+?)\s*?=\s*?document\.createRange\(.*?(?P=obj)\.selectNode\(\s*?(?P<sel>[^\s\)\x3b]+?)\s*?\).*?(?P=obj)\.deleteContents\(.*?(?P=obj)\.insertNode\(\s*?(?P=sel)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3206; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-069; classtype:attempted-user; sid:27839; rev:2;)
|
|
# sid 27836 -- CVE-2013-3204 (MS13-069), AddOption use-after-free, SMTP variant of sid 27835. Byte-literal
# chain: two getElementsByTagName("select")[0]; within 200, .options.remove(); within 100,
# .getElementsByTagName("option")[0]; within 200, .add( within 100. Double quotes and the literal "[0];"
# indexing are required -- single quotes, whitespace, or an intermediate variable evade.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer AddOption use after free attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagName|28 22|select|22 29 5B|0|5D 3B|"; nocase; content:"document.getElementsByTagName|28 22|select|22 29 5B|0|5D 3B|"; within:200; nocase; content:".options.remove|28 29 3B|"; within:100; nocase; content:".getElementsByTagName|28 22|option|22 29 5B|0|5D 3B|"; within:200; nocase; content:".add|28|"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3204; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-069; classtype:attempted-user; sid:27836; rev:2;)
|
|
# sid 27835 -- CVE-2013-3204 (MS13-069), AddOption use-after-free, client-side delivery over
# $FILE_DATA_PORTS. Same byte-literal chain as sid 27836 (select[0]; twice, .options.remove();,
# option[0];, .add( with 100/200-byte windows). Narrow: tied to the double-quoted, [0]-indexed PoC form.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer AddOption use after free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName|28 22|select|22 29 5B|0|5D 3B|"; nocase; content:"document.getElementsByTagName|28 22|select|22 29 5B|0|5D 3B|"; within:200; nocase; content:".options.remove|28 29 3B|"; within:100; nocase; content:".getElementsByTagName|28 22|option|22 29 5B|0|5D 3B|"; within:200; nocase; content:".add|28|"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3204; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-069; classtype:attempted-user; sid:27835; rev:2;)
|
|
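# sid 27834 -- CVE-2013-3203 (MS13-069), type confusion via Function.prototype.apply on an event handler,
# SMTP variant of sid 27832 (source is "any any", broader than the other SMTP rules). Content: .onfocus; then
# .apply( within 64 with a hex literal "0x" within 5 bytes, plus onload= and onfocus= attributes within 32 of
# each other; the PCRE binds a variable assigned from X.onfocus/X.onload to a later var.apply(0x... within
# one <script> block (tempered dot, can be costly on large scripts). Only hex arguments are covered here --
# the decimal form is handled by sids 28231/28232.
# LOCAL CHANGE (rev 1 -> 2): added nocase to the onload= and onfocus= attribute contents; HTML attribute
# names are case-insensitive and the sibling MS13-088 rules (28523/28524) already treat them that way.
alert tcp any any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer javascript apply method type confusion attempt"; flow:to_server,established; file_data; content:".onfocus|3B|"; nocase; content:".apply|28|"; within:64; nocase; content:"0x"; within:5; content:"onload="; nocase; content:"onfocus="; within:32; nocase; pcre:"/<script((?!<\/script).)*?(var|function)\s*\w+\s*(=\s*function\s*\x28\s*\x29)?((?!<\/script).)*?(var\s*)?(?P<var>\w+)\s*=\s*\w+\.(onfocus|onload)\x3b((?!<\/script).)*?(?P=var)\.apply\x28\s*0x/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3203; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-069; classtype:attempted-user; sid:27834; rev:2;)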
|
|
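# sid 27833 -- CVE-2013-3203 (MS13-069), type confusion via Function.prototype.call on an event handler,
# SMTP variant of sid 27831 (source "any any"). Mirror of sid 27834 with .call( instead of .apply(: .onfocus;
# then .call( within 64 with a hex "0x" argument within 5 bytes, onload=/onfocus= attributes within 32 of
# each other, and a PCRE binding the handler variable to var.call(0x... inside one <script> block. Hex
# arguments only; the decimal form is covered by sids 28231/28232.
# LOCAL CHANGE (rev 1 -> 2): added nocase to the onload= and onfocus= attribute contents (HTML attribute
# names are case-insensitive; consistent with sids 28523/28524).
alert tcp any any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer javascript call method type confusion attempt"; flow:to_server,established; file_data; content:".onfocus|3B|"; nocase; content:".call|28|"; within:64; nocase; content:"0x"; within:5; content:"onload="; nocase; content:"onfocus="; within:32; nocase; pcre:"/<script((?!<\/script).)*?(var|function)\s*\w+\s*(=\s*function\s*\x28\s*\x29)?((?!<\/script).)*?(var\s*)?(?P<var>\w+)\s*=\s*\w+\.(onfocus|onload)\x3b((?!<\/script).)*?(?P=var)\.call\x28\s*0x/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3203; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-069; classtype:attempted-user; sid:27833; rev:2;)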
|
|
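# sid 27832 -- CVE-2013-3203 (MS13-069), type confusion via Function.prototype.apply on an event handler,
# client-side delivery over $FILE_DATA_PORTS. Same contents and PCRE as the SMTP sibling sid 27834:
# .onfocus; -> .apply( (within 64) -> "0x" (within 5), onload=/onfocus= within 32 of each other, and a PCRE
# that binds the handler variable to var.apply(0x... inside a single <script> block. Hex arguments only.
# LOCAL CHANGE (rev 1 -> 2): added nocase to the onload= and onfocus= attribute contents (HTML attribute
# names are case-insensitive; consistent with sids 28523/28524).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer javascript apply method type confusion attempt"; flow:to_client,established; file_data; content:".onfocus|3B|"; nocase; content:".apply|28|"; within:64; nocase; content:"0x"; within:5; content:"onload="; nocase; content:"onfocus="; within:32; nocase; pcre:"/<script((?!<\/script).)*?(var|function)\s*\w+\s*(=\s*function\s*\x28\s*\x29)?((?!<\/script).)*?(var\s*)?(?P<var>\w+)\s*=\s*\w+\.(onfocus|onload)\x3b((?!<\/script).)*?(?P=var)\.apply\x28\s*0x/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3203; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-069; classtype:attempted-user; sid:27832; rev:2;)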
|
|
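# sid 27831 -- CVE-2013-3203 (MS13-069), type confusion via Function.prototype.call on an event handler,
# client-side delivery over $FILE_DATA_PORTS. Same contents and PCRE as the SMTP sibling sid 27833:
# .onfocus; -> .call( (within 64) -> "0x" (within 5), onload=/onfocus= within 32 of each other, and a PCRE
# binding the handler variable to var.call(0x... inside a single <script> block. Hex arguments only.
# LOCAL CHANGE (rev 1 -> 2): added nocase to the onload= and onfocus= attribute contents (HTML attribute
# names are case-insensitive; consistent with sids 28523/28524).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer javascript call method type confusion attempt"; flow:to_client,established; file_data; content:".onfocus|3B|"; nocase; content:".call|28|"; within:64; nocase; content:"0x"; within:5; content:"onload="; nocase; content:"onfocus="; within:32; nocase; pcre:"/<script((?!<\/script).)*?(var|function)\s*\w+\s*(=\s*function\s*\x28\s*\x29)?((?!<\/script).)*?(var\s*)?(?P<var>\w+)\s*=\s*\w+\.(onfocus|onload)\x3b((?!<\/script).)*?(?P=var)\.call\x28\s*0x/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3203; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-069; classtype:attempted-user; sid:27831; rev:2;)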
|
|
# sid 27830 -- CVE-2013-3202 (MS13-069), hgroup DOM reset use-after-free, SMTP variant of sid 27829. Note the
# destination port is "any", not 25, unlike the other SMTP rules in this block. Requires
# getElementsByTagName("hgroup") with double quotes (single quotes evade), a <table> followed within 100
# bytes by <hgroup>, and <section> / <address> tags with no matching close tag in the next 400 bytes --
# the unclosed elements are part of the trigger, not a parser quirk.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"BROWSER-IE Microsoft Internet Explorer hgroup element DOM reset use after free attempt"; flow:to_server,established; file_data; content:"getElementsByTagName(|22|hgroup|22|)"; content:"<table>"; nocase; content:"<hgroup>"; within:100; nocase; content:"<section>"; nocase; content:!"</section>"; within:400; nocase; content:"<address>"; nocase; content:!"</address>"; within:400; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3202; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-069; classtype:attempted-user; sid:27830; rev:1;)
|
|
# sid 27829 -- CVE-2013-3202 (MS13-069), hgroup DOM reset use-after-free, client-side delivery over
# $FILE_DATA_PORTS. Same logic as sid 27830: double-quoted getElementsByTagName("hgroup"), <table> then
# <hgroup> within 100 bytes, and unclosed <section> and <address> elements (no close tag within 400 bytes).
# The getElementsByTagName content is case-sensitive and quote-specific; the markup checks are nocase.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer hgroup element DOM reset use after free attempt"; flow:to_client,established; file_data; content:"getElementsByTagName(|22|hgroup|22|)"; content:"<table>"; nocase; content:"<hgroup>"; within:100; nocase; content:"<section>"; nocase; content:!"</section>"; within:400; nocase; content:"<address>"; nocase; content:!"</address>"; within:400; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3202; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-069; classtype:attempted-user; sid:27829; rev:1;)
|
|
# sid 27909 -- CVE-2013-3163 (MS13-055), CPhraseElement use-after-free, SMTP variant of sid 27908. Anchors on
# the helper name mstime_malloc( (fast pattern) as it appears in public exploit code, the MS TIME namespace
# urn:schemas-microsoft-com:time and an :ANIMATECOLOR element; the PCRE requires the objId passed to
# mstime_malloc to equal the ANIMATECOLOR element's id. This catches copy-pasted exploit code; renaming the
# helper function evades it. Present in all three drop policies, including max-detect.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CPhraseElement use after free attempt"; flow:to_server,established; file_data; content:"mstime_malloc("; fast_pattern:only; content:"urn:schemas-microsoft-com:time"; nocase; content:":ANIMATECOLOR"; nocase; pcre:"/mstime_malloc\([^\)]+?objId:\s*?[\x22\x27](?P<smil_obj>[^\x22\x27]+)[\x22\x27].*?:ANIMATECOLOR[^>]+?id\s*?=\s*?[\x22\x27]?(?P=smil_obj)/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60975; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27909; rev:6;)
|
|
# sid 27908 -- CVE-2013-3163 (MS13-055), CPhraseElement use-after-free, client-side delivery over
# $FILE_DATA_PORTS. Same detection as sid 27909: mstime_malloc( helper (fast pattern), MS TIME namespace,
# :ANIMATECOLOR element, and a PCRE tying the helper's objId to the ANIMATECOLOR id. Exploit-code-specific;
# a rewritten or renamed heap-grooming helper is not covered.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CPhraseElement use after free attempt"; flow:to_client,established; file_data; content:"mstime_malloc("; fast_pattern:only; content:"urn:schemas-microsoft-com:time"; nocase; content:":ANIMATECOLOR"; nocase; pcre:"/mstime_malloc\([^\)]+?objId:\s*?[\x22\x27](?P<smil_obj>[^\x22\x27]+)[\x22\x27].*?:ANIMATECOLOR[^>]+?id\s*?=\s*?[\x22\x27]?(?P=smil_obj)/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60975; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27908; rev:6;)
|
|
# sid 28204 -- CVE-2013-3886 (MS13-080), deleted-object memory corruption, HTTP only. getElementsByTagName
# followed within 30 bytes by "nosmartquotes", plus onreadystatechange anywhere in the body as the fast
# pattern. onreadystatechange is extremely common (any XHR code), so the fast-pattern pre-filter admits a
# large share of ordinary pages to full evaluation; the nosmartquotes check is what actually discriminates.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted object memory corruption attempt"; flow:to_client,established; file_data; content:"getElementsByTagName"; nocase; content:"nosmartquotes"; within:30; nocase; content:"onreadystatechange"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-3886; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-080; classtype:attempted-user; sid:28204; rev:1;)
|
|
# sid 28163 (disabled) -- CVE-2013-3873 (MS13-080), HtmlLayout SmartObject use-after-free. <table ->
# <colgroup within 100 -> </colgroup> -> a <style block containing colgroup{ display: none (the "none" may
# sit up to 8 bytes after "display:") -> <script with document.execCommand( within 200 bytes. Tied to
# stylesheet-driven hiding of the colgroup; alert only, no drop policy; disabled by default.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HtmlLayout SmartObject use after free attempt"; flow:to_client,established; file_data; content:"|3C|table"; nocase; content:"|3C|colgroup"; within:100; nocase; content:"|3C 2F|colgroup|3E|"; within:50; distance:1; nocase; content:"|3C|style"; distance:0; nocase; content:"colgroup|7B|"; distance:0; nocase; content:"display|3A|"; within:10; nocase; content:"none"; within:8; nocase; content:"|3C|script"; nocase; content:"document.execCommand|28|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3873; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-080; classtype:attempted-user; sid:28163; rev:3;)
|
|
# sid 28160 -- CVE-2013-3874 (MS13-080), CElement use-after-free. .execCommand('Delete', false) is matched
# literally (single quotes, one space -- a double-quoted or differently spaced form evades the anchor), then
# an .execCommand ... removeformat within 200 bytes, and a third .execCommand with "delete" located via
# within:400; distance:-200 -- the negative distance lets that call sit up to 200 bytes before or after the
# removeformat call. All execCommand contents are nocase.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement use after free attempt"; flow:to_client,established; file_data; content:".execCommand('Delete', false)"; nocase; content:".execCommand"; within:200; nocase; content:"removeformat"; within:50; nocase; content:".execCommand"; within:400; distance:-200; nocase; content:"delete"; within:50; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3874; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-080; classtype:attempted-user; sid:28160; rev:1;)
|
|
# sid 28159 -- CVE-2013-3875 (MS13-080), CLayoutBlock use-after-free, SMTP variant of sid 28158.
# document.write("<ruby>") (fast pattern on <ruby>) followed by a getElementsByTagName(...).length loop
# reading [..].clientWidth; the PCRE then cross-references the writer function, the enumerating function and
# the tag name across several <script> blocks. Many unbounded .*? segments over the whole body make this
# PCRE expensive on large documents -- keep an eye on its cost if the sensor runs near capacity.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CLayoutBlock use after free attempt"; flow:to_server,established; file_data; content:"document.write("; nocase; content:"<ruby>"; within:15; distance:1; fast_pattern; nocase; content:"document.getElementsByTagName("; within:150; nocase; content:".length"; within:25; distance:4; nocase; content:"document.getElementsByTagName("; within:55; distance:6; nocase; content:"|5D|.clientWidth|3B|"; within:35; distance:5; nocase; pcre:"/function\s*?(?P<ruby1>\w+).*?document\.write\x28\s*?[\x22\x27]\s*?\x3c\s*?ruby\s*?\x3e\s*?[\x22\x27].*?function\s*?(?P<enum>\w+).*?for\s*?\x28\s*?\w+\x3d\s*?0\s*?\x3b\s*?\w+\s*?\x3c\s*?document\.getElementsByTagName\x28\s*?[\x22\x27]\s*?(?P<badtag>\w+)\s*?[\x22\x27]\s*?\x29\.length\s*?\x3b\s*?\w+\x2b\x2b\s*?\x29.*?document\.getElementsByTagName\x28\s*?[\x22\x27](?P=badtag)\s*?[\x22\x27]\s*?\x29\s*?\x5b.*?\x5d\.clientWidth.*?\x3cruby\x3e.*?\x3cscript\x3e\s*?(?P=ruby1).*?\x3cscript\x3e\s*?(?P=enum).*?\x3cscript\x3e(?P=enum)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3875; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-080; classtype:attempted-user; sid:28159; rev:1;)
|
|
# sid 28158 -- CVE-2013-3875 (MS13-080), CLayoutBlock use-after-free, client-side delivery over
# $FILE_DATA_PORTS. Same chain and PCRE as sid 28159: document.write("<ruby>") plus a getElementsByTagName
# loop over clientWidth, with the PCRE binding function and tag names across multiple <script> blocks.
# The fixed distance values (4, 6, 5) assume the PoC's exact spacing; the PCRE is heavy (many .*?).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CLayoutBlock use after free attempt"; flow:to_client,established; file_data; content:"document.write("; nocase; content:"<ruby>"; within:15; distance:1; fast_pattern; nocase; content:"document.getElementsByTagName("; within:150; nocase; content:".length"; within:25; distance:4; nocase; content:"document.getElementsByTagName("; within:55; distance:6; nocase; content:"|5D|.clientWidth|3B|"; within:35; distance:5; nocase; pcre:"/function\s*?(?P<ruby1>\w+).*?document\.write\x28\s*?[\x22\x27]\s*?\x3c\s*?ruby\s*?\x3e\s*?[\x22\x27].*?function\s*?(?P<enum>\w+).*?for\s*?\x28\s*?\w+\x3d\s*?0\s*?\x3b\s*?\w+\s*?\x3c\s*?document\.getElementsByTagName\x28\s*?[\x22\x27]\s*?(?P<badtag>\w+)\s*?[\x22\x27]\s*?\x29\.length\s*?\x3b\s*?\w+\x2b\x2b\s*?\x29.*?document\.getElementsByTagName\x28\s*?[\x22\x27](?P=badtag)\s*?[\x22\x27]\s*?\x29\s*?\x5b.*?\x5d\.clientWidth.*?\x3cruby\x3e.*?\x3cscript\x3e\s*?(?P=ruby1).*?\x3cscript\x3e\s*?(?P=enum).*?\x3cscript\x3e(?P=enum)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3875; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-080; classtype:attempted-user; sid:28158; rev:1;)
|
|
# sid 28151 -- CVE-2013-3885 (MS13-080), STextBlockPosition use-after-free. The fast pattern is the bare
# token "thead", which appears in most table-based HTML, so the pre-filter is weak and the PCRE does the
# real work: getElement(s)By(Id|TagName)("caption") followed by innerHTML = "<thead. The PCRE is
# case-sensitive (/sm, no i), so "<THEAD" inside the innerHTML string would not match; the "caption" and
# "getElement" contents are case-sensitive too.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer STextBlockPosition use after free attempt"; flow:to_client,established; file_data; content:"thead"; fast_pattern:only; content:"caption"; content:"getElement"; pcre:"/\.getElements?By(Id|TagName)\x28\s*[\x22\x27]caption[\x22\x27]\s*\x29.*?innerHTML\s*\x3d\s*[\x22\x27]\x3cthead/sm"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3885; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-080; classtype:attempted-user; sid:28151; rev:2;)
|
|
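# sid 28232 -- CVE-2013-3203 (MS13-069), handler type confusion via .call/.apply, SMTP variant of sid 28231.
# Generalises sids 27833/27834: the PCRE accepts onclick/onfocus/onload handlers, either .call or .apply,
# and a decimal or hex (0x) numeric argument. Note the content pre-filter still requires a literal .call(
# within 64 bytes of .onfocus, so the apply and onclick-only branches of the PCRE are reachable only when
# that anchor is also present. onclick= and onfocus= attributes must appear within 64 bytes of each other.
# LOCAL CHANGE (rev 1 -> 2): added nocase to the onclick= and onfocus= attribute contents (HTML attribute
# names are case-insensitive; consistent with sids 28523/28524).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer javascript call method type confusion attempt"; flow:to_server,established; file_data; content:".onfocus"; nocase; content:".call|28|"; within:64; nocase; content:"onclick="; nocase; content:"onfocus="; within:64; nocase; pcre:"/<script((?!<\/script).)*?(var|function)\s*\w+\s*(=\s*function\s*\x28\s*\x29)?((?!<\/script).)*?(var\s*)?(?P<var>\w+)(\s*=\s*\w+)?\.(onclick|onfocus|onload)\.(call|apply)\x28\s*(0x)?\d+/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3203; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-069; classtype:attempted-user; sid:28232; rev:2;)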
|
|
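# sid 28231 -- CVE-2013-3203 (MS13-069), handler type confusion via .call/.apply, client-side delivery over
# $FILE_DATA_PORTS. Generalises sids 27831/27832: PCRE accepts onclick/onfocus/onload, .call or .apply, and a
# decimal or 0x-prefixed argument. The content pre-filter still needs a literal .call( within 64 bytes of
# .onfocus, so the broader PCRE branches only fire when that anchor is present.
# LOCAL CHANGE (rev 1 -> 2): added nocase to the onclick= and onfocus= attribute contents (HTML attribute
# names are case-insensitive; consistent with sids 28523/28524).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer javascript call method type confusion attempt"; flow:to_client,established; file_data; content:".onfocus"; nocase; content:".call|28|"; within:64; nocase; content:"onclick="; nocase; content:"onfocus="; within:64; nocase; pcre:"/<script((?!<\/script).)*?(var|function)\s*\w+\s*(=\s*function\s*\x28\s*\x29)?((?!<\/script).)*?(var\s*)?(?P<var>\w+)(\s*=\s*\w+)?\.(onclick|onfocus|onload)\.(call|apply)\x28\s*(0x)?\d+/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3203; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-069; classtype:attempted-user; sid:28231; rev:2;)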
|
|
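# sid 28524 -- CVE-2013-3916 (MS13-088), "generic" use-after-free, SMTP variant of sid 28523. onload= and
# onselectstart= attributes within 64 bytes, execCommand("InsertInputReset" (InsertInputReset within 20 of
# execCommand(), and body.contentEditable toggled true then false (each value within 10 bytes). The
# execCommand and contentEditable contents are case-sensitive and whitespace-exact.
# LOCAL CHANGE (rev 1 -> 2): classtype changed from attempted-recon to attempted-user. The client-side
# sibling sid 28523 for the same CVE and identical content uses attempted-user, and a memory-corruption
# exploit attempt is not reconnaissance; the mismatch skewed priority for e-mail-delivered hits.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer generic use after free attempt"; flow:to_server,established; file_data; content:"onload="; nocase; content:"onselectstart="; within:64; nocase; content:"execCommand("; content:"InsertInputReset"; within:20; content:"body.contentEditable"; content:"true"; within:10; content:"body.contentEditable"; distance:0; content:"false"; within:10; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3916; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-088; classtype:attempted-user; sid:28524; rev:2;)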
|
|
# sid 28523 -- CVE-2013-3916 (MS13-088), "generic" use-after-free, client-side delivery over
# $FILE_DATA_PORTS. onload= and onselectstart= attributes within 64 bytes (nocase), execCommand( with
# InsertInputReset within 20 bytes, and body.contentEditable set to true and then false (each value within
# 10 bytes of the property). The JS contents are case-sensitive and whitespace-exact, so e.g.
# contentEditable = 'true' with extra spacing would not match the within:10 window reliably.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer generic use after free attempt"; flow:to_client,established; file_data; content:"onload="; nocase; content:"onselectstart="; within:64; nocase; content:"execCommand("; content:"InsertInputReset"; within:20; content:"body.contentEditable"; content:"true"; within:10; content:"body.contentEditable"; distance:0; content:"false"; within:10; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3916; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-088; classtype:attempted-user; sid:28523; rev:1;)
|
|
# sid 28522 (disabled) -- CVE-2013-3908 (MS13-088), print-preview information disclosure. Outbound rule: an
# MSIE User-Agent header plus "<script" and a later "src=" inside the request URI, i.e. a script tag being
# carried through a URL. This also fires on generic reflected-XSS probing from any MSIE client, which is
# why it is alert-only, not in any drop policy, and disabled by default.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer print preview information disclosure attempt"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"MSIE"; within:64; http_header; content:"<script"; http_uri; content:"src="; distance:0; http_uri; metadata:service http; reference:cve,2013-3908; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-088; classtype:attempted-recon; sid:28522; rev:3;)
|
|
# sid 28504 -- CVE-2013-3915 (MS13-088), undo use-after-free. applyElement( anywhere, then the literal
# sequence execCommand("InsertInputHidden"); -> innerHTML=""; within 35 -> CollectGarbage() within 30 ->
# execCommand("Undo"); within 55. Everything is byte-exact (no nocase, no whitespace tolerance), so it is
# tied to the PoC's formatting; on the other hand CollectGarbage() is a strong indicator because benign pages
# rarely force a GC. No SMTP sibling for this CVE.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer undo use after free attempt"; flow:to_client,established; file_data; content:"applyElement|28|"; content:"execCommand|28 22|InsertInputHidden|22 29 3B|"; content:"innerHTML|3D 22 22 3B|"; within:35; content:"CollectGarbage|28 29|"; within:30; content:"execCommand|28 22|Undo|22 29 3B|"; within:55; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3915; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-088; classtype:attempted-user; sid:28504; rev:1;)
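# CVE-2013-3910 / MS13-088 createRange use-after-free, HTTP only.
# In file_data: " document.body.innerHTML +=" followed within 100 bytes by
# " document.execCommand(" and then ".createRange(". Alert-only in balanced, drop in security.
# Review fix: msg read "user after free"; corrected to "use after free" and bumped rev.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer createRange use after free attempt"; flow:to_client,established; file_data; content:" document.body.innerHTML +="; content:" document.execCommand|28|"; within:100; content:".createRange|28|"; distance:0; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2013-3910; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-088; classtype:attempted-user; sid:28496; rev:4;)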
# CVE-2013-3914 / MS13-088 CTreePos memory corruption, inbound SMTP copy of sid 28494.
# Three .execCommand calls in order (undo, redo, undo), each within 100 bytes of the
# previous; the pcre confirms each command name is a quoted argument to execCommand.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer execCommand CTreePos memory corruption attempt"; flow:to_server,established; file_data; content:".execCommand"; nocase; content:"undo"; within:15; nocase; content:".execCommand"; within:100; nocase; content:"redo"; within:15; nocase; content:".execCommand"; within:100; nocase; content:"undo"; within:15; nocase; pcre:"/\x2eexecCommand\s*\x28\s*[\x22\x27]\s*undo\s*[\x22\x27].*?\x2eexecCommand\s*\x28\s*[\x22\x27]\s*redo\s*[\x22\x27].*?\x2eexecCommand\s*\x28\s*[\x22\x27]\s*undo\s*[\x22\x27]/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3914; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-088; classtype:attempted-user; sid:28495; rev:2;)
# CVE-2013-3914 / MS13-088 CTreePos memory corruption, client-side delivery.
# Three .execCommand calls in order (undo, redo, undo), each within 100 bytes of the
# previous; the pcre confirms each command name is a quoted argument to execCommand.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer execCommand CTreePos memory corruption attempt"; flow:to_client,established; file_data; content:".execCommand"; nocase; content:"undo"; within:15; nocase; content:".execCommand"; within:100; nocase; content:"redo"; within:15; nocase; content:".execCommand"; within:100; nocase; content:"undo"; within:15; nocase; pcre:"/\x2eexecCommand\s*\x28\s*[\x22\x27]\s*undo\s*[\x22\x27].*?\x2eexecCommand\s*\x28\s*[\x22\x27]\s*redo\s*[\x22\x27].*?\x2eexecCommand\s*\x28\s*[\x22\x27]\s*undo\s*[\x22\x27]/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3914; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-088; classtype:attempted-user; sid:28494; rev:2;)
# CVE-2013-3912 / MS13-088 freed CTreePos use-after-free, HTTP only.
# Looks for a "function selectRange(nodes" definition, removeAllRanges() within 80 bytes,
# a later selectRange(nodes call, and document.selection.createRange().pasteHTML within 100.
# The function name is taken from the public PoC, so a renamed variant would presumably not match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer freed CTreePos object use-after-free attempt"; flow:to_client,established; file_data; content:"function selectRange(nodes"; nocase; content:"removeAllRanges()"; within:80; nocase; content:"selectRange(nodes"; distance:0; nocase; content:"document.selection.createRange().pasteHTML"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-3912; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-088; classtype:attempted-user; sid:28492; rev:2;)
# CVE-2013-3911 / MS13-088 CEditAdorner use-after-free, client-side delivery.
# .createElement( then "canvas" (distance:1 skips the opening quote), followed by
# .createControlRange(), .select(), and .addBehavior("#default#VML"), each within 100 bytes.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CEditAdorner use after free attempt"; flow:to_client,established; file_data; content:".createElement|28|"; content:"canvas"; within:7; distance:1; content:".createControlRange|28 29|"; within:100; content:".select|28 29|"; within:100; content:".addBehavior"; within:100; content:"#default#VML"; within:17; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3911; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-088; classtype:attempted-user; sid:28491; rev:1;)
# CVE-2013-3917 / MS13-088 deleted-object memory corruption, HTTP only.
# outerHTML, document.execCommand within 100, designMode="off" within 200,
# contenteditable="true" (fast pattern) within 200, onresize=" within 200; the pcre
# requires an outerHTML += "..." assignment.
# NOTE(review): the fast-pattern literal is likely common in legitimate rich-text pages, so
# the ordered matches around it carry the real selectivity.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted object memory corruption attempt"; flow:to_client,established; file_data; content:"outerHTML"; nocase; content:"document.execCommand"; within:100; nocase; content:"designMode=|22|off|22|"; within:200; nocase; content:"contenteditable=|22|true|22|"; within:200; fast_pattern; content:"onresize=|22|"; within:200; nocase; pcre:"/outerhtml\s*?\+\=\s*?\x22/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-3917; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-088; classtype:attempted-user; sid:28490; rev:2;)
# CVE-2013-3147 / MS13-055 beforeeditfocus use-after-free, inbound SMTP copy of sid 28854.
# Content: "beforeeditfocus", ".focus" within 250, "document.write". The pcre requires a
# function whose body calls document.write and whose name is later passed as the argument
# following an "onbeforeeditfocus" string (i.e. registered as that event's handler).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt"; flow:to_server,established; file_data; content:"beforeeditfocus"; nocase; content:".focus"; within:250; nocase; content:"document.write"; nocase; pcre:"/function\s+(?P<vuln>\w+)\s*\x28[^\x7B]+?\x7B[^\x7D]+?document\.write.*?onbeforeeditfocus\s*[\x22\x27]\s*\x2C\s*(?P=vuln)/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60966; reference:cve,2013-3147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:28855; rev:3;)
# CVE-2013-3147 / MS13-055 beforeeditfocus use-after-free, client-side delivery.
# Content: "beforeeditfocus", ".focus" within 250, "document.write". The pcre requires a
# function whose body calls document.write and whose name is later passed as the argument
# following an "onbeforeeditfocus" string (i.e. registered as that event's handler).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt"; flow:to_client,established; file_data; content:"beforeeditfocus"; nocase; content:".focus"; within:250; nocase; content:"document.write"; nocase; pcre:"/function\s+(?P<vuln>\w+)\s*\x28[^\x7B]+?\x7B[^\x7D]+?document\.write.*?onbeforeeditfocus\s*[\x22\x27]\s*\x2C\s*(?P=vuln)/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60966; reference:cve,2013-3147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:28854; rev:2;)
# Disabled by default. CVE-2013-5056 / MS13-099 VBScript Scripting.Dictionary use-after-free,
# inbound SMTP copy of sid 28881. Requires text/vbscript, then (per the pcre) a variable whose
# .RemoveAll() is called, re-assigned via Set var = CreateObject("Scripting.Dictionary"),
# followed by var.Add and a second var.RemoveAll().
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Dictionary Object use after free attempt"; flow:to_server,established; file_data; content:"text/vbscript"; nocase; content:".RemoveAll()"; within:500; nocase; content:"CreateObject("; within:200; distance:25; nocase; content:"Scripting.Dictionary"; within:35; content:".RemoveAll()"; within:500; nocase; pcre:"/vbscript.*?(?P<dict1>\w+)\.RemoveAll\x28\x29.*?Set\s*?(?P=dict1)\s*?\x3d\s*?CreateObject\x28\s*?[\x22\x27]\s*?Scripting\.Dictionary.*?(?P=dict1)\.Add.*?(?P=dict1)\.RemoveAll\x28\x29/smi"; metadata:policy security-ips drop, service smtp; reference:bugtraq,64082; reference:cve,2013-5056; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-099; classtype:attempted-user; sid:28882; rev:4;)
# Disabled by default. CVE-2013-5056 / MS13-099 VBScript Scripting.Dictionary use-after-free,
# client-side delivery; same content/pcre logic as sid 28882.
# NOTE(review): the header uses $HTTP_PORTS while the metadata lists ftp-data, imap and pop3
# as well; sibling rules carrying those services use $FILE_DATA_PORTS. Confirm the intended
# port scope before enabling.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Dictionary Object use after free attempt"; flow:to_client,established; file_data; content:"text/vbscript"; nocase; content:".RemoveAll()"; within:500; nocase; content:"CreateObject("; within:200; distance:25; nocase; content:"Scripting.Dictionary"; within:35; content:".RemoveAll()"; within:500; nocase; pcre:"/vbscript.*?(?P<dict1>\w+)\.RemoveAll\x28\x29.*?Set\s*?(?P=dict1)\s*?\x3d\s*?CreateObject\x28\s*?[\x22\x27]\s*?Scripting\.Dictionary.*?(?P=dict1)\.Add.*?(?P=dict1)\.RemoveAll\x28\x29/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64082; reference:cve,2013-5056; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-099; classtype:attempted-user; sid:28881; rev:4;)
# CVE-2013-5052 / MS13-097 IE8 CElement use-after-free, client-side delivery.
# Unordered-ish chain: .select(, oncontrolselect= with document.write( within 16 bytes,
# and contentEditable= followed by true within 5. sid 29036 covers the same CVE with a
# function-body based pattern.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 CElement Use After Free exploit attempt"; flow:to_client,established; file_data; content:"|2E|select|28|"; nocase; content:"oncontrolselect="; nocase; content:"document.write|28|"; within:16; nocase; content:"contentEditable="; nocase; content:"true"; within:5; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5052; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:28880; rev:3;)
# CVE-2013-5047 / MS13-097 use-after-free, inbound SMTP copy of sid 28873.
# Matches exact PoC statements: all_elements_list[2].appendChild(document.createElement("div"));
# (fast pattern), all_elements_list.push(document.getElementById("t9")); and
# obj['appendChild'](all_elements_list[2]); 150-400 bytes later.
# Detection is tied to these identifiers; a renamed variant would presumably not match.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"all_elements_list|5B|2|5D|.appendChild|28|document.createElement|28 22|div|22 29 29 3B|"; fast_pattern:only; content:"all_elements_list.push|28|document.getElementById|28 22|t9|22 29 29 3B|"; content:"obj|5B 27|appendChild|27 5D 28|all_elements_list|5B|2|5D 29 3B|"; within:250; distance:150; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-5047; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-097; classtype:attempted-user; sid:28874; rev:1;)
# CVE-2013-5047 / MS13-097 use-after-free, client-side delivery; same exact-PoC content as sid 28874.
# NOTE(review): the header uses $HTTP_PORTS but the metadata also lists ftp-data, imap and pop3;
# sibling rules with those services use $FILE_DATA_PORTS. Confirm the intended port scope.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"all_elements_list|5B|2|5D|.appendChild|28|document.createElement|28 22|div|22 29 29 3B|"; fast_pattern:only; content:"all_elements_list.push|28|document.getElementById|28 22|t9|22 29 29 3B|"; content:"obj|5B 27|appendChild|27 5D 28|all_elements_list|5B|2|5D 29 3B|"; within:250; distance:150; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5047; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-097; classtype:attempted-user; sid:28873; rev:1;)
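# CVE-2013-5048 / MS13-097 table sub-structure use-after-free, client-side delivery.
# Two <table tags within 256 bytes, then .appendChild(, .insertRow( and .deleteRow( (fast
# pattern) in order; the pcre requires each table to contain a <thead/<tbody/<tfoot ... id= child.
# Review fix: the pcre alternative was "t(head|body|footer)", which can never match the real
# <tfoot> element; it now accepts "tfoot" while still matching the old "tfooter" spelling.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer table sub structure use after free attempt"; flow:to_client,established; file_data; content:"<table "; nocase; content:"<table "; within:256; nocase; content:".appendChild("; content:".insertRow("; within:256; content:".deleteRow("; within:256; fast_pattern; pcre:"/<table[^>]*?>((?!<\/table>).)*?<t(head|body|foot(?:er)?) id=.*?<\/table>.{0,256}<table[^>]*?>((?!<\/table>).)*?<t(head|body|foot(?:er)?) id=.*?<\/table>/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5048; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:28866; rev:2;)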
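# CVE-2013-5048 / MS13-097 table sub-structure use-after-free, inbound SMTP copy of sid 28866.
# Two <table tags within 256 bytes, then .appendChild(, .insertRow( and .deleteRow( (fast
# pattern) in order; the pcre requires each table to contain a <thead/<tbody/<tfoot ... id= child.
# Review fix: the pcre alternative was "t(head|body|footer)", which can never match the real
# <tfoot> element; it now accepts "tfoot" while still matching the old "tfooter" spelling.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer table sub structure use after free attempt"; flow:to_server,established; file_data; content:"<table "; nocase; content:"<table "; within:256; nocase; content:".appendChild("; content:".insertRow("; within:256; content:".deleteRow("; within:256; fast_pattern; pcre:"/<table[^>]*?>((?!<\/table>).)*?<t(head|body|foot(?:er)?) id=.*?<\/table>.{0,256}<table[^>]*?>((?!<\/table>).)*?<t(head|body|foot(?:er)?) id=.*?<\/table>/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-5048; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:28865; rev:2;)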
# CVE-2013-5051 / MS13-097 CViewportChangeInvalidation use-after-free, inbound SMTP copy of sid 28862.
# Fast pattern on <marquee, then a fixed tag nesting order: <a, <i within 50, </a within 15,
# <b, <h within 15, </b within 15, <marquee within 50, </i within 55.
# NOTE(review): destination is $HOME_NET 25 rather than the $SMTP_SERVERS 25 used by the other
# SMTP rules in this section, and only balanced-ips drops; confirm both are intentional.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BROWSER-IE Microsoft Internet Explorer CViewportChangeInvalidation use after free attempt"; flow:to_server,established; file_data; content:"<marquee"; fast_pattern:only; content:"<a"; content:"<i"; within:50; content:"</a"; within:15; content:"<b"; distance:0; content:"<h"; within:15; content:"</b"; within:15; content:"<marquee"; within:50; content:"</i"; within:55; metadata:policy balanced-ips drop, service smtp; reference:cve,2013-5051; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:28863; rev:1;)
# CVE-2013-5051 / MS13-097 CViewportChangeInvalidation use-after-free, client-side delivery.
# Fast pattern on <marquee, then a fixed tag nesting order: <a, <i within 50, </a within 15,
# <b, <h within 15, </b within 15, <marquee within 50, </i within 55. Balanced-ips drop only.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CViewportChangeInvalidation use after free attempt"; flow:to_client,established; file_data; content:"<marquee"; fast_pattern:only; content:"<a"; content:"<i"; within:50; content:"</a"; within:15; content:"<b"; distance:0; content:"<h"; within:15; content:"</b"; within:15; content:"<marquee"; within:50; content:"</i"; within:55; metadata:policy balanced-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5051; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:28862; rev:1;)
# Disabled by default. CVE-2003-1048 / MS04-025 malformed GIF double-free, inbound SMTP.
# Requires the file.gif flowbit; matches a fixed 21-byte sequence starting with 0x2C (the byte
# that introduces a GIF image descriptor) taken from one known malformed sample.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer malformed GIF double-free remote code execution attempt"; flow:to_server,established; flowbits:isset,file.gif; file_data; content:"|2C 00 00 00 00 10 00 10 00 00 00 0E 84 8F A9 CB ED 0F A3 9C B4|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,8530; reference:cve,2003-1048; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-025; classtype:attempted-user; sid:28975; rev:1;)
# Disabled by default. CVE-2003-1048 / MS04-025 malformed GIF double-free, inbound SMTP.
# Requires the file.gif flowbit; matches a 1x1 image descriptor (0x2C ... 01 00 01 00) followed
# by a run of 0x41 bytes, i.e. a second known sample variant.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer malformed GIF double-free remote code execution attempt"; flow:to_server,established; flowbits:isset,file.gif; file_data; content:"|2C 00 00 00 00 01 00 01 00 00 00 01 41 41 41 41 41 41 41 41 41|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,8530; reference:cve,2003-1048; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-025; classtype:attempted-user; sid:28974; rev:2;)
# Disabled by default. CVE-2003-1048 / MS04-025 malformed GIF double-free, client-side delivery.
# Same 21-byte descriptor sequence as sid 28975, gated on the file.gif flowbit.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer malformed GIF double-free remote code execution attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|2C 00 00 00 00 10 00 10 00 00 00 0E 84 8F A9 CB ED 0F A3 9C B4|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,8530; reference:cve,2003-1048; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-025; classtype:attempted-user; sid:28973; rev:1;)
# Disabled by default. CVE-2003-1048 / MS04-025 malformed GIF double-free, client-side delivery.
# Same 1x1-descriptor-plus-0x41-run sequence as sid 28974, gated on the file.gif flowbit.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer malformed GIF double-free remote code execution attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|2C 00 00 00 00 01 00 01 00 00 00 01 41 41 41 41 41 41 41 41 41|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,8530; reference:cve,2003-1048; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-025; classtype:attempted-user; sid:28972; rev:2;)
# Disabled by default. Generic showHelp( call with a .chm path within 40 bytes, inbound SMTP.
# classtype misc-activity: this is a visibility rule (ATT&CK T1223, compiled HTML file), not an
# exploit signature; expect hits on any page that legitimately opens help files.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CHM file load attempt"; flow:to_server,established; file_data; content:"showHelp("; nocase; content:".chm"; within:40; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1223; reference:url,msdn.microsoft.com/en-us/library/ie/ms536758%28v=vs.85%29.aspx; classtype:misc-activity; sid:28932; rev:2;)
# Disabled by default. Generic showHelp( call (fast pattern) with a .chm path within 40 bytes,
# client-side delivery. classtype misc-activity: visibility rule for ATT&CK T1223, not an
# exploit signature; expect hits on any page that legitimately opens help files.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHM file load attempt"; flow:to_client,established; file_data; content:"showHelp("; fast_pattern; nocase; content:".chm"; within:40; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1223; reference:url,msdn.microsoft.com/en-us/library/ie/ms536758%28v=vs.85%29.aspx; classtype:misc-activity; sid:28931; rev:2;)
# Disabled by default. CVE-2003-1041 / MS04-023 showHelp path traversal, inbound SMTP.
# Raw-encoded variant: showHelp( followed within 40 bytes by "..\\..\\" (2E 2E 5C 5C 2E 2E 5C 5C).
# sids 28924/28923 cover the single- and double-URL-encoded forms of the same traversal.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Windows showHelp CHM malicious file execution attempt"; flow:to_server,established; file_data; content:"showHelp("; nocase; content:"|2E 2E 5C 5C 2E 2E 5C 5C|"; within:40; fast_pattern; metadata:service smtp; reference:bugtraq,9320; reference:cve,2003-1041; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-023; classtype:attempted-admin; sid:28925; rev:2;)
# Disabled by default. CVE-2003-1041 / MS04-023 showHelp path traversal, inbound SMTP.
# Single URL-encoded variant: showHelp( followed within 60 bytes by %2E%2E%5C%5C%2E%2E%5C%5C
# (the window grows with the encoded length; see sids 28925 and 28923 for the other encodings).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Windows showHelp CHM malicious file execution attempt"; flow:to_server,established; file_data; content:"showHelp("; nocase; content:"%2E%2E%5C%5C%2E%2E%5C%5C"; within:60; fast_pattern; metadata:service smtp; reference:bugtraq,9320; reference:cve,2003-1041; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-023; classtype:attempted-admin; sid:28924; rev:2;)
# Disabled by default. CVE-2003-1041 / MS04-023 showHelp path traversal, inbound SMTP.
# Double URL-encoded variant (%25%32%45 = "%2E", %255C = "%5C"), within 85 bytes of showHelp(.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Windows showHelp CHM malicious file execution attempt"; flow:to_server,established; file_data; content:"showHelp("; nocase; content:"%25%32%45%25%32%45%255C%255C%25%32%45%25%32%45%255C%255C"; within:85; fast_pattern; metadata:service smtp; reference:bugtraq,9320; reference:cve,2003-1041; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-023; classtype:attempted-admin; sid:28923; rev:2;)
# Disabled by default. CVE-2003-1041 / MS04-023 showHelp path traversal, client-side delivery.
# Raw-encoded variant: showHelp( followed within 40 bytes by "..\\..\\" (2E 2E 5C 5C 2E 2E 5C 5C).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows showHelp CHM malicious file execution attempt"; flow:to_client,established; file_data; content:"showHelp("; nocase; content:"|2E 2E 5C 5C 2E 2E 5C 5C|"; within:40; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,9320; reference:cve,2003-1041; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-023; classtype:attempted-admin; sid:28922; rev:2;)
# Disabled by default. CVE-2003-1041 / MS04-023 showHelp path traversal, client-side delivery.
# Single URL-encoded variant: %2E%2E%5C%5C%2E%2E%5C%5C within 60 bytes of showHelp(.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows showHelp CHM malicious file execution attempt"; flow:to_client,established; file_data; content:"showHelp("; nocase; content:"%2E%2E%5C%5C%2E%2E%5C%5C"; within:60; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,9320; reference:cve,2003-1041; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-023; classtype:attempted-admin; sid:28921; rev:2;)
# Disabled by default. CVE-2003-1041 / MS04-023 showHelp path traversal, client-side delivery.
# Double URL-encoded variant (%25%32%45 = "%2E", %255C = "%5C") within 85 bytes of showHelp(.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows showHelp CHM malicious file execution attempt"; flow:to_client,established; file_data; content:"showHelp("; nocase; content:"%25%32%45%25%32%45%255C%255C%25%32%45%25%32%45%255C%255C"; within:85; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,9320; reference:cve,2003-1041; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-023; classtype:attempted-admin; sid:28920; rev:2;)
# Disabled by default. CVE-2013-3908 / MS13-088 print-preview information disclosure,
# companion to sid 28522: outbound HTTP from an MSIE User-Agent whose URI contains "<img"
# followed by "src=". NOTE(review): same loose URI test as 28522; tune before enabling.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer print preview information disclosure attempt"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"MSIE"; within:64; http_header; content:"<img"; http_uri; content:"src="; distance:0; http_uri; metadata:service http; reference:cve,2013-3908; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-088; classtype:attempted-recon; sid:28997; rev:1;)
# CVE-2013-5052 / MS13-097 IE8 CElement use-after-free, HTTP only (second pattern for this CVE,
# see sid 28880). A "function" whose "{" is followed within 20 bytes by document.write, plus
# oncontrolselect= (fast pattern) and contentEditable= followed by true within 5.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 CElement Use After Free exploit attempt"; flow:to_client,established; file_data; content:"function "; nocase; content:"{"; distance:0; content:"document.write"; within:20; nocase; content:"oncontrolselect="; fast_pattern:only; content:"contentEditable="; nocase; content:"true"; within:5; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,64124; reference:cve,2013-5052; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:29036; rev:2;)
# Disabled by default. CVE-2013-3192 / MS13-059 EUC-JP encoding cross-site scripting.
# Requires a Content-Type header with charset=euc-jp, then a 0x8F byte at offset 4094 of
# file_data with "//" within the next 100 bytes.
# NOTE(review): the two Content-Type matches are qualified with http_header, a buffer the HTTP
# inspector populates; on SMTP traffic those matches cannot be satisfied, so as written this
# rule is unlikely ever to fire. Confirm the intended transport before enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt"; flow:to_server,established; content:"Content-Type|3A|"; http_header; content:"charset=euc-jp"; within:64; nocase; http_header; file_data; isdataat:4094; content:"|8F|"; depth:1; offset:4094; content:"//"; within:100; metadata:service smtp; reference:cve,2013-3192; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-059; classtype:attempted-user; sid:29169; rev:3;)
# Disabled by default. CVE-2013-3192 / MS13-059 EUC-JP encoding cross-site scripting.
# Requires a Content-Type header with charset=euc-jp (http_header), then a 0x8F byte at
# offset 4094 of file_data with "//" within the next 100 bytes.
# NOTE(review): the http_header matches only apply to HTTP; the ftp-data/imap/pop3 services
# listed in the metadata presumably cannot satisfy them.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt"; flow:to_client,established; content:"Content-Type|3A|"; http_header; content:"charset=euc-jp"; within:64; nocase; http_header; file_data; isdataat:4094; content:"|8F|"; depth:1; offset:4094; content:"//"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3192; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-059; classtype:attempted-user; sid:29168; rev:3;)
# Disabled by default. CVE-2012-4787 / MS12-077 invalid object property use-after-free, inbound SMTP.
# Content: document.getElement, .style. within 100, document.createElement within 45,
# CollectGarbage within 75 (fast pattern), HTML within 55. The pcre ties these together: a body
# onload function that stores a getElement* result, assigns .style.<prop> = document.createElement,
# calls CollectGarbage, then touches that variable's innerHTML/outerHTML (either declaration order).
# NOTE(review): classtype is attempted-dos although the msg describes memory corruption; confirm.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer invalid object property use after free memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElement"; content:".style."; within:100; content:"document.createElement"; within:45; content:"CollectGarbage"; within:75; fast_pattern; content:"HTML"; within:55; pcre:"/(body\s*?onload\s*?\x3d\s*?[\x22\x22](?P<func>\w+).*?function\s*?(?P=func)\s*?\x28[^\x7b]+?\x7b[^\x7d]+?var\s*?(?P<var>\w+)\s*?\x3d\s*?document\.getElement[^\x7d]+?\.style\.\w+\s*?\x3d\s*?document\.createElement[^\x7d]+?CollectGarbage[^\x7d]+?(?P=var)\.(inner|outer)HTML)|(function\s*?(?P<func2>\w+)\s*?\x28[^\x7b]+?\x7b[^\x7d]+?var\s*?(?P<var2>\w+)\s*?\x3d\s*?document\.getElement[^\x7d]+?\.style\.\w+\s*?\x3d\s*?document\.createElement[^\x7d]+?CollectGarbage[^\x7d]+?(?P=var2)\.(inner|outer)HTML.*?body\s*?onload[^\x3e]+?)(?P=func2)/ims"; metadata:policy security-ips drop, service smtp; reference:cve,2012-4787; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-077; classtype:attempted-dos; sid:29265; rev:2;)
# Disabled by default. MS05-038 (CVE-2005-1990, CVE-2005-2127) msdds.dll COM object
# instantiation: fast-pattern match on the literal clsid:EC444CB6-... string in inbound mail.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer msdds clsid access attempt"; flow:to_server,established; file_data; content:"clsid:EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14594; reference:cve,2005-1990; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-038; reference:url,www.frsirt.com/english/advisories/2005/1450; classtype:attempted-user; sid:29223; rev:2;)
# Disabled by default. MS05-038 / CVE-2005-1990 devenum COM object instantiation:
# fast-pattern match on the literal clsid:083863F1-... string in inbound mail.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer devenum clsid access attempt"; flow:to_server,established; file_data; content:"clsid:083863F1-70DE-11d0-BD40-00A0C911CE86"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-038; classtype:attempted-user; sid:29222; rev:2;)
# Disabled by default. MS05-038 / CVE-2005-1990 blnmgr COM object instantiation:
# fast-pattern match on the literal clsid:3F8A6C33-... string in inbound mail.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer blnmgr clsid access attempt"; flow:to_server,established; file_data; content:"clsid:3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5"; fast_pattern:only; metadata:service smtp; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-038; classtype:attempted-user; sid:29221; rev:2;)
# Disabled by default (max-detect / security drop only). CVE-2013-2551 / MS13-037 VML
# dashstyle negative-length memory corruption, client-side delivery. Unordered matches:
# #default#VML, dashstyle= (fast pattern), ".length=-", and .split("").reverse().join("").
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt"; flow:to_client,established; file_data; content:"#default#VML"; content:"dashstyle="; fast_pattern:only; content:".length=-"; nocase; content:".split(|22 22|).reverse().join(|22 22|)"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58570; reference:cve,2013-2551; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:29602; rev:3;)
# CVE-2014-0269 / MS14-010 CMarkup use-after-free, inbound SMTP copy of sid 29737.
# The hex content decodes to the PoC markup <div id="div1a" style="height:2000px">&nbsp;</div>
# (fast pattern) and the script fragment elseif (flag1 % 1000 == 0) {  -- exact-PoC matching.
# NOTE(review): source is "any any" and destination "$HOME_NET 25", unlike the
# "$EXTERNAL_NET any -> $SMTP_SERVERS 25" header used by the other SMTP rules here; confirm.
alert tcp any any -> $HOME_NET 25 (msg:"BROWSER-IE Microsoft Internet Explorer cmarkup methods use after free attempt"; flow:to_server,established; file_data; content:"|3C 64 69 76 20 69 64 3D 22 64 69 76 31 61 22 20 73 74 79 6C 65 3D 22 68 65 69 67 68 74 3A 32 30 30 30 70 78 22 3E 26 6E 62 73 70 3B 3C 2F 64 69 76 3E|"; fast_pattern:only; content:"|65 6C 73 65 69 66 20 28 66 6C 61 67 31 20 25 20 31 30 30 30 20 3D 3D 20 30 29 20 7B|"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29738; rev:2;)
# CVE-2014-0269 / MS14-010 CMarkup use-after-free, client-side delivery.
# The hex content decodes to the PoC markup <div id="div1a" style="height:2000px">&nbsp;</div>
# (fast pattern) and the script fragment elseif (flag1 % 1000 == 0) {  -- exact-PoC matching,
# so a re-authored exploit would presumably not match.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cmarkup methods use after free attempt"; flow:to_client,established; file_data; content:"|3C 64 69 76 20 69 64 3D 22 64 69 76 31 61 22 20 73 74 79 6C 65 3D 22 68 65 69 67 68 74 3A 32 30 30 30 70 78 22 3E 26 6E 62 73 70 3B 3C 2F 64 69 76 3E|"; fast_pattern:only; content:"|65 6C 73 65 69 66 20 28 66 6C 61 67 31 20 25 20 31 30 30 30 20 3D 3D 20 30 29 20 7B|"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29737; rev:2;)
# CVE-2014-0270 / MS14-010 list element use-after-free, inbound SMTP copy of sid 29731.
# <nl followed by <ruby; the relative pcre then wants </ruby within 200 bytes and </nl within
# a further 200.
# NOTE(review): the (?!r[tp]) lookahead sits directly before the literal "</ruby", so it can
# never fail and contributes nothing. If the intent was to exclude <rt>/<rp> children it needs
# restructuring; left unchanged here because the intent is not recoverable from the rule.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer list element use after free attempt"; flow:to_server,established; file_data; content:"|3C|nl"; content:"|3C|ruby"; distance:0; pcre:"/^.{0,200}(?!r[tp])\x3c\x2fruby.{0,200}\x3c\x2fnl/Rmsi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0270; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29732; rev:3;)
# CVE-2014-0270 / MS14-010 list element use-after-free, HTTP only.
# <nl followed by <ruby; the relative pcre then wants </ruby within 200 bytes and </nl within
# a further 200.
# NOTE(review): the (?!r[tp]) lookahead sits directly before the literal "</ruby", so it can
# never fail and contributes nothing; see the same note on sid 29732.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer list element use after free attempt"; flow:to_client,established; file_data; content:"|3C|nl"; content:"|3C|ruby"; distance:0; pcre:"/^.{0,200}(?!r[tp])\x3c\x2fruby.{0,200}\x3c\x2fnl/Rmsi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2014-0270; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29731; rev:2;)
# CVE-2014-0275 / MS14-010 CElement event-handler use-after-free, inbound SMTP (markup-first order).
# <area, then .attachEvent within 250 (fast pattern), .detachEvent within 250, document.open
# within 100. The pcre binds them: the <area id=X>, X.attachEvent(..., fn), and a function fn
# whose body calls X.detachEvent( and then document.open. sid 29729 covers script-before-markup.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CElement event handler use after free attempt"; flow:to_server,established; file_data; content:"<area"; nocase; content:".attachEvent"; within:250; fast_pattern; nocase; content:".detachEvent"; within:250; nocase; content:"document.open"; within:100; nocase; pcre:"/<area\s[^>]*?id\s*?=\s*?[\x22\x27]?(?P<area_id>[^\x22\x27\s>]+)[\x22\x27]?[\s>].*?(?P=area_id)\.attachEvent\s*?\x28[^\x29]+?,[^\x29]*?(?<func>[^\x29\s]+)[\s\x29].*?(?P=func)[^\x7b]+?\x7b[^\x7d]*?(?P=area_id)\.detachEvent\s*?\x28[^\x7d]+?document\.open/si"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0275; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29730; rev:2;)
# CVE-2014-0275 / MS14-010 CElement event-handler use-after-free, inbound SMTP (script-first order).
# .attachEvent (fast pattern), .detachEvent within 250, document.open within 100, then <area
# within 250. The pcre binds X.attachEvent(..., fn), fn's body calling X.detachEvent( and
# document.open, and a later <area ... id=X. sid 29730 covers the markup-before-script order.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CElement event handler use after free attempt"; flow:to_server,established; file_data; content:".attachEvent"; fast_pattern; nocase; content:".detachEvent"; within:250; nocase; content:"document.open"; within:100; nocase; content:"<area"; within:250; nocase; pcre:"/(?P<area_id>\w+)\.attachEvent\s*?\x28[^\x29]+?,[^\x29]*?(?<func>[^\x29\s]+)[\s\x29].*?(?P=func)[^\x7b]+?\x7b[^\x7d]*?(?P=area_id)\.detachEvent\s*?\x28[^\x7d]+?document\.open.*?<area\s[^>]*?id\s*?=\s*?[\x22\x27]?(?P=area_id)/si"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0275; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29729; rev:2;)
# CVE-2014-0275 / MS14-010 CElement event-handler use-after-free, client-side delivery
# (markup-first order). Same content/pcre logic as sid 29730: <area id=X>, X.attachEvent(..., fn),
# fn's body calling X.detachEvent( and then document.open.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement event handler use after free attempt"; flow:to_client,established; file_data; content:"<area"; nocase; content:".attachEvent"; within:250; fast_pattern; nocase; content:".detachEvent"; within:250; nocase; content:"document.open"; within:100; nocase; pcre:"/<area\s[^>]*?id\s*?=\s*?[\x22\x27]?(?P<area_id>[^\x22\x27\s>]+)[\x22\x27]?[\s>].*?(?P=area_id)\.attachEvent\s*?\x28[^\x29]+?,[^\x29]*?(?<func>[^\x29\s]+)[\s\x29].*?(?P=func)[^\x7b]+?\x7b[^\x7d]*?(?P=area_id)\.detachEvent\s*?\x28[^\x7d]+?document\.open/si"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0275; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29728; rev:2;)
# CVE-2014-0275 / MS14-010 CElement event-handler use-after-free, client-side delivery
# (script-first order). Same content/pcre logic as sid 29729: X.attachEvent(..., fn), fn's body
# calling X.detachEvent( and document.open, then a later <area ... id=X.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement event handler use after free attempt"; flow:to_client,established; file_data; content:".attachEvent"; fast_pattern; nocase; content:".detachEvent"; within:250; nocase; content:"document.open"; within:100; nocase; content:"<area"; within:250; nocase; pcre:"/(?P<area_id>\w+)\.attachEvent\s*?\x28[^\x29]+?,[^\x29]*?(?<func>[^\x29\s]+)[\s\x29].*?(?P=func)[^\x7b]+?\x7b[^\x7d]*?(?P=area_id)\.detachEvent\s*?\x28[^\x7d]+?document\.open.*?<area\s[^>]*?id\s*?=\s*?[\x22\x27]?(?P=area_id)/si"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0275; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29727; rev:2;)
# CVE-2014-0279 / MS14-010 use-after-free, inbound SMTP copy of sid 29721.
# Two literal PoC fragments: outerText = " ;" and the stylesheet text "div:first-letter{background:
# (fast pattern). Exact-string matching; a re-authored exploit would presumably not match.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"outerText = |22| |3B 22|"; content:"|22|div|3A|first-letter{background|3A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0279; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29722; rev:3;)
# CVE-2014-0279 / MS14-010 use-after-free, HTTP only.
# Two literal PoC fragments: outerText = " ;" and the stylesheet text "div:first-letter{background:
# (fast pattern). Exact-string matching; a re-authored exploit would presumably not match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"outerText = |22| |3B 22|"; content:"|22|div|3A|first-letter{background|3A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2014-0279; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29721; rev:2;)
# Disabled by default. CVE-2014-0276 / MS14-010 SLayoutRun use-after-free, inbound SMTP.
# "<body " with "position: absolute" within 60 bytes, then "<a" with "position: relative" within 60.
# NOTE(review): this is ordinary CSS with no script component, which is presumably why the
# rule ships disabled; expect false positives if enabled without further qualification.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer SLayoutRun use after free attempt"; flow:to_server,established; file_data; content:"<body "; content:"position: absolute"; within:60; content:"<a"; content:"position: relative"; within:60; metadata:service smtp; reference:cve,2014-0276; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:29720; rev:2;)
# Disabled by default. CVE-2014-0276 / MS14-010 SLayoutRun use-after-free, HTTP only.
# "<body " with "position: absolute" within 60 bytes, then "<a" with "position: relative" within 60.
# NOTE(review): ordinary CSS with no script component; expect false positives if enabled as-is.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SLayoutRun use after free attempt"; flow:to_client,established; file_data; content:"<body "; content:"position: absolute"; within:60; content:"<a"; content:"position: relative"; within:60; metadata:service http; reference:cve,2014-0276; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:29719; rev:2;)
# CVE-2014-0289 and CVE-2014-0298 (MS14-010 / MS14-012) text node use-after-free, inbound SMTP
# copy of sid 29717. .createTextNode, .addRange within 200, "delete" within 250, "undo" within 250.
# The last two are bare words (no nocase, no punctuation) so they match inside any identifier.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer text node use after free attempt"; flow:to_server,established; file_data; content:".createTextNode"; content:".addRange"; within:200; content:"delete"; within:250; content:"undo"; within:250; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0289; reference:cve,2014-0298; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:29718; rev:3;)
# CVE-2014-0289 and CVE-2014-0298 (MS14-010 / MS14-012) text node use-after-free, HTTP only.
# .createTextNode, .addRange within 200, "delete" within 250, "undo" within 250.
# The last two are bare words (no nocase, no punctuation) so they match inside any identifier.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer text node use after free attempt"; flow:to_client,established; file_data; content:".createTextNode"; content:".addRange"; within:200; content:"delete"; within:250; content:"undo"; within:250; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2014-0289; reference:cve,2014-0298; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:29717; rev:3;)
# sid:29716 (CVE-2014-0267, MS14-010): every content match in this rule is a literal
# fragment of one HTML document -- the two <meta> tags, "src : url(", and a fixed <body>
# block (the fast_pattern) that embeds a UTF-8 byte run (|E4 B8 AD E5 9B BD E4 BA BA|)
# and a trailing |0A|</html>. Coverage is therefore limited to documents that reproduce
# that page byte-for-byte; a different rendering of the same bug will not fire this sid.
# Flagged at balanced/security policy "drop", so a false positive blocks the page.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted object memory corruption attempt"; flow:to_client,established; file_data; content:"<meta http-equiv=|22|Content-Type|22| content=|22|text/html|3B| charset=UTF-8|22|>"; content:"<meta http-equiv=|22|X-UA-Compatible|22|content=|22|IE=EmulateIE7|22|>"; content:"src : url(|22|"; content:"<body> <div id=|22|titlebar|22|><div id=|22|left|22|><div class=|22|title|22|>|E4 B8 AD E5 9B BD E4 BA BA|</div></div></div></body>|0A|</html>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2014-0267; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29716; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt"; flow:to_server,established; file_data; content:"<svg"; content:"<path "; within:512; pcre:"/<path[^>]*\sd\s*=\s*[\x22\x27][^\x22\x27]*[\sMLC][-\s]{0,2}([0-9]{10}|[0-9]+e(0[7-9]|[1-9][0-9]))/i"; metadata:service smtp; reference:bugtraq,65393; reference:cve,2014-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-007; classtype:attempted-user; sid:29714; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt"; flow:to_client,established; file_data; content:"<svg"; content:"<path "; within:512; pcre:"/<path[^>]*\sd\s*=\s*[\x22\x27][^\x22\x27]*[\sMLC][-\s]{0,2}([0-9]{10}|[0-9]+e(0[7-9]|[1-9][0-9]))/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,65393; reference:cve,2014-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-007; classtype:attempted-user; sid:29713; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTree Node use after free attempt"; flow:to_server,established; file_data; content:"document.body.offsetHeight"; nocase; content:"document.styleSheets["; within:150; nocase; content:"].deleteRule"; within:16; nocase; content:"document.body.offsetHeight"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0281; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29712; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTree Node use after free attempt"; flow:to_client,established; file_data; content:"document.body.offsetHeight"; nocase; content:"document.styleSheets["; within:150; nocase; content:"].deleteRule"; within:16; nocase; content:"document.body.offsetHeight"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0281; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29711; rev:2;)
# sid:29710 (CVE-2014-0284, MS14-010), SMTP variant of sid:29709. The content chain ties
# a <style id=...> @font-face block to a later getElementbyID / innerHTML /
# style.fontFamily sequence; the pcre back-references the style id (?P<fontstyle>) into
# the getElementByID('...') call, so both must name the same element.
# NOTE(review): in the pcre, "\.(ttf|)" has an empty alternative, so the font-file
# extension is optional and that clause only requires a "." somewhere after "src:". The
# ".*" in front of it is greedy (not ".*?") under /s, so it runs to the end of the buffer
# before backtracking. Both look unintended next to the lazy ".*?" used elsewhere in the
# same expression -- confirm against the sample before tightening.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer fontFamily attribute deleted object access memory corruption attempt"; flow:to_server,established; file_data; content:"<style id"; nocase; content:"@font-face"; within:30; nocase; content:"src|3A|"; within:80; nocase; content:"getElementbyID"; within:300; nocase; content:"innerHTML"; within:50; nocase; content:"style.fontFamily"; within:36; nocase; pcre:"/\<style\s+?id\s?=\s?\"(?P<fontstyle>\w{1,20})\".*?\@font-face.*?src\:\s?.*\.(ttf|).*?getElementByID\(\'(?P=fontstyle)'\).*?innerHTML.*?style.fontFamily/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0284; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29710; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer fontFamily attribute deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"<style id"; nocase; content:"@font-face"; within:30; nocase; content:"src|3A|"; within:80; nocase; content:"getElementbyID"; within:300; nocase; content:"innerHTML"; within:50; nocase; content:"style.fontFamily"; within:36; nocase; pcre:"/\<style\s+?id\s?=\s?\"(?P<fontstyle>\w{1,20})\".*?\@font-face.*?src\:\s?.*\.(ttf|).*?getElementByID\(\'(?P=fontstyle)'\).*?innerHTML.*?style.fontFamily/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0284; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29709; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected"; flow:to_client,established; file_data; content:".dir="; nocase; content:"rtl"; within:4; nocase; content:"word-wrap|3A|break-word"; fast_pattern:only; content:"style="; nocase; content:"border"; within:7; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0278; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:29708; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer deleted object access attempt detected"; flow:to_server,established; file_data; content:"window.navigate("; nocase; content:"document.open()"; within:50; nocase; content:"<marquee "; fast_pattern:only; content:"<marquee "; nocase; content:"onactivate|3D|"; within:50; nocase; content:"<legend"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0285; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:29707; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted object access attempt detected"; flow:to_client,established; file_data; content:"window.navigate("; nocase; content:"document.open()"; within:50; nocase; content:"<marquee "; fast_pattern:only; content:"<marquee "; nocase; content:"onactivate|3D|"; within:50; nocase; content:"<legend"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2014-0285; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:29706; rev:2;)
# sid:29679 (CVE-2014-0290, MS14-010), SMTP variant of sid:29678. Matches the
# execCommand("InsertUnorderedList") / swapNode() / execCommand("Undo") sequence; the
# pcre enforces the order and allows at most 250 bytes between the first execCommand
# and the swapNode call.
# NOTE(review): the source is "any any" whereas every other SMTP rule in this section
# (and the HTTP sibling) uses $EXTERNAL_NET, so mail originating inside $HOME_NET is
# inspected too; alert volume may differ from its peers. rev:4 here vs rev:3 on
# sid:29678 -- confirm whether the wider source is intentional.
# NOTE(review): between "swapNode(...)" and the Undo execCommand the pcre allows only
# "\s*", so a ";" terminating the swapNode statement is not accepted -- verify against
# the sample that the call really is followed by whitespace only.
# NOTE(review): msg reads "swap node user after free" ("use after free" elsewhere). The
# msg is alert output, so correcting it is a rule edit plus rev bump, not a comment.
alert tcp any any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer swap node user after free"; flow:to_server,established; file_data; content:"javascript"; content:"document|2E|execCommand|28|"; distance:14; content:"InsertUnorderedList"; within:25; distance:1; content:"swapNode|28|"; distance:0; content:"document|2E|execCommand|28|"; distance:0; content:"Undo"; within:8; distance:1; pcre:"/document\.execCommand\(\s*[\x22\x27]InsertUnorderedList[\x22\x27]\s*\)\s*\x3B.{0,250}\s*\w+\.swapNode\(\s*[A-Za-z\(\)\"\'\.\=\ ]{1,75}\s*\)\s*document\.execCommand\(\s*[\x22\x27]Undo[\x22\x27]\s*\)\s*\x3B/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0290; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:29679; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer swap node user after free"; flow:to_client,established; file_data; content:"javascript"; content:"document|2E|execCommand|28|"; distance:14; content:"InsertUnorderedList"; within:25; distance:1; content:"swapNode|28|"; distance:0; content:"document|2E|execCommand|28|"; distance:0; content:"Undo"; within:8; distance:1; pcre:"/document\.execCommand\(\s*[\x22\x27]InsertUnorderedList[\x22\x27]\s*\)\s*\x3B.{0,250}\s*\w+\.swapNode\(\s*[A-Za-z\(\)\"\'\.\=\ ]{1,75}\s*\)\s*document\.execCommand\(\s*[\x22\x27]Undo[\x22\x27]\s*\)\s*\x3B/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0290; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:29678; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CRootElement Object use after free attempt"; flow:to_server,established; file_data; content:"swapNode"; fast_pattern; content:"createElement"; within:50; content:"focus|28 29|"; within:600; distance:50; content:"onfocusin"; within:250; pcre:"/var\s*?(?P<var>\w+).*?function\s*?(?P<func1>\w+)\s*?\x28[^\x7b]+?\x7b[^\x7d]+?(?P=var)\.swapNode[^\x7d]+?createElement.*?function\s*?(?P<func2>\w+)\s*?\x28[^\x7b]+?\x7b[^\x7d]+?(?P=var)\.focus\x28\x29.*?body\s*?onload\s*?\x3d\s*?[\x22\x27](?P=func2)[^\x3e]+?onfocusin\s*?\x3d\s*?[\x22\x27](?P=func1)/smi"; metadata:policy security-ips alert, service smtp; reference:cve,2014-0273; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:29677; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CRootElement Object use after free attempt"; flow:to_client,established; file_data; content:"swapNode"; fast_pattern; content:"createElement"; within:50; content:"focus|28 29|"; within:600; distance:50; content:"onfocusin"; within:250; pcre:"/var\s*?(?P<var>\w+).*?function\s*?(?P<func1>\w+)\s*?\x28[^\x7b]+?\x7b[^\x7d]+?(?P=var)\.swapNode[^\x7d]+?createElement.*?function\s*?(?P<func2>\w+)\s*?\x28[^\x7b]+?\x7b[^\x7d]+?(?P=var)\.focus\x28\x29.*?body\s*?onload\s*?\x3d\s*?[\x22\x27](?P=func2)[^\x3e]+?onfocusin\s*?\x3d\s*?[\x22\x27](?P=func1)/smi"; metadata:policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0273; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:29676; rev:4;)
# sid:29675 (CVE-2014-0271, MS14-011): VBScript/JScript type confusion. Requires a
# language="vbscript" block (the fast_pattern) containing "Public Default Property Get"
# plus a language="jscript" block; the pcre requires a VBScript "Set <class> = new ..."
# whose name is reused in a JScript "var x = <class>". Disabled (commented out) as
# shipped.
# NOTE(review): the JScript side is written "var\s+[a-z0-9]\s+" -- one character, no
# quantifier -- so only single-character variable names satisfy the back-reference
# clause; "[a-z0-9]+" was presumably intended. Confirm before re-enabling.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer type confusion attempt"; flow:to_client,established; file_data; content:"language=|22|vbscript|22|"; fast_pattern:only; content:"Public Default Property Get"; content:"language=|22|jscript|22|"; pcre:"/Set\s+(?P<class>[a-z0-9]+)\s+\x3D\s+new.*var\s+[a-z0-9]\s+\x3D\s+(?P=class)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0271; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-011; classtype:attempted-user; sid:29675; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt"; flow:to_server,established; file_data; content:"<clipPath"; fast_pattern; nocase; content:"clip-path"; within:50; nocase; content:"url|28|"; within:25; nocase; content:"<svg"; nocase; content:"</svg"; within:250; nocase; content:"outerHTML"; nocase; pcre:"/<clipPath[^>]+?id\s*?=\s*?[\x22\x27]?(?P<clip_id>[^\x22\x27\s>]+)[\x22\x27]?[\s>].*?<clipPath[^>]+?clip-path\s*?=\s*?[\x22\x27]?url\x28\x23(?P=clip_id)/si"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,65382; reference:cve,2014-0283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29674; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt"; flow:to_server,established; file_data; content:"<clipPath"; fast_pattern; nocase; content:"clip-path"; within:50; nocase; content:"url|28|"; within:25; nocase; content:"<svg"; nocase; content:"</svg"; within:250; nocase; content:"innerHTML"; nocase; pcre:"/<clipPath[^>]+?id\s*?=\s*?[\x22\x27]?(?P<clip_id>[^\x22\x27\s>]+)[\x22\x27]?[\s>].*?<clipPath[^>]+?clip-path\s*?=\s*?[\x22\x27]?url\x28\x23(?P=clip_id)/si"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,65382; reference:cve,2014-0283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29673; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt"; flow:to_client,established; file_data; content:"<clipPath"; fast_pattern; nocase; content:"clip-path"; within:50; nocase; content:"url|28|"; within:25; nocase; content:"<svg"; nocase; content:"</svg"; within:250; nocase; content:"outerHTML"; nocase; pcre:"/<clipPath[^>]+?id\s*?=\s*?[\x22\x27]?(?P<clip_id>[^\x22\x27\s>]+)[\x22\x27]?[\s>].*?<clipPath[^>]+?clip-path\s*?=\s*?[\x22\x27]?url\x28\x23(?P=clip_id)/si"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65382; reference:cve,2014-0283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29672; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt"; flow:to_client,established; file_data; content:"<clipPath"; fast_pattern; nocase; content:"clip-path"; within:50; nocase; content:"url|28|"; within:25; nocase; content:"<svg"; nocase; content:"</svg"; within:250; nocase; content:"innerHTML"; nocase; pcre:"/<clipPath[^>]+?id\s*?=\s*?[\x22\x27]?(?P<clip_id>[^\x22\x27\s>]+)[\x22\x27]?[\s>].*?<clipPath[^>]+?clip-path\s*?=\s*?[\x22\x27]?url\x28\x23(?P=clip_id)/si"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65382; reference:cve,2014-0283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29671; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos deleted object access attempt"; flow:to_server,established; file_data; content:"getElementById"; nocase; content:"appendChild"; within:30; nocase; content:"innerHTML"; within:250; nocase; content:"<table id"; within:200; nocase; pcre:"/getElementById\s?\(\"(?P<child>\w{1,10})\"\)\.appendChild.*?innerHTML.*\<table\s?id\s?=\"(?P=child)\"/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0277; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29668; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos deleted object access attempt"; flow:to_client,established; file_data; content:"getElementById"; nocase; content:"appendChild"; within:30; nocase; content:"innerHTML"; within:250; nocase; content:"<table id"; within:200; nocase; pcre:"/getElementById\s?\(\"(?P<child>\w{1,10})\"\)\.appendChild.*?innerHTML.*\<table\s?id\s?=\"(?P=child)\"/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0277; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29667; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 use after free attempt"; flow:to_client,established; file_data; content:"document.createElement|28|"; content:"document.body.appendChild|28|"; distance:0; content:".applyElement|28|"; distance:0; content:"document.body.contentEditable|3D 22|true|22|"; distance:0; content:".execCommand|28|"; distance:0; content:".applyElement"; distance:0; content:"document.createElement"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2014-0272; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29655; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_server,established; file_data; content:"createAttributeNS"; fast_pattern:only; content:"getElementById("; nocase; content:"CollectGarbage()"; distance:0; nocase; content:"getElementById("; distance:0; nocase; pcre:"/getElementById\x28[\'\"](?P<deleted_object>\w{1,20})[\'\"].*?CollectGarbage\x28\x29.*?getElementbyID\x28[\'\"](?P=deleted_object)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0288; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:29742; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"createAttributeNS"; fast_pattern:only; content:"getElementById("; nocase; content:"CollectGarbage()"; distance:0; nocase; content:"getElementById("; distance:0; nocase; pcre:"/getElementById\x28[\'\"](?P<deleted_object>\w{1,20})[\'\"].*?CollectGarbage\x28\x29.*?getElementbyID\x28[\'\"](?P=deleted_object)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0288; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:29741; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer null attribute DoS attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"function "; distance:0; nocase; content:".attributes|3B|"; distance:0; nocase; content:"null"; within:300; nocase; pcre:"/function\s+?(?P<function>\w+)\s*?\([^{]*?.*?\w+\s*?=\s*?null\x3b.*?(?P=function)\(?/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49962; reference:cve,2011-1997; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:29814; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt"; flow:to_client,established; file_data; content:"strict.dtd"; nocase; content:".getElementByID"; nocase; content:".className"; within:50; nocase; content:"<li"; distance:0; nocase; content:"<textarea"; within:50; fast_pattern; nocase; content:"</textarea"; within:100; nocase; pcre:"/<style[^>]*?>[\r\n\s]+?\.(?P<class>\w+)[\r\n\s]*?\{[\r\n\s]*?zoom\x3a\s*?\d+px\x3b.*?document\.getElementById\s*?\(\s*?[\x22\x27]?(?P<id>\w+)[\x22\x27]?\s*?\).*?\.className\s*?=\s*?[\x22\x27]?(?P=class).*?<li\s[^>]*?id\s*?=\s*?[\x22\x27]?(?P=id)[^>]*?>[\r\n\s]+<textarea/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:29806; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt"; flow:to_client,established; file_data; content:"strict.dtd"; nocase; content:".getElementByID"; nocase; content:".className"; within:50; nocase; content:"<code"; distance:0; nocase; content:"<textarea"; within:50; fast_pattern; nocase; content:"</textarea"; within:100; nocase; pcre:"/<style[^>]*?>[\r\n\s]+?\.(?P<class>\w+)[\r\n\s]*?\{[\r\n\s]*?zoom\x3a\s*?\d+px\x3b.*?document\.getElementById\s*?\(\s*?[\x22\x27]?(?P<id>\w+)[\x22\x27]?\s*?\).*?\.className\s*?=\s*?[\x22\x27]?(?P=class).*?<code\s[^>]*?id\s*?=\s*?[\x22\x27]?(?P=id)[^>]*?>[\r\n\s]+<textarea/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:29805; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt"; flow:to_client,established; file_data; content:"<p"; nocase; content:"<textarea"; within:75; fast_pattern; nocase; content:"</textarea"; within:15; nocase; content:".getElementByID"; distance:0; nocase; content:".className"; within:75; nocase; pcre:"/<style[^>]*?>[\r\n\s]+?\.(?P<class>\w+)[\r\n\s]*?\{[\r\n\s]*?zoom\x3a\s*?\d+px\x3b.*?<p\s[^>]*?id\s*?=\s*?[\x22\x27]?(?P<id>\w+)[\x22\x27]?[^>]*?>[^<]*?<textarea.*?document\.getElementById\s*?\(\s*?[\x22\x27]?(?P=id).*?\.className\s*?=\s*?[\x22\x27]?(?P=class)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:29804; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_server,established; file_data; content:"document.styleSheets"; nocase; content:"cssText"; within:15; nocase; content:":first-line"; within:20; fast_pattern; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:29803; rev:3;)
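# sid:29802 (CVE-2013-1311, MS13-037), client-side variant of sid:29803: "document.styleSheets"
# followed within 15 bytes by "cssText" and within 20 more by ":first-line". Disabled as
# shipped (max-detect policy only).
# Fix: "cssText" now carries nocase like every other content in this rule and in the SMTP
# sibling sid:29803; without it the middle match was the only case-sensitive one in the
# chain. fast_pattern is left to the engine default (longest content) rather than copying
# the sibling's explicit choice. rev is left at 3 -- bump it before redistributing.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:"document.styleSheets"; nocase; content:"cssText"; within:15; nocase; content:":first-line"; within:20; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:29802; rev:3;)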
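# sid:29797 (CVE-2012-0171), SMTP variant of sid:29796: designMode="on" followed by
# execCommand("selectAll"), with the pcre requiring the same function name (?P<freed>) in
# both the onload and onbeforedeactivate handlers. Disabled as shipped (max-detect /
# security policy drop).
# Fix: the onload clause read "onload\s?=s?[\'\"]" -- a literal optional "s" after "=",
# not optional whitespace -- so "onload = 'f'" did not match while "onload=s'f'" did.
# It is now "onload\s?=\s?", matching the onbeforedeactivate clause in the same pcre.
# rev is left at 3 -- bump it before redistributing.
# NOTE(review): the bulletin URL names MS11-023 while the CVE is from 2012 -- verify the
# bulletin number against the CVE before relying on the reference.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer SelectAll dangling pointer use after free attempt"; flow:to_server,established; file_data; content:"document.designMode"; nocase; content:"document.execCommand("; distance:0; nocase; content:"selectAll"; within:12; nocase; content:"onbeforedeactivate"; fast_pattern:only; pcre:"/function\s?(?P<freed>\w{1,20}).*?document\.designMode\s?=\s?[\'\"]on[\'\"]\x3B.*?document\.execCommand\([\'\"]selectall[\'\"]\)\x3B.*?onload\s?=\s?[\'\"](?P=freed).*?onbeforedeactivate\s?=\s?[\'\"](?P=freed)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; classtype:attempted-user; sid:29797; rev:3;)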
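# sid:29796 (CVE-2012-0171), client-side variant of sid:29797: designMode="on" followed by
# execCommand("selectAll"), with the pcre requiring the same function name (?P<freed>) in
# both the onload and onbeforedeactivate handlers. Disabled as shipped (max-detect /
# security policy drop).
# Fix: the onload clause read "onload\s?=s?[\'\"]" -- a literal optional "s" after "=",
# not optional whitespace -- so "onload = 'f'" did not match while "onload=s'f'" did.
# It is now "onload\s?=\s?", matching the onbeforedeactivate clause in the same pcre.
# rev is left at 3 -- bump it before redistributing.
# NOTE(review): the bulletin URL names MS11-023 while the CVE is from 2012 -- verify the
# bulletin number against the CVE before relying on the reference.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SelectAll dangling pointer use after free attempt"; flow:to_client,established; file_data; content:"document.designMode"; nocase; content:"document.execCommand("; distance:0; nocase; content:"selectAll"; within:12; nocase; content:"onbeforedeactivate"; fast_pattern:only; pcre:"/function\s?(?P<freed>\w{1,20}).*?document\.designMode\s?=\s?[\'\"]on[\'\"]\x3B.*?document\.execCommand\([\'\"]selectall[\'\"]\)\x3B.*?onload\s?=\s?[\'\"](?P=freed).*?onbeforedeactivate\s?=\s?[\'\"](?P=freed)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; classtype:attempted-user; sid:29796; rev:3;)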
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 8 Javascript negative option index attack attempt"; flow:to_server,established; file_data; content:"<script"; nocase; content:".options.add"; distance:0; nocase; pcre:"/options\.add\x28.*?,\s*?(\-0x[a-f0-9]+?\s*?|-[0-9]{6,15}\s*?)\x29/smi"; metadata:service smtp; reference:bugtraq,49964; reference:cve,2011-1999; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:29758; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt"; flow:to_client,established; file_data; content:"position|3A|fixed"; fast_pattern; content:"document.getElementById|28|"; within:200; content:".focus|28|"; within:100; content:".style.position"; within:100; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0011; reference:cve,2012-0155; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-010; classtype:attempted-dos; sid:29754; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_server,established; file_data; content:"<body "; nocase; content:"onscroll="; within:50; fast_pattern; content:"document.writeln(|22 22|)"; pcre:"/<script\s*>((?!<\/script>).)*?function (?P<onload>\w+).*?\{[^}]*?document\.writeln\([\x22\x27]{2}\).*?<body[^>]*?on(scroll|load)\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:29989; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body "; nocase; content:"onscroll="; within:50; fast_pattern; content:"document.writeln(|22 22|)"; pcre:"/<script\s*>((?!<\/script>).)*?function (?P<onload>\w+).*?\{[^}]*?document\.writeln\([\x22\x27]{2}\).*?<body[^>]*?on(scroll|load)\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:29988; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer ruby text tag heap-based buffer overflow attempt"; flow:to_server,established; file_data; content:"<rt"; nocase; content:"-ms-hyphens:"; fast_pattern:only; pcre:"/<rt[^?]*?style\s*=\s*[\x22\x27]?-ms-hyphens\s*\x3A\s*auto\s*\x3B\s*[\x27\x22]?\>[\w\W]{680}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0313; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; reference:url,www.w3schools.com/tags/tag_rt.asp; classtype:attempted-dos; sid:30145; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer ruby text tag heap-based buffer overflow attempt"; flow:to_client,established; file_data; content:"<rt"; nocase; content:"-ms-hyphens:"; fast_pattern:only; pcre:"/<rt[^?]*?style\s*=\s*[\x22\x27]?-ms-hyphens\s*\x3A\s*auto\s*\x3B\s*[\x27\x22]?\>[\w\W]{680}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0313; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; reference:url,www.w3schools.com/tags/tag_rt.asp; classtype:attempted-dos; sid:30144; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer OnMove use after free attempt"; flow:to_server,established; file_data; content:"= document.createElement|28 22|html"; content:".scrollLeft="; fast_pattern:only; content:"onmove="; content:".swapNode(document.createElement"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30143; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer OnMove use after free attempt"; flow:to_client,established; file_data; content:"= document.createElement|28 22|html"; content:".scrollLeft="; fast_pattern:only; content:"onmove="; content:".swapNode(document.createElement"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30142; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer OnMove use after free attempt"; flow:to_server,established; file_data; content:"= document.createElement|28 22|html"; content:".scrollTop="; fast_pattern:only; content:"onmove="; content:".swapNode(document.createElement"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30141; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer OnMove use after free attempt"; flow:to_client,established; file_data; content:"= document.createElement|28 22|html"; content:".scrollTop="; fast_pattern:only; content:"onmove="; content:".swapNode(document.createElement"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30140; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer ruby element in media element use after free attempt"; flow:to_server,established; file_data; content:"document.createElement|28|"; content:"media"; within:20; content:"innerHTML"; content:"<ruby>"; within:20; content:"insertInputSubmit"; content:"insertInputHidden"; pcre:"/(?P<var>[a-z0-9]+)\s*\x3D\s*document\x2EcreateElement\x28[\x22\x27]media[\x22\x27]\x29.*?(?P=var)\x2EinnerHTML\s*\x3D\s*[\x22\x27]\x3Cruby\x3E[\x22\x27].*?(?P=var)\x2EinnerHTML\s*\x3D\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0309; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; classtype:attempted-user; sid:30132; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer ruby element in media element use after free attempt"; flow:to_client,established; file_data; content:"document.createElement|28|"; content:"media"; within:20; content:"innerHTML"; content:"<ruby>"; within:20; content:"insertInputSubmit"; content:"insertInputHidden"; pcre:"/(?P<var>[a-z0-9]+)\s*\x3D\s*document\x2EcreateElement\x28[\x22\x27]media[\x22\x27]\x29.*?(?P=var)\x2EinnerHTML\s*\x3D\s*[\x22\x27]\x3Cruby\x3E[\x22\x27].*?(?P=var)\x2EinnerHTML\s*\x3D\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2014-0309; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; classtype:attempted-user; sid:30131; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Nested Tables use after free attempt"; flow:to_server,established; file_data; content:"table"; nocase; content:"].removeNode(false)"; within:23; fast_pattern; nocase; content:"document.write"; nocase; content:"<table>"; within:11; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0299; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; classtype:attempted-user; sid:30130; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Nested Tables use after free attempt"; flow:to_client,established; file_data; content:"table"; nocase; content:"].removeNode(false)"; within:23; fast_pattern; nocase; content:"document.write"; nocase; content:"<table>"; within:11; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0299; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; classtype:attempted-user; sid:30129; rev:2;)
# sid 30128 (rev 1), inbound SMTP. Ordered chain: ".contentEditable", ".execCommand(" within 100,
# "Delete" within 10, ".createTextRange().execCommand(" within 100, "SelectAll" within 15, "HTML"
# within 55 (all nocase). No explicit fast_pattern and no PCRE. CVE-2014-0304 / MS14-012.
# Drop in balanced-ips and security-ips. File-data twin: sid 30127.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free memory corruption attempt"; flow:to_server,established; file_data; content:".contentEditable"; nocase; content:".execCommand|28|"; within:100; nocase; content:"Delete"; within:10; nocase; content:".createTextRange|28 29|.execCommand|28|"; within:100; nocase; content:"SelectAll"; within:15; nocase; content:"HTML"; within:55; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0304; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30128; rev:1;)
# sid 30127 (rev 1), $FILE_DATA_PORTS to $HOME_NET, to_client (ftp-data, http, imap, pop3). Same
# contentEditable / execCommand("Delete") / createTextRange().execCommand("SelectAll") chain as
# sid 30128. CVE-2014-0304 / MS14-012. Drop in balanced-ips and security-ips.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free memory corruption attempt"; flow:to_client,established; file_data; content:".contentEditable"; nocase; content:".execCommand|28|"; within:100; nocase; content:"Delete"; within:10; nocase; content:".createTextRange|28 29|.execCommand|28|"; within:100; nocase; content:"SelectAll"; within:15; nocase; content:"HTML"; within:55; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0304; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30127; rev:1;)
# sid 30126 (rev 1), inbound SMTP. Matches two verbatim, case-sensitive script fragments (the
# setAttribute("className", ...previousSibling) call and a specific setTimeout(...CollectGarbage()...)
# string used as fast_pattern:only). Because the anchors are exact PoC text, coverage is narrow and
# the rule should be read as a signature for that sample rather than for the bug class.
# CVE-2014-0311 / MS14-012. Drop in balanced-ips and security-ips. File-data twin: sid 30125.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreeDataPos object use after free attempt"; flow:to_server,established; file_data; content:"all[1].setAttribute(|22|className|22|, all[1].previousSibling)"; content:"setTimeout('CollectGarbage()|3B|all[0].outerText = |22|aaaa|22 3B|document.body.innerHTML += |22|a|22|', 1000)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0311; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; classtype:attempted-user; sid:30126; rev:1;)
# sid 30125 (rev 1), $FILE_DATA_PORTS to $HOME_NET, to_client (ftp-data, http, imap, pop3). Same two
# verbatim PoC strings as sid 30126; narrow, sample-specific coverage. CVE-2014-0311 / MS14-012.
# Drop in balanced-ips and security-ips.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreeDataPos object use after free attempt"; flow:to_client,established; file_data; content:"all[1].setAttribute(|22|className|22|, all[1].previousSibling)"; content:"setTimeout('CollectGarbage()|3B|all[0].outerText = |22|aaaa|22 3B|document.body.innerHTML += |22|a|22|', 1000)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0311; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; classtype:attempted-user; sid:30125; rev:1;)
# sid 30124 (rev 2), inbound SMTP. Chain: ".createRange(" -> ".deleteContents(" within 250 ->
# ".execCommand(" within 100 -> "insertIFrame" within 20 (fast_pattern). The PCRE then requires all
# of these inside one function body, with deleteContents called on the variable that received the
# createRange() result. CVE-2014-0297 / MS14-012. Drop in balanced-ips and security-ips.
# File-data twin: sid 30123.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt"; flow:to_server,established; file_data; content:".createRange|28|"; nocase; content:".deleteContents|28|"; within:250; nocase; content:".execCommand|28|"; within:100; nocase; content:"insertIFrame"; within:20; fast_pattern; nocase; pcre:"/function.*?\x28[^\x7b]+?\x7b[^\x7d]+?var\s*?(?P<var>\w+)\s*?\x3d[^\x7d]+?\.createRange\x28[^\x7d]+?(?P=var)\.deleteContents\x28[^\x7d]+?\.execCommand\x28\s*?[\x22\x27]\s*?insertIFrame/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30124; rev:2;)
# sid 30123 (rev 2), $FILE_DATA_PORTS to $HOME_NET, to_client (ftp-data, http, imap, pop3). Same
# createRange / deleteContents / execCommand("insertIFrame") chain and PCRE as sid 30124.
# CVE-2014-0297 / MS14-012. Drop in balanced-ips and security-ips.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt"; flow:to_client,established; file_data; content:".createRange|28|"; nocase; content:".deleteContents|28|"; within:250; nocase; content:".execCommand|28|"; within:100; nocase; content:"insertIFrame"; within:20; fast_pattern; nocase; pcre:"/function.*?\x28[^\x7b]+?\x7b[^\x7d]+?var\s*?(?P<var>\w+)\s*?\x3d[^\x7d]+?\.createRange\x28[^\x7d]+?(?P=var)\.deleteContents\x28[^\x7d]+?\.execCommand\x28\s*?[\x22\x27]\s*?insertIFrame/ims"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30123; rev:2;)
# sid 30122 (rev 2), $FILE_DATA_PORTS to $HOME_NET, to_client (ftp-data, http, imap, pop3). Chain:
# "<select", "attachEvent(" with "onpropertychange" within 50, "selected" with "true" within 15,
# then "setTimeout" and "CollectGarbage" (all nocase, no PCRE). Only the to_client variant is
# visible in this part of the file. CVE-2014-0312 / MS14-012. Drop in balanced-ips and security-ips.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSelectElement SetCurSel remote code execution attempt"; flow:to_client,established; file_data; content:"<select"; nocase; content:"attachEvent("; nocase; content:"onpropertychange"; within:50; nocase; content:"selected"; nocase; content:"true"; within:15; nocase; content:"setTimeout"; nocase; content:"CollectGarbage"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0312; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; classtype:attempted-user; sid:30122; rev:2;)
# sid 30117 (rev 2), inbound SMTP. Content anchors: createElement + "button" within 20,
# "onreadystatechange", "CollectGarbage". The PCRE ties them to one variable: it must receive
# createElement("button"), have .onreadystatechange assigned, call .addBehavior, and CollectGarbage(
# must follow. CVE-2014-0302 / MS14-012. Drop in balanced-ips and security-ips. HTTP twin: sid 30116.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer button element onreadystatechange use after free attempt"; flow:to_server,established; file_data; content:"document.createElement"; content:"button"; within:20; content:"onreadystatechange"; content:"CollectGarbage"; pcre:"/(?P<button>[a-z0-9]+)\s*\x3D\s*document\.createElement\x28[\x22\x27]button[\x22\x27]\x29.*?(?P=button)\.onreadystatechange\s*\x3D\s*.*?(?P=button)\.addBehavior.*?CollectGarbage\x28/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0302; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30117; rev:2;)
# sid 30116 (rev 1), HTTP responses from $HTTP_PORTS to $HOME_NET, to_client, service http only.
# Same button / onreadystatechange / addBehavior / CollectGarbage( detection and PCRE as sid 30117.
# CVE-2014-0302 / MS14-012. Drop in balanced-ips and security-ips.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer button element onreadystatechange use after free attempt"; flow:to_client,established; file_data; content:"document.createElement"; content:"button"; within:20; content:"onreadystatechange"; content:"CollectGarbage"; pcre:"/(?P<button>[a-z0-9]+)\s*\x3D\s*document\.createElement\x28[\x22\x27]button[\x22\x27]\x29.*?(?P=button)\.onreadystatechange\s*\x3D\s*.*?(?P=button)\.addBehavior.*?CollectGarbage\x28/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2014-0302; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30116; rev:1;)
# sid 30113 (rev 3), inbound SMTP. Two <body> tags in this order: first one carrying
# style="behavior:" (optionally -ms-behavior), a second within 150 bytes carrying onreadystatechange
# (fast_pattern), and the PCRE requires that second tag to be followed by an (almost) immediate
# </body>. sid 30112 covers the reverse tag order. CVE-2014-0303 and CVE-2014-2799 (MS14-012,
# MS14-052), bugtraq 66028. Drop in balanced-ips and security-ips. File-data twin: sid 30111.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt"; flow:to_server,established; file_data; content:"<body"; nocase; content:"behavior"; within:75; nocase; content:"<body"; within:150; nocase; content:"onreadystatechange"; within:75; fast_pattern; nocase; pcre:"/<body[^>]+?style\s*=\s*[\x22\x27](-ms-)?behavior\s*:.*?<body[^>]+?onreadystatechange\s*=[^>]+?>[\s\t\r\n]*?<\/body/si"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,66028; reference:cve,2014-0303; reference:cve,2014-2799; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:30113; rev:3;)
# sid 30112 (rev 3), inbound SMTP. Mirror of sid 30113 with the tag order reversed: a <body> with
# onreadystatechange (fast_pattern) followed within 150 bytes by a <body> whose style contains
# behavior:, which the PCRE requires to be closed by a following </body>. CVE-2014-0303 and
# CVE-2014-2799 (MS14-012, MS14-052), bugtraq 66028. Drop in balanced-ips and security-ips.
# File-data twin: sid 30110.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt"; flow:to_server,established; file_data; content:"<body"; nocase; content:"onreadystatechange"; within:75; fast_pattern; nocase; content:"<body"; within:150; nocase; content:"behavior"; within:75; nocase; pcre:"/<body[^>]+?onreadystatechange\s*=.*?<body[^>]+?style\s*=\s*[\x22\x27](-ms-)?behavior\s*:[^\x22\x27]+?[\x22\x27][^>]*?>[\s\t\r\n]*?<\/body/si"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,66028; reference:cve,2014-0303; reference:cve,2014-2799; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:30112; rev:3;)
# sid 30111 (rev 3), $FILE_DATA_PORTS to $HOME_NET, to_client (ftp-data, http, imap, pop3). Same
# behavior-then-onreadystatechange <body> pair and PCRE as sid 30113. CVE-2014-0303 and
# CVE-2014-2799 (MS14-012, MS14-052), bugtraq 66028. Drop in balanced-ips and security-ips.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt"; flow:to_client,established; file_data; content:"<body"; nocase; content:"behavior"; within:75; nocase; content:"<body"; within:150; nocase; content:"onreadystatechange"; within:75; fast_pattern; nocase; pcre:"/<body[^>]+?style\s*=\s*[\x22\x27](-ms-)?behavior\s*:.*?<body[^>]+?onreadystatechange\s*=[^>]+?>[\s\t\r\n]*?<\/body/si"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66028; reference:cve,2014-0303; reference:cve,2014-2799; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:30111; rev:3;)
# sid 30110 (rev 3), $FILE_DATA_PORTS to $HOME_NET, to_client (ftp-data, http, imap, pop3). Same
# onreadystatechange-then-behavior <body> pair and PCRE as sid 30112. CVE-2014-0303 and
# CVE-2014-2799 (MS14-012, MS14-052), bugtraq 66028. Drop in balanced-ips and security-ips.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt"; flow:to_client,established; file_data; content:"<body"; nocase; content:"onreadystatechange"; within:75; fast_pattern; nocase; content:"<body"; within:150; nocase; content:"behavior"; within:75; nocase; pcre:"/<body[^>]+?onreadystatechange\s*=.*?<body[^>]+?style\s*=\s*[\x22\x27](-ms-)?behavior\s*:[^\x22\x27]+?[\x22\x27][^>]*?>[\s\t\r\n]*?<\/body/si"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66028; reference:cve,2014-0303; reference:cve,2014-2799; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:30110; rev:3;)
# sid 30109 (rev 2), inbound SMTP. Anchors: document.body.appendChild, createTextRange(), the
# verbatim moveToElementText(document.body.all[0]) (fast_pattern:only), then execCommand('Underline'
# followed within 100 bytes by execCommand('RemoveFormat'. The verbatim all[0] anchor makes this
# sample-specific. CVE-2014-0306 / MS14-012. Drop in balanced-ips and security-ips.
# File-data twin: sid 30108.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Remove Format use after free attempt"; flow:to_server,established; file_data; content:"document.body.appendChild"; nocase; content:"createTextRange()"; nocase; content:"moveToElementText(document.body.all[0])"; fast_pattern:only; content:".execCommand('Underline'"; nocase; content:".execCommand('RemoveFormat'"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0306; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; classtype:attempted-user; sid:30109; rev:2;)
# sid 30108 (rev 2), $FILE_DATA_PORTS to $HOME_NET, to_client (ftp-data, http, imap, pop3). Same
# appendChild / createTextRange / moveToElementText(document.body.all[0]) / Underline+RemoveFormat
# chain as sid 30109. CVE-2014-0306 / MS14-012. Drop in balanced-ips and security-ips.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Remove Format use after free attempt"; flow:to_client,established; file_data; content:"document.body.appendChild"; nocase; content:"createTextRange()"; nocase; content:"moveToElementText(document.body.all[0])"; fast_pattern:only; content:".execCommand('Underline'"; nocase; content:".execCommand('RemoveFormat'"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0306; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; classtype:attempted-user; sid:30108; rev:2;)
# sid 30105 (rev 2) -- disabled upstream (commented out), inbound SMTP. Literal
# "t.parentNode.runtimeStyle.posWidth = -1;" (|3B| is ';') followed within 20 bytes by "t.focus()".
# Exact variable names t/parentNode make it sample-specific. CVE-2013-3882 / MS13-080. No policy
# metadata, so it would only alert if enabled. Variants: 30104 (posWidth = 100), 30103/30102 (file data).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt"; flow:to_server,established; file_data; content:"t.parentNode.runtimeStyle.posWidth = -1|3B|"; content:"t.focus()"; within:20; metadata:service smtp; reference:cve,2013-3882; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-080; classtype:attempted-user; sid:30105; rev:2;)
# sid 30104 (rev 2) -- disabled upstream, inbound SMTP. Literal "b.runtimeStyle.posWidth = 100;"
# followed within 20 bytes by "t.focus()". CVE-2013-3882 / MS13-080. File-data twin: sid 30102.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt"; flow:to_server,established; file_data; content:"b.runtimeStyle.posWidth = 100|3B|"; content:"t.focus()"; within:20; metadata:service smtp; reference:cve,2013-3882; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-080; classtype:attempted-user; sid:30104; rev:2;)
# sid 30103 (rev 2) -- disabled upstream, $FILE_DATA_PORTS to $HOME_NET (ftp-data, http, imap, pop3).
# File-data twin of sid 30105 (posWidth = -1 then t.focus()). CVE-2013-3882 / MS13-080.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt"; flow:to_client,established; file_data; content:"t.parentNode.runtimeStyle.posWidth = -1|3B|"; content:"t.focus()"; within:20; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3882; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-080; classtype:attempted-user; sid:30103; rev:2;)
# sid 30102 (rev 2) -- disabled upstream, $FILE_DATA_PORTS to $HOME_NET (ftp-data, http, imap, pop3).
# File-data twin of sid 30104 (posWidth = 100 then t.focus()). CVE-2013-3882 / MS13-080.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt"; flow:to_client,established; file_data; content:"b.runtimeStyle.posWidth = 100|3B|"; content:"t.focus()"; within:20; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3882; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-080; classtype:attempted-user; sid:30102; rev:2;)
# sid 30082 (rev 1), inbound SMTP. Keys on <clipPath (fast_pattern) with clip-path within 50 and
# url( within 25, an <svg ... </svg pair within 250 bytes, and "outerText". The PCRE captures the id
# of one <clipPath and requires a later <clipPath whose clip-path=url(#id) refers back to it.
# CVE-2014-0283 / MS14-010, bugtraq 65382. Drop in balanced-ips and security-ips.
# Siblings: 30081 (innerText instead of outerText), 30080/30079 (file-data ports).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt"; flow:to_server,established; file_data; content:"<clipPath"; fast_pattern; nocase; content:"clip-path"; within:50; nocase; content:"url|28|"; within:25; nocase; content:"<svg"; nocase; content:"</svg"; within:250; nocase; content:"outerText"; nocase; pcre:"/<clipPath[^>]+?id\s*?=\s*?[\x22\x27]?(?P<clip_id>[^\x22\x27\s>]+)[\x22\x27]?[\s>].*?<clipPath[^>]+?clip-path\s*?=\s*?[\x22\x27]?url\x28\x23(?P=clip_id)/si"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,65382; reference:cve,2014-0283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:30082; rev:1;)
# sid 30081 (rev 1), inbound SMTP. Identical to sid 30082 except the trailing anchor is "innerText"
# rather than "outerText"; same cross-referencing <clipPath> PCRE. CVE-2014-0283 / MS14-010,
# bugtraq 65382. Drop in balanced-ips and security-ips. File-data twin: sid 30079.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt"; flow:to_server,established; file_data; content:"<clipPath"; fast_pattern; nocase; content:"clip-path"; within:50; nocase; content:"url|28|"; within:25; nocase; content:"<svg"; nocase; content:"</svg"; within:250; nocase; content:"innerText"; nocase; pcre:"/<clipPath[^>]+?id\s*?=\s*?[\x22\x27]?(?P<clip_id>[^\x22\x27\s>]+)[\x22\x27]?[\s>].*?<clipPath[^>]+?clip-path\s*?=\s*?[\x22\x27]?url\x28\x23(?P=clip_id)/si"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,65382; reference:cve,2014-0283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:30081; rev:1;)
# sid 30080 (rev 1), $FILE_DATA_PORTS to $HOME_NET, to_client (ftp-data, http, imap, pop3).
# File-data twin of sid 30082 (clipPath self-reference via PCRE, "outerText"). CVE-2014-0283 /
# MS14-010, bugtraq 65382. Drop in balanced-ips and security-ips.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt"; flow:to_client,established; file_data; content:"<clipPath"; fast_pattern; nocase; content:"clip-path"; within:50; nocase; content:"url|28|"; within:25; nocase; content:"<svg"; nocase; content:"</svg"; within:250; nocase; content:"outerText"; nocase; pcre:"/<clipPath[^>]+?id\s*?=\s*?[\x22\x27]?(?P<clip_id>[^\x22\x27\s>]+)[\x22\x27]?[\s>].*?<clipPath[^>]+?clip-path\s*?=\s*?[\x22\x27]?url\x28\x23(?P=clip_id)/si"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65382; reference:cve,2014-0283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:30080; rev:1;)
# sid 30079 (rev 1), $FILE_DATA_PORTS to $HOME_NET, to_client (ftp-data, http, imap, pop3).
# File-data twin of sid 30081 (clipPath self-reference via PCRE, "innerText"). CVE-2014-0283 /
# MS14-010, bugtraq 65382. Drop in balanced-ips and security-ips.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt"; flow:to_client,established; file_data; content:"<clipPath"; fast_pattern; nocase; content:"clip-path"; within:50; nocase; content:"url|28|"; within:25; nocase; content:"<svg"; nocase; content:"</svg"; within:250; nocase; content:"innerText"; nocase; pcre:"/<clipPath[^>]+?id\s*?=\s*?[\x22\x27]?(?P<clip_id>[^\x22\x27\s>]+)[\x22\x27]?[\s>].*?<clipPath[^>]+?clip-path\s*?=\s*?[\x22\x27]?url\x28\x23(?P=clip_id)/si"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,65382; reference:cve,2014-0283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:30079; rev:1;)
# sid 30169 (rev 1), inbound SMTP. Anchors: ".dir=" with "rtl" within 4, the CSS
# "word-wrap:break-word" (|3A| is ':') as fast_pattern:only, and "style=" with "border" within 7.
# All anchors are ordinary CSS/DOM text and there is no PCRE, so expect some benign-content hits.
# CVE-2014-0278 / MS14-010. Drop in balanced-ips and security-ips. Only the SMTP variant is
# visible in this part of the file.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected"; flow:to_server,established; file_data; content:".dir="; nocase; content:"rtl"; within:4; nocase; content:"word-wrap|3A|break-word"; fast_pattern:only; content:"style="; nocase; content:"border"; within:7; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0278; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:30169; rev:1;)
# sid 30201 (rev 2), inbound SMTP. Anchors: createStyleSheet, ".sheet", ".removeRule" within 50
# (fast_pattern). The PCRE requires a named function whose body contains both a getElement(s)ByTagName
# call and sheet.removeRule(<one char>) in either order, and a later call of that function by name.
# CVE-2013-3191 / MS13-059. Drop in balanced-ips and security-ips. Only the SMTP variant is visible
# in this part of the file.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer merged stylesheet array use after free attempt"; flow:to_server,established; file_data; content:"createStyleSheet"; content:".sheet"; content:".removeRule"; within:50; fast_pattern; pcre:"/function\s+(?P<n>\w+)\s*\([^\)]*?\)\s*\{[^\}]*?\x2e\s*(getElement[s]*ByTagName[^\}]*?sheet\s*\x2e\s*removeRule\s*\(\s*\w\s*\)|sheet\s*\x2e\s*removeRule\s*\(\s*\w\s*\)[^\}]*?\x2e\s*getElement[s]*ByTagName)[^\}]*?(?P=n)\s*\(/si"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3191; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-059; classtype:attempted-user; sid:30201; rev:2;)
# sid 30289 (rev 2) -- disabled upstream, inbound SMTP. Structural chain: <table, <colgroup within
# 100, </colgroup> within 50 at distance 1, then a <style block declaring colgroup{display:none}
# (hex-escaped tokens), then <script with document.execCommand( within 200. No PCRE and no policy
# metadata. CVE-2013-3873 / MS13-080.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer HtmlLayout SmartObject use after free attempt"; flow:to_server,established; file_data; content:"|3C|table"; nocase; content:"|3C|colgroup"; within:100; nocase; content:"|3C 2F|colgroup|3E|"; within:50; distance:1; nocase; content:"|3C|style"; distance:0; nocase; content:"colgroup|7B|"; distance:0; nocase; content:"display|3A|"; within:10; nocase; content:"none"; within:8; nocase; content:"|3C|script"; nocase; content:"document.execCommand|28|"; within:200; metadata:service smtp; reference:cve,2013-3873; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-080; classtype:attempted-user; sid:30289; rev:2;)
# sid 30345 (rev 2), inbound SMTP. Looks for an onbeforeeditfocus attribute whose quoted handler
# value begins with document.write (content pair within 30 bytes, confirmed by the PCRE).
# CVE-2013-0029 / MS13-009. Drop in balanced-ips and security-ips. Only the SMTP variant is visible
# in this part of the file.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt"; flow:to_server,established; file_data; content:"onbeforeeditfocus"; nocase; content:"document.write"; within:30; pcre:"/onbeforeeditfocus\s*?=\s*?[\x22\x27]document\x2ewrite/ism"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0029; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:30345; rev:2;)
# sid 30509 (rev 2) -- disabled upstream, inbound SMTP. Anchors: literal "<button><kbd"
# (fast_pattern:only), ".appendChild(document.createElement(", ".swapNode(document.createElement("
# within 200, "CollectGarbage()" within 200. No PCRE, no policy metadata. CVE-2014-1752 / MS14-018.
# File-data twin: sid 30508.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 7 swapNode use after free attempt"; flow:to_server,established; file_data; content:"|3C|button|3E 3C|kbd"; fast_pattern:only; content:".appendChild|28|document.createElement|28|"; content:".swapNode|28|document.createElement|28|"; within:200; content:"CollectGarbage|28 29|"; within:200; metadata:service smtp; reference:cve,2014-1752; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-018; classtype:attempted-user; sid:30509; rev:2;)
# sid 30508 (rev 1) -- disabled upstream, $FILE_DATA_PORTS to $HOME_NET (ftp-data, http, imap, pop3).
# File-data twin of sid 30509 ("<button><kbd" / appendChild / swapNode / CollectGarbage()).
# CVE-2014-1752 / MS14-018.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 7 swapNode use after free attempt"; flow:to_client,established; file_data; content:"|3C|button|3E 3C|kbd"; fast_pattern:only; content:".appendChild|28|document.createElement|28|"; content:".swapNode|28|document.createElement|28|"; within:200; content:"CollectGarbage|28 29|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-1752; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-018; classtype:attempted-user; sid:30508; rev:1;)
# sid 30502 (rev 1), inbound SMTP. Ordered anchors (distance:0 chain): ":nth-child(" (fast_pattern),
# ".createRange(", "extractContents", "<li ". No PCRE. CVE-2014-1755 / MS14-018. Drop in
# balanced-ips and security-ips. File-data twin: sid 30501.
# NOTE(review): flow is written "to_server, established" with a space after the comma, unlike every
# other rule here; Snort's flow parser appears to tolerate leading whitespace in the token, but
# normalizing to "to_server,established" would keep the file consistent -- confirm before editing.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer nth-child use after free attempt"; flow:to_server, established; file_data; content:"|3A|nth-child|28|"; fast_pattern; content:".createRange|28|"; distance:0; content:"extractContents"; distance:0; content:"|3C|li "; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1755; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-018; classtype:attempted-user; sid:30502; rev:1;)
# sid 30501 (rev 1), $FILE_DATA_PORTS to $HOME_NET, to_client (ftp-data, http, imap, pop3).
# File-data twin of sid 30502 (":nth-child(" / createRange / extractContents / "<li " in order).
# CVE-2014-1755 / MS14-018. Drop in balanced-ips and security-ips.
# NOTE(review): same "to_client, established" spacing oddity as sid 30502.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer nth-child use after free attempt"; flow:to_client, established; file_data; content:"|3A|nth-child|28|"; fast_pattern; content:".createRange|28|"; distance:0; content:"extractContents"; distance:0; content:"|3C|li "; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1755; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-018; classtype:attempted-user; sid:30501; rev:1;)
# sid 30500 (rev 1), inbound SMTP. Ordered anchors: "outerText=", execCommand("SelectAll")
# (fast_pattern), "onselectstart=", "Element" (all nocase, distance:0 chain, no PCRE). The msg is
# generic ("remote code execution attempt"); the references pin it to CVE-2014-1751 / MS14-018.
# Drop in balanced-ips and security-ips. File-data twin: sid 30499.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer remote code execution attempt"; flow:to_server,established; file_data; content:"outerText="; nocase; content:"execCommand(|22|SelectAll|22|)"; distance:0; fast_pattern; nocase; content:"onselectstart="; distance:0; nocase; content:"Element"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1751; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-018; classtype:attempted-user; sid:30500; rev:1;)
# sid 30499 (rev 1), $FILE_DATA_PORTS to $HOME_NET, to_client (ftp-data, http, imap, pop3).
# File-data twin of sid 30500 (outerText= / execCommand("SelectAll") / onselectstart= / Element).
# CVE-2014-1751 / MS14-018. Drop in balanced-ips and security-ips.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer remote code execution attempt"; flow:to_client,established; file_data; content:"outerText="; nocase; content:"execCommand(|22|SelectAll|22|)"; distance:0; fast_pattern; nocase; content:"onselectstart="; distance:0; nocase; content:"Element"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1751; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-018; classtype:attempted-user; sid:30499; rev:1;)
# sid 30498 (rev 2), inbound SMTP. Anchors: "document.createElement(", ".setAttribute(" within 50,
# ".cloneNode(" within 100 (fast_pattern), then "<body onload=" (case-sensitive, no PCRE). These
# are common DOM calls, so the rule is broad; the drop policy makes false positives costly and
# worth watching. CVE-2014-1753 / MS14-018. Drop in balanced-ips and security-ips.
# File-data twin: sid 30497.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer failed large copy clonenode attempt"; flow:to_server,established; file_data; content:"document.createElement("; content:".setAttribute("; within:50; content:".cloneNode("; within:100; fast_pattern; content:"<body onload="; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1753; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-018; classtype:attempted-user; sid:30498; rev:2;)
# sid 30497 (rev 2), $FILE_DATA_PORTS to $HOME_NET, to_client (ftp-data, http, imap, pop3).
# File-data twin of sid 30498 (createElement / setAttribute / cloneNode / "<body onload="); same
# broad-anchor caveat. CVE-2014-1753 / MS14-018. Drop in balanced-ips and security-ips.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer failed large copy clonenode attempt"; flow:to_client,established; file_data; content:"document.createElement("; content:".setAttribute("; within:50; content:".cloneNode("; within:100; fast_pattern; content:"<body onload="; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1753; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-018; classtype:attempted-user; sid:30497; rev:2;)
# sid 30491 (rev 2) -- disabled upstream, inbound SMTP. Anchors: <script, window.open, ".click"
# within 100. The PCRE flags a window.open( whose URL scheme is NOT one of the listed known
# schemes (negative lookahead) yet is still followed by "://" -- i.e. an unexpected scheme.
# Old issue: CVE-2004-2219, bugtraq 10943. No policy metadata. File-data twin: sid 30490.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer address bar spoofing with scripting"; flow:to_server,established; file_data; content:"<script"; nocase; content:"window.open"; distance:0; content:".click"; within:100; pcre:"/window\.open\(\s*(\x5C[\x22\x27])?\s*(?!(about|cdl|dvd|f(ile|tp)|gopher|http?|i(pp|ts)|javascript|local|m(ailto|html|k|sdaipp|s-its)|res|sysimage|tv|vbscript|wia)).{1,10}\:\/\//i"; metadata:service smtp; reference:bugtraq,10943; reference:cve,2004-2219; classtype:attempted-user; sid:30491; rev:2;)
# sid 30490 (rev 2) -- disabled upstream, $FILE_DATA_PORTS to $HOME_NET (ftp-data, http, imap, pop3).
# File-data twin of sid 30491 (window.open with an unlisted URL scheme, then .click).
# CVE-2004-2219, bugtraq 10943.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer address bar spoofing with scripting"; flow:to_client,established; file_data; content:"<script"; nocase; content:"window.open"; distance:0; content:".click"; within:100; pcre:"/window\.open\(\s*(\x5C[\x22\x27])?\s*(?!(about|cdl|dvd|f(ile|tp)|gopher|http?|i(pp|ts)|javascript|local|m(ailto|html|k|sdaipp|s-its)|res|sysimage|tv|vbscript|wia)).{1,10}\:\/\//i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,10943; reference:cve,2004-2219; classtype:attempted-user; sid:30490; rev:2;)
# sid 30803 (rev 6), inbound SMTP. Anchors: the VML behavior "url(#default#VML)" (fast_pattern:only),
# the schemas-microsoft-com:vml namespace, "removeNode", "onpropertychange". The PCRE requires a
# named, zero-argument function whose body (without a nested function keyword) calls removeNode, and
# that function later assigned as an .onpropertychange handler. CVE-2014-1776 / MS14-021, bugtraq
# 67075. Drop in balanced-ips, max-detect-ips and security-ips. File-data twin: sid 30794.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VML use after free attempt"; flow:to_server,established; file_data; content:"url|28 23|default|23|VML|29|"; fast_pattern:only; content:"schemas-microsoft-com|3A|vml"; nocase; content:"removeNode"; nocase; content:"onpropertychange"; distance:0; nocase; pcre:"/function\s+?(?P<func>\w+)\s*?\x28\s*?\x29\s*?\x7b((?!function).)*?removeNode.*?\x2eonpropertychange\s*?=\s*?(?P=func)/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67075; reference:cve,2014-1776; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-021; classtype:attempted-user; sid:30803; rev:6;)
# sid 30794 (rev 6), $FILE_DATA_PORTS to $HOME_NET, to_client (ftp-data, http, imap, pop3).
# File-data twin of sid 30803 (VML behavior + removeNode function bound to onpropertychange).
# CVE-2014-1776 / MS14-021, bugtraq 67075. Drop in balanced-ips, max-detect-ips and security-ips.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VML use after free attempt"; flow:to_client,established; file_data; content:"url|28 23|default|23|VML|29|"; fast_pattern:only; content:"schemas-microsoft-com|3A|vml"; nocase; content:"removeNode"; nocase; content:"onpropertychange"; distance:0; nocase; pcre:"/function\s+?(?P<func>\w+)\s*?\x28\s*?\x29\s*?\x7b((?!function).)*?removeNode.*?\x2eonpropertychange\s*?=\s*?(?P=func)/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67075; reference:cve,2014-1776; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-021; classtype:attempted-user; sid:30794; rev:6;)
# sid 30851 (rev 2) -- disabled upstream, inbound SMTP. Mixed VBScript/JScript page: language="vbscript"
# (fast_pattern:only), "Public Default Property Get", language="jscript"; the PCRE requires a VBScript
# "Set x = new ..." followed by a JScript "var y = x" referring to the same name. No policy metadata.
# CVE-2014-0271 / MS14-006. Sibling variants: 30850 (class/property structure), 30849 (file data).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer type confusion attempt"; flow:to_server,established; file_data; content:"language=|22|vbscript|22|"; fast_pattern:only; content:"Public Default Property Get"; content:"language=|22|jscript|22|"; pcre:"/Set\s+(?P<class>[a-z0-9]+)\s+\x3D\s+new.*var\s+[a-z0-9]\s+\x3D\s+(?P=class)/smi"; metadata:service smtp; reference:cve,2014-0271; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-006; classtype:attempted-user; sid:30851; rev:2;)
# sid 30850 (rev 3) -- disabled upstream, inbound SMTP. VBScript structure: "Class ", "Public Default
# Property Get ", "End Property" within 100, "Set" then "New" within 50. The PCRE binds the class
# name, the default property name, and the variable created with Set ... = New <class>, and then
# requires an assignment to <var>.<property>. No policy metadata. CVE-2014-0271 / MS14-006.
# File-data twin: sid 30849.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer type confusion attempt"; flow:to_server,established; file_data; content:"Class "; content:"Public Default Property Get "; distance:0; content:"End Property"; within:100; content:"Set"; distance:0; content:"New"; within:50; nocase; pcre:"/Class\s(?P<class>[a-z0-9]+).*?Public\sDefault\sProperty\sGet\s(?P<property>[a-z0-9]+)\s+(?P=property)[^\x3D]+?End\sProperty.*?Set\s(?P<var>[a-z0-9]+)\s\x3D\sNew\s(?P=class).*?(?P=var)\.(?P=property)\s\x3D/smi"; metadata:service smtp; reference:cve,2014-0271; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-006; classtype:attempted-user; sid:30850; rev:3;)
# sid 30849 (rev 3) -- disabled upstream, $FILE_DATA_PORTS to $HOME_NET (ftp-data, http, imap, pop3).
# File-data twin of sid 30850 (VBScript Class / Default Property Get / Set = New structure).
# CVE-2014-0271 / MS14-006.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer type confusion attempt"; flow:to_client,established; file_data; content:"Class "; content:"Public Default Property Get "; distance:0; content:"End Property"; within:100; content:"Set"; distance:0; content:"New"; within:50; nocase; pcre:"/Class\s(?P<class>[a-z0-9]+).*?Public\sDefault\sProperty\sGet\s(?P<property>[a-z0-9]+)\s+(?P=property)[^\x3D]+?End\sProperty.*?Set\s(?P<var>[a-z0-9]+)\s\x3D\sNew\s(?P=class).*?(?P=var)\.(?P=property)\s\x3D/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0271; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-006; classtype:attempted-user; sid:30849; rev:3;)
# sid 30848 (rev 1), inbound SMTP. Anchors: ".attachEvent" (fast_pattern), "onfocus" within 15,
# document.write within 150, "<area" within 250. The PCRE requires <elem>.attachEvent("onfocusin"
# or "onfocusout", <func>), a function <func> whose body calls document.write/writeln with a quoted
# string, and an <area id="<elem>"> matching the element name. CVE-2014-0275 / MS14-005.
# Drop in balanced-ips and security-ips. File-data twin: sid 30847.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CElement event handler use after free attempt"; flow:to_server,established; file_data; content:".attachEvent"; fast_pattern; content:"onfocus"; within:15; nocase; content:"document.write"; within:150; content:"<area"; within:250; nocase; pcre:"/(?<area>\w+)\x2EattachEvent\s*\x28[\x27\x22]\s*onfocus(out|in)\s*[\x27\x22]\s*,\s*(?<func>\w+)\s*?\x29.*?function\s*(?P=func)\s*?\x28[^\x29]*?\x29\s*\x7b[^\x7d]*?document\x2Ewrite(ln)?\s*\x28\s*[\x27\x22][^\x29]*?[\x27\x22]\s*?\x29.*?<area\s*id\s*=[\x27\x22]\s*(?P=area)\s*[\x27\x22]/si"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0275; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-user; sid:30848; rev:1;)
# sid 30847 (rev 1), $FILE_DATA_PORTS to $HOME_NET, to_client (ftp-data, http, imap, pop3).
# File-data twin of sid 30848 (attachEvent onfocusin/out handler that document.writes, bound to an
# <area> by id). CVE-2014-0275 / MS14-005. Drop in balanced-ips and security-ips.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement event handler use after free attempt"; flow:to_client,established; file_data; content:".attachEvent"; fast_pattern; content:"onfocus"; within:15; nocase; content:"document.write"; within:150; content:"<area"; within:250; nocase; pcre:"/(?<area>\w+)\x2EattachEvent\s*\x28[\x27\x22]\s*onfocus(out|in)\s*[\x27\x22]\s*,\s*(?<func>\w+)\s*?\x29.*?function\s*(?P=func)\s*?\x28[^\x29]*?\x29\s*\x7b[^\x7d]*?document\x2Ewrite(ln)?\s*\x28\s*[\x27\x22][^\x29]*?[\x27\x22]\s*?\x29.*?<area\s*id\s*=[\x27\x22]\s*(?P=area)\s*[\x27\x22]/si"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0275; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-user; sid:30847; rev:1;)
# sid 30895 (rev 4), inbound SMTP. Single 32-byte binary pattern in file_data (fast_pattern:only),
# nothing else. The rule does not say what the bytes are; they are presumably taken from a specific
# sample associated with the VML issue, so treat this as a sample hash-like signature -- confirm
# against the source sample before tuning. CVE-2014-1776 / MS14-021. Drop in balanced-ips,
# max-detect-ips and security-ips. File-data twin: sid 30894.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VML use after free attempt"; flow:to_server,established; file_data; content:"|C2 06 62 06 25 80 02 15 DF FF FF 24 00 63 07 24 00 82 63 09 10 34 00 00 09 62 07 D2 62 09 66|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1776; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-021; classtype:attempted-user; sid:30895; rev:4;)
# sid 30894 (rev 4), $FILE_DATA_PORTS to $HOME_NET, to_client (ftp-data, http, imap, pop3).
# File-data twin of sid 30895: the same 32-byte binary pattern and nothing else. CVE-2014-1776 /
# MS14-021. Drop in balanced-ips, max-detect-ips and security-ips.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VML use after free attempt"; flow:to_client,established; file_data; content:"|C2 06 62 06 25 80 02 15 DF FF FF 24 00 63 07 24 00 82 63 09 10 34 00 00 09 62 07 D2 62 09 66|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1776; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-021; classtype:attempted-user; sid:30894; rev:4;)
# sid 30893 (rev 3) -- disabled upstream, inbound SMTP. Anchors: VML "url(#default#VML)"
# (fast_pattern:only), "embed src=" with ".swf" within 10, a "<v:" element with id= within 10 and
# style= within 15. Policy metadata lists max-detect-ips and security-ips only (no balanced-ips),
# but the rule is commented out. CVE-2014-1776 / MS14-021. File-data twin: sid 30892.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VML use after free attempt"; flow:to_server,established; file_data; content:"url|28 23|default|23|VML|29|"; fast_pattern:only; content:"embed src="; content:".swf"; within:10; content:"|3C|v|3A|"; content:"id="; within:10; content:"style="; within:15; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1776; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-021; classtype:attempted-user; sid:30893; rev:3;)
# sid 30892 (rev 3) -- disabled upstream, $FILE_DATA_PORTS to $HOME_NET (ftp-data, http, imap, pop3).
# File-data twin of sid 30893 (VML behavior + embedded .swf + <v: element with id/style).
# CVE-2014-1776 / MS14-021.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VML use after free attempt"; flow:to_client,established; file_data; content:"url|28 23|default|23|VML|29|"; fast_pattern:only; content:"embed src="; content:".swf"; within:10; content:"|3C|v|3A|"; content:"id="; within:10; content:"style="; within:15; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1776; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-021; classtype:attempted-user; sid:30892; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CElement use after free attempt"; flow:to_server,established; file_data; content:"<marquee"; fast_pattern; nocase; content:".applyElement"; distance:0; nocase; content:".createElement"; within:100; nocase; content:"frameset"; within:50; nocase; content:".createRange"; within:250; nocase; pcre:"/<marquee[^>]+?id\s*?=\s*?[\x22\x27]?(?P<elem>\w+)[\x22\x27]?[\s>].*?(?P=elem)\.applyElement\s*?\x28[^\x29]*?createElement\s*?\x28\s*?[\x22\x27]frameset[\x22\x27]\s*?\x29/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1815; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-029; classtype:attempted-user; sid:30964; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CElement use after free attempt"; flow:to_server,established; file_data; content:"applyElement"; nocase; content:"createElement"; nocase; content:"frameset"; within:50; nocase; content:"createRange"; within:250; nocase; content:"<marquee"; fast_pattern:only; content:"onload"; nocase; content:"onresize"; content:"contentEditable"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1815; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-029; classtype:attempted-user; sid:30963; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement use after free attempt"; flow:to_client,established; file_data; content:"<marquee"; fast_pattern; nocase; content:".applyElement"; distance:0; nocase; content:".createElement"; within:100; nocase; content:"frameset"; within:50; nocase; content:".createRange"; within:250; nocase; pcre:"/<marquee[^>]+?id\s*?=\s*?[\x22\x27]?(?P<elem>\w+)[\x22\x27]?[\s>].*?(?P=elem)\.applyElement\s*?\x28[^\x29]*?createElement\s*?\x28\s*?[\x22\x27]frameset[\x22\x27]\s*?\x29/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1815; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-029; classtype:attempted-user; sid:30962; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement use after free attempt"; flow:to_client,established; file_data; content:"applyElement"; nocase; content:"createElement"; nocase; content:"frameset"; within:50; nocase; content:"createRange"; within:250; nocase; content:"<marquee"; fast_pattern:only; content:"onload"; nocase; content:"onresize"; content:"contentEditable"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1815; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-029; classtype:attempted-user; sid:30961; rev:4;)
# sid 30957 (and its client-side twin 30956 below): every content match in the
# chain carries nocase except `content:"onfocus"; within:20;`. If that is not
# deliberate, a mixed-case "onFocus" in the sample is missed while the
# surrounding tokens still match case-insensitively. NOTE(review): confirm the
# intent before adding nocase; any edit to the rule also needs a rev bump.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer deleted object memory corruption attempt"; flow:to_server,established; file_data; content:"<dir"; nocase; content:"<sub"; nocase; content:"fireEvent"; nocase; content:"onfocus"; within:20; content:"attachEvent"; nocase; content:"onfocusout"; within:20; nocase; content:"attachEvent"; distance:0; nocase; content:"onfocusout"; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0310; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-029; classtype:attempted-user; sid:30957; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted object memory corruption attempt"; flow:to_client,established; file_data; content:"<dir"; nocase; content:"<sub"; nocase; content:"fireEvent"; nocase; content:"onfocus"; within:20; content:"attachEvent"; nocase; content:"onfocusout"; within:20; nocase; content:"attachEvent"; distance:0; nocase; content:"onfocusout"; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0310; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-029; classtype:attempted-user; sid:30956; rev:1;)
# sid 30121 (and 30120 below): msg reads "pastHTML" but the content chain matches
# `document.selection.createRange|28 29|.pasteHTML|28|`, so the msg is a typo for
# "pasteHTML". Left as-is here because changing msg on a distributed rule must be
# paired with a rev bump; fix both together.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer pastHTML use after free"; flow:to_server,established; file_data; content:"document.body.contentEditable="; content:"true"; within:20; content:"document.execCommand"; within:200; content:"InsertInputSubmit"; within:50; content:".addBehavior"; within:50; content:"document.execCommand"; within:50; content:"SelectAll"; within:20; content:"document.selection.createRange|28 29|.pasteHTML|28|"; within:100; content:"event="; distance:0; content:"onreadystatechange"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0305; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30121; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer pastHTML use after free"; flow:to_client,established; file_data; content:"document.body.contentEditable="; content:"true"; within:20; content:"document.execCommand"; within:200; content:"InsertInputSubmit"; within:50; content:".addBehavior"; within:50; content:"document.execCommand"; within:50; content:"SelectAll"; within:20; content:"document.selection.createRange|28 29|.pasteHTML|28|"; within:100; content:"event="; distance:0; content:"onreadystatechange"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0305; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30120; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer setEndPoint use after free attempt"; flow:to_server,established; file_data; content:"document.body.createTextRange|28 29|"; content:".moveToElementText"; within:200; content:".moveToElementText"; within:220; content:".setEndPoint"; within:420; content:"EndToStart"; within:30; content:".select"; within:500; content:"document.execCommand|28|"; within:120; content:"delete"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0314; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30119; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer setEndPoint use after free attempt"; flow:to_client,established; file_data; content:"document.body.createTextRange|28 29|"; content:".moveToElementText"; within:200; content:".moveToElementText"; within:220; content:".setEndPoint"; within:420; content:"EndToStart"; within:30; content:".select"; within:500; content:"document.execCommand|28|"; within:120; content:"delete"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0314; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30118; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer WindowedMarkupContext use after free attempt"; flow:to_server,established; file_data; content:".getSVGDocument"; fast_pattern; nocase; content:".createRange"; within:250; nocase; content:".getSelection"; within:250; nocase; content:".addRange"; within:50; nocase; pcre:"/var\s+?(?P<elem>\w+)\s*?=\s*?\w+\.getSVGDocument\s*?\x28.*?(?P=elem)\.createRange\s*?\x28/si"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31220; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer WindowedMarkupContext use after free attempt"; flow:to_client,established; file_data; content:".getSVGDocument"; fast_pattern; nocase; content:".createRange"; within:250; nocase; content:".getSelection"; within:250; nocase; content:".addRange"; within:50; nocase; pcre:"/var\s+?(?P<elem>\w+)\s*?=\s*?\w+\.getSVGDocument\s*?\x28.*?(?P=elem)\.createRange\s*?\x28/si"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31219; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"<ul "; nocase; content:"style=|22|white-space:pre|3B 22|"; fast_pattern:only; content:"document.createElement(|22|header|22|)"; nocase; content:"applyElement"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1802; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31216; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"<ul "; nocase; content:"style=|22|white-space:pre|3B 22|"; fast_pattern:only; content:"document.createElement(|22|header|22|)"; nocase; content:"applyElement"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1802; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31215; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDispNode use after free attempt"; flow:to_server,established; file_data; content:"contentEditable"; fast_pattern; content:"onresize"; within:150; content:".appendChild"; content:"<body onload="; pcre:"/contentEditable\s*\x3d\s*[\x22\x27]true.*?id\s*\x3d\s*(?P<idName>\w+)\s+.*?onresize\s*\x3d[\x22\x27](?P=idName)\x2ereplaceNode\x28(?P=idName)\x29/Rsmi"; metadata:service smtp; reference:cve,2014-1766; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31209; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDispNode use after free attempt"; flow:to_client,established; file_data; content:"contentEditable"; fast_pattern; content:"onresize"; within:150; content:".appendChild"; content:"<body onload="; pcre:"/contentEditable\s*\x3d\s*[\x22\x27]true.*?id\s*\x3d\s*(?P<idName>\w+)\s+.*?onresize\s*\x3d[\x22\x27](?P=idName)\x2ereplaceNode\x28(?P=idName)\x29/Rsmi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-1766; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31208; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 CTreePos child element use-after-free attempt"; flow:to_server,established; file_data; content:"document.getElementByID"; fast_pattern; nocase; content:"innerText"; within:40; nocase; content:"parentNode.removeChild"; within:50; nocase; pcre:"/var\s?(?P<ctreepos>\w+).*?(?P=ctreepos)\.innerText\s?=\s?[\x22\x27]{2}.*?(?P=ctreepos)\.parentNode\.removeChild\x28(?P=ctreepos)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1800; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31207; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 CTreePos child element use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementByID"; fast_pattern; nocase; content:"innerText"; within:40; nocase; content:"parentNode.removeChild"; within:50; nocase; pcre:"/var\s?(?P<ctreepos>\w+).*?(?P=ctreepos)\.innerText\s?=\s?[\x22\x27]{2}.*?(?P=ctreepos)\.parentNode\.removeChild\x28(?P=ctreepos)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1800; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31206; rev:2;)
# sid 31205 (and 31204 below) is disabled and references the same CVE-2014-0282 as
# the enabled pair 31404/31403 further down (rev 5, balanced-ips drop). This older
# pair keys on the shorter "getElement" token and is max-detect/security only;
# check the overlap with 31404/31403 before re-enabling it.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer celement use after free attempt"; flow:to_server,established; file_data; content:"getElement"; content:"checked"; within:100; nocase; content:"getElement"; within:100; content:"onpropertychange"; within:200; fast_pattern; nocase; content:"reset"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0282; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31205; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer celement use after free attempt"; flow:to_client,established; file_data; content:"getElement"; content:"checked"; within:100; nocase; content:"getElement"; within:100; content:"onpropertychange"; within:200; fast_pattern; nocase; content:"reset"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0282; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31204; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CRangeSaver use after free attempt"; flow:to_server,established; file_data; content:".createRange"; nocase; content:".set"; within:250; nocase; content:"NaN"; within:50; content:".addRange"; within:250; nocase; content:".execCommand"; within:250; fast_pattern; nocase; pcre:"/(?P<range>\w+)\.set(Start|End)\s*?\x28[^\x2c]+?\x2c\s*?NaN\s*?\x29.*?\.addRange\x28\s*?(?P=range)\s*?\x29/si"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1772; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31203; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CRangeSaver use after free attempt"; flow:to_client,established; file_data; content:".createRange"; nocase; content:".set"; within:250; nocase; content:"NaN"; within:50; content:".addRange"; within:250; nocase; content:".execCommand"; within:250; fast_pattern; nocase; pcre:"/(?P<range>\w+)\.set(Start|End)\s*?\x28[^\x2c]+?\x2c\s*?NaN\s*?\x29.*?\.addRange\x28\s*?(?P=range)\s*?\x29/si"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1772; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31202; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer summary node swap use after free attempt"; flow:to_server,established; file_data; content:"contentEditable"; content:"swapNode"; within:300; fast_pattern; content:"createElement"; content:"frame"; within:100; metadata:service smtp; reference:cve,2014-1789; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31201; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer summary node swap use after free attempt"; flow:to_client,established; file_data; content:"contentEditable"; content:"swapNode"; within:300; fast_pattern; content:"createElement"; content:"frame"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-1789; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31200; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"onload="; content:"onresize="; distance:0; nocase; content:".applyElement(document.createElement("; fast_pattern:only; content:"<tr>"; nocase; content:"<tt"; distance:0; nocase; content:"</tt>"; distance:0; nocase; content:"</tr>"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1804; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31199; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"onload="; content:"onresize="; distance:0; nocase; content:".applyElement(document.createElement("; fast_pattern:only; content:"<tr>"; nocase; content:"<tt"; distance:0; nocase; content:"</tt>"; distance:0; nocase; content:"</tr>"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1804; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31198; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode onmousemove use-after-free attempt"; flow:to_server,established; file_data; content:"onmousemove"; nocase; content:"setCapture"; distance:0; nocase; content:"removeNode(true)"; nocase; content:"CollectGarbage"; within:18; nocase; content:"setCapture"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1791; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31197; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode onmousemove use-after-free attempt"; flow:to_client,established; file_data; content:"onmousemove"; nocase; content:"setCapture"; distance:0; nocase; content:"removeNode(true)"; nocase; content:"CollectGarbage"; within:18; nocase; content:"setCapture"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1791; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31196; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt"; flow:to_server,established; file_data; content:"contentEditable"; nocase; content:"true"; within:6; content:"onpagehide"; fast_pattern:only; content:".createTextRange"; content:".execCommand"; distance:0; content:"InsertInput"; content:"document.write"; within:25; content:"iframe"; distance:0; metadata:service smtp; reference:cve,2014-1795; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31194; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 use after free attempt"; flow:to_server,established; file_data; content:".createRange|28|"; nocase; content:".setStart"; within:100; nocase; content:".setEnd"; within:100; nocase; content:"endContainer"; within:150; distance:100; fast_pattern; nocase; content:"removeNode"; within:25; nocase; content:"endContainer"; within:25; nocase; metadata:service smtp; reference:cve,2014-1762; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-035; classtype:attempted-user; sid:31193; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 use after free attempt"; flow:to_client,established; file_data; content:".createRange|28|"; nocase; content:".setStart"; within:100; nocase; content:".setEnd"; within:100; nocase; content:"endContainer"; within:150; distance:100; fast_pattern; nocase; content:"removeNode"; within:25; nocase; content:"endContainer"; within:25; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-1762; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-035; classtype:attempted-user; sid:31192; rev:2;)
# sid 31191 (and 31190 below): in the pcre, `Insert[^B(HT)]\w+` is a negated
# character class, so "(" and ")" inside it are literal characters, not grouping.
# Presumably only B/H/T were meant to be excluded after "Insert"; if so the class
# should read `[^BHT]` — as written it additionally rejects "(" and ")" at that
# position, which is harmless but misleading. Confirm intent before editing.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer RemoveSplice use-after-free attempt"; flow:to_server,established; file_data; content:".addEventListener"; content:"DOMNodeRemoved"; within:20; fast_pattern; nocase; content:".execCommand"; content:"SelectAll"; within:15; nocase; content:".execCommand"; distance:0; content:"Insert"; within:15; nocase; pcre:"/(?P<target>\w+)\x2eaddEventListener\s*\x28\s*[\x22\x27]\s*DOMNodeRemoved\s*[\x22\x27]\s*\x2c.*?(?P=target)\x2eexecCommand\s*\x28\s*[\x22\x27]\s*SelectAll\s*[\x22\x27]\s*\x29.*?(?P=target)\x2eexecCommand\s*\x28\s*[\x22\x27]\s*Insert[^B(HT)]\w+[\x22\x27]\s*\x2c/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1785; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-035; classtype:attempted-user; sid:31191; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer RemoveSplice use-after-free attempt"; flow:to_client,established; file_data; content:".addEventListener"; content:"DOMNodeRemoved"; within:20; fast_pattern; nocase; content:".execCommand"; content:"SelectAll"; within:15; nocase; content:".execCommand"; distance:0; content:"Insert"; within:15; nocase; pcre:"/(?P<target>\w+)\x2eaddEventListener\s*\x28\s*[\x22\x27]\s*DOMNodeRemoved\s*[\x22\x27]\s*\x2c.*?(?P=target)\x2eexecCommand\s*\x28\s*[\x22\x27]\s*SelectAll\s*[\x22\x27]\s*\x29.*?(?P=target)\x2eexecCommand\s*\x28\s*[\x22\x27]\s*Insert[^B(HT)]\w+[\x22\x27]\s*\x2c/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1785; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-035; classtype:attempted-user; sid:31190; rev:1;)
# sid 31189 (and 31188 below): the only match is the literal loop text
# `for(i=0; i<0xfffe; i++)` taken from one proof-of-concept. Any change of variable
# name, spacing or bound produces no alert, so treat this as a PoC-specific
# signature rather than general coverage of CVE-2014-1797.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer isIndex attribute overflow attempt"; flow:to_server,established; file_data; content:"for(i=0|3B| i<0xfffe|3B| i++)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1797; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31189; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer isIndex attribute overflow attempt"; flow:to_client,established; file_data; content:"for(i=0|3B| i<0xfffe|3B| i++)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1797; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31188; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt"; flow:to_server,established; file_data; content:"xmlns"; nocase; content:"|3A|xsl"; within:8; nocase; content:"http|2D|equiv|3D|"; nocase; content:"refresh"; within:10; nocase; content:"onunload"; fast_pattern:only; pcre:"/http\x2dequiv\x3d\s*?[\x22\x27]\s*?refresh\s*?[\x22\x27]\s*?content\s*?\x3d\s*?[\x22\x27]\s*?((1\s*?)|(0\s*?)|(\.\d\s*?)|(1\.\d\s*?))[\x22\x27]/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49037; reference:cve,2011-1963; reference:url,attack.mitre.org/techniques/T1220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-057; classtype:attempted-user; sid:31301; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt"; flow:to_server,established; file_data; content:"<object"; nocase; content:"align="; within:60; nocase; content:"width"; within:100; distance:-50; nocase; content:!"height"; within:200; distance:-100; nocase; content:!"hspace"; within:200; distance:-100; nocase; content:"dir="; nocase; content:"margin"; nocase; pcre:"/<[^>]*?style\s*[>=].{1,1024}margin\s*\x3a\s*[^\x3b\x7d]*?-\d+.*?[\x7b\x3b]/ims"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,54950; reference:cve,2012-1526; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:31296; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt"; flow:to_server,established; file_data; content:"window"; content:"history"; within:15; content:"pushState"; within:20; fast_pattern; content:"document"; nocase; content:"createElement"; within:20; nocase; content:"applet"; within:15; content:"appendChild"; metadata:service smtp; reference:cve,2014-2804; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-037; classtype:attempted-user; sid:31391; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt"; flow:to_server,established; file_data; content:"window"; content:"history"; within:15; content:"replaceState"; within:20; fast_pattern; content:"document"; nocase; content:"createElement"; within:20; nocase; content:"applet"; within:15; content:"appendChild"; metadata:service smtp; reference:cve,2014-2804; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-037; classtype:attempted-user; sid:31390; rev:3;)
# sid 31389 (and 31388 below): the first match is on the variable name
# `sca5=document.createElement`, a PoC-specific identifier. Detection of
# CVE-2014-2787 therefore hinges on that exact name; expect misses on any
# reworked sample, and prefer the createTextRange().execCommand match as the
# durable part of the signature.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer improper object cast memory corruption attempt"; flow:to_server,established; file_data; content:"sca5=document.createElement"; nocase; content:"document.body.createTextRange().execCommand"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-2787; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-037; classtype:attempted-user; sid:31389; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer improper object cast memory corruption attempt"; flow:to_client,established; file_data; content:"sca5=document.createElement"; nocase; content:"document.body.createTextRange().execCommand"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-2787; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-037; classtype:attempted-user; sid:31388; rev:2;)
# sid 31387 (disabled): header is `-> $SMTP_SERVERS 25` but the rule carries
# `flow:to_client,established`, whereas every other `$SMTP_SERVERS 25` rule in this
# section uses flow:to_server. Traffic towards the SMTP server is to_server, so as
# written this rule would not fire. The msg also reads "user after free" instead
# of "use after free" (same typo in 31386 below). Fix both and bump rev before
# re-enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CLayout object user after free attempt"; flow:to_client,established; file_data; content:"document.body.createTextRange"; content:".execCommand"; within:20; content:"SelectAll"; within:20; content:"document.body.createTextRange"; within:150; content:".select"; within:15; metadata:service smtp; reference:cve,2014-2801; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-037; classtype:attempted-user; sid:31387; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CLayout object user after free attempt"; flow:to_client,established; file_data; content:"document.body.createTextRange"; content:".execCommand"; within:20; content:"SelectAll"; within:20; content:"document.body.createTextRange"; within:150; content:".select"; within:15; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-2801; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-037; classtype:attempted-user; sid:31386; rev:1;)
# sid 31385 (disabled): destination is `$HOME_NET 25` rather than the
# `$SMTP_SERVERS 25` used by the sibling SMTP rules in this section, so it would
# inspect port-25 traffic to any internal host (typically a superset). Align the
# header with the siblings, and bump rev, before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"<ul "; nocase; content:".contentEditable="; content:"true"; within:6; content:"style=|22|list-style-type:lower-latin"; fast_pattern:only; content:"<li"; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2014-2795; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-037; classtype:attempted-user; sid:31385; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"<ul "; nocase; content:".contentEditable="; content:"true"; within:6; content:"style=|22|list-style-type:lower-latin"; fast_pattern:only; content:"<li"; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-2795; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-037; classtype:attempted-user; sid:31384; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer uninitialized object use after free attempt"; flow:to_server,established; file_data; content:".createRange("; content:".createTextNode("; within:100; distance:20; content:"CollectGarbage("; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-2797; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-037; classtype:attempted-user; sid:31383; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer uninitialized object use after free attempt"; flow:to_client,established; file_data; content:".createRange("; content:".createTextNode("; within:100; distance:20; content:"CollectGarbage("; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-2797; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-037; classtype:attempted-user; sid:31382; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt"; flow:to_server,established; file_data; content:"style"; nocase; content:"font"; within:150; nocase; content:"onpropertychange"; fast_pattern; nocase; content:"removeAttribute"; within:450; distance:-250; nocase; content:"style"; within:15; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,66244; reference:cve,2014-1765; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-037; classtype:attempted-user; sid:31381; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt"; flow:to_client,established; file_data; content:"style"; nocase; content:"font"; within:150; nocase; content:"onpropertychange"; fast_pattern; nocase; content:"removeAttribute"; within:450; distance:-250; nocase; content:"style"; within:15; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66244; reference:cve,2014-1765; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-037; classtype:attempted-user; sid:31380; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer celement use after free"; flow:to_server,established; file_data; content:"getElementById"; content:"HTML"; within:100; content:"getElementById"; within:200; content:"checked"; within:100; content:"getElementById"; within:100; content:"onpropertychange"; within:200; content:".reset|28 29|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0282; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31404; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer celement use after free"; flow:to_client,established; file_data; content:"getElementById"; content:"HTML"; within:100; content:"getElementById"; within:200; content:"checked"; within:100; content:"getElementById"; within:100; content:"onpropertychange"; within:200; content:".reset|28 29|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0282; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:31403; rev:5;)
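# sid 31402 (CVE-2009-1141, MS09-019), SMTP side, shipped disabled.
# FIX: the header points at $SMTP_SERVERS:25 (traffic flowing toward the mail server) but the
# rule carried flow:to_client, which is never true for that direction, so it could not fire
# even when enabled. Every other SMTP rule in this section uses flow:to_server; aligned and
# rev bumped. Detection is a fast-pattern on "clearAttributes" followed by a pcre requiring the
# same object (\1) to go through insertCell, deleteCell and clearAttributes in order.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Unexpected method call remote code execution attempt"; flow:to_server,established; file_data; content:"clearAttributes"; fast_pattern:only; pcre:"/(\w+)\.insertCell.*\1\.deleteCell.*\1\.clearAttributes/smi"; metadata:service smtp; reference:cve,2009-1141; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:attempted-user; sid:31402; rev:2;)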
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_server,established; file_data; content:"table-layout|3A|"; nocase; content:"fixed"; within:7; nocase; content:"<col id="; within:20; content:"width="; within:50; nocase; content:"span="; within:30; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:31428; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt"; flow:to_server,established; file_data; content:"onbeforeeditfocus"; nocase; content:"document.write"; within:90; content:"getElementsByTagName"; fast_pattern:only; pcre:"/(?P<editfocus>onbeforeeditfocus\s?=\s?[\x22\x27])(?P<focus>\w+?\x28\x29)[\x22\x27].*?(?P=editfocus)(?P=focus).*?(?P=focus)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0029; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:31486; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt"; flow:to_client,established; file_data; content:"onbeforeeditfocus"; nocase; content:"document.write"; within:90; content:"getElementsByTagName"; fast_pattern:only; pcre:"/(?P<editfocus>onbeforeeditfocus\s?=\s?[\x22\x27])(?P<focus>\w+?\x28\x29)[\x22\x27].*?(?P=editfocus)(?P=focus).*?(?P=focus)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0029; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:31485; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt"; flow:to_server,established; file_data; content:".getClientRects|28 29|"; fast_pattern:only; content:"for|28|n=0|3B|n<tList.length|3B|n++|29 7B|"; content:"tList|5B|n|5D|.tBodies|5B|0|5D|.appendChild|28|document.createElement|28 27|tr|27 29 29|"; content:"tList|5B|n|5D|.removeChild|28|tList|5B|n|5D|.children|5B|0|5D 29|"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-1880; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:31471; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt"; flow:to_server,established; file_data; content:".getBoundingClientRect|28 29|"; fast_pattern:only; content:".insertAdjacentElement"; nocase; content:".insertRow|28 29|"; nocase; pcre:"/document.getElementById\x28\x22(?P<dfnelement>\w+?)\x22\x29\x2einsertAdjacentElement.*document.getElementById\x28\x22\w+?\x22\x29.getBoundingClientRect\x28\x29.*?document.getElementById\x28\x22\w+?\x22\x29.insertRow\x28\x29.*?\x3cdfn id\x3d\x22(?P=dfnelement)\x22\x3e/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1880; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:31470; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt"; flow:to_client,established; file_data; content:".getClientRects|28 29|"; fast_pattern:only; content:"for|28|n=0|3B|n<tList.length|3B|n++|29 7B|"; content:"tList|5B|n|5D|.tBodies|5B|0|5D|.appendChild|28|document.createElement|28 27|tr|27 29 29|"; content:"tList|5B|n|5D|.removeChild|28|tList|5B|n|5D|.children|5B|0|5D 29|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1880; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:31469; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer outerHTML against incomplete element heap corruption attempt"; flow:to_server,established; file_data; content:".outerHTML"; fast_pattern; content:"document|2E|createStyleSheet"; within:75; nocase; pcre:"/\s(id|name)\s*?=\s*?[\x22\x27](?P<id1>\w+)[\x22\x27].*?<script[^<]*?(?P=id1)\x2eouterHTML(\x2b{2}|\s*?=\s*?[\x22\x27])/si"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0490; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:31504; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSS .ipsum layout use-after-free attempt"; flow:to_server,established; file_data; content:"text/css"; nocase; content:".ipsum"; fast_pattern:only; pcre:"/\.ipsum\s*?{[^>}]*?(position|float|display|zoom):/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,59751; reference:cve,2013-1310; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-037; reference:url,yuhongbao.blogspot.ca/2013/07/how-i-found-cve-2013-1310.html; classtype:attempted-user; sid:31585; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS .ipsum layout use-after-free attempt"; flow:to_client,established; file_data; content:"text/css"; nocase; content:".ipsum"; fast_pattern:only; pcre:"/\.ipsum\s*?{[^>}]*?(position|float|display|zoom):/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59751; reference:cve,2013-1310; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-037; reference:url,yuhongbao.blogspot.ca/2013/07/how-i-found-cve-2013-1310.html; classtype:attempted-user; sid:31584; rev:2;)
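# sid 31583 (CVE-2012-1529, MS12-063), SMTP side, shipped disabled.
# FIX: the pcre used the character class [^7D], which excludes the two literal characters
# '7' and 'D' rather than the closing brace; the intent (keep the scan inside the handler
# body up to the first '}') needs the escaped byte [^\x7D], the form the other rules in this
# file use (e.g. sid 31763 writes [^\x7d]). Same defect was present in sids 31582, 31581 and
# 31580. Corrected and rev bumped; the rule stays disabled as shipped.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt"; flow:to_server,established; file_data; content:" onmove"; fast_pattern:only; pcre:"/\sonmove\s*?=\s*?[\x27\x22](?P<func_name>\w+)\x28.*?\s(?P=func_name)\x28[^\x7D]*?document\x2Ewrite\x28[\x27\x22]{2}\x29/is"; metadata:policy security-ips drop, service smtp; reference:bugtraq,55641; reference:cve,2012-1529; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-063; classtype:attempted-user; sid:31583; rev:4;)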
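# sid 31582 (CVE-2012-1529, MS12-063), SMTP side, shipped disabled. Mirror of sid 31583 with
# the handler definition matched before the onmove attribute that references it.
# FIX: [^7D] excluded the literal characters '7' and 'D', not the closing brace; replaced
# with [^\x7D] so the scan is bounded by the end of the function body as intended (same
# defect was in sids 31583, 31581 and 31580). rev bumped; rule stays disabled as shipped.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt"; flow:to_server,established; file_data; content:" onmove"; fast_pattern:only; pcre:"/\s(?P<func_name>\w+)\x28[^\x7D]*?document\x2Ewrite\x28[\x27\x22]{2}\x29.*?[\x27\x22](?P=func_name)\x28/is"; metadata:policy security-ips drop, service smtp; reference:bugtraq,55641; reference:cve,2012-1529; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-063; classtype:attempted-user; sid:31582; rev:4;)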
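# sid 31581 (CVE-2012-1529, MS12-063), client-side (HTTP/FTP-data/IMAP/POP3) counterpart of
# sid 31583, shipped disabled.
# FIX: the pcre class [^7D] excluded the literal characters '7' and 'D' instead of the
# closing brace; changed to [^\x7D] so the scan stays inside the handler body (the sibling
# rules, e.g. sid 31763, already use the [^\x7d] form). Same defect was in sids 31583, 31582
# and 31580. rev bumped; rule stays disabled as shipped.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt"; flow:to_client,established; file_data; content:" onmove"; fast_pattern:only; pcre:"/\sonmove\s*?=\s*?[\x27\x22](?P<func_name>\w+)\x28.*?\s(?P=func_name)\x28[^\x7D]*?document\x2Ewrite\x28[\x27\x22]{2}\x29/is"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55641; reference:cve,2012-1529; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-063; classtype:attempted-user; sid:31581; rev:3;)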
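# sid 31580 (CVE-2012-1529, MS12-063), client-side counterpart of sid 31582, shipped disabled.
# FIX: [^7D] in the pcre excluded the literal characters '7' and 'D' rather than the closing
# brace; replaced with [^\x7D] so the match is bounded by the end of the function body as
# intended (same defect was in sids 31583, 31582 and 31581). rev bumped; rule stays disabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt"; flow:to_client,established; file_data; content:" onmove"; fast_pattern:only; pcre:"/\s(?P<func_name>\w+)\x28[^\x7D]*?document\x2Ewrite\x28[\x27\x22]{2}\x29.*?[\x27\x22](?P=func_name)\x28/is"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55641; reference:cve,2012-1529; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-063; classtype:attempted-user; sid:31580; rev:3;)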
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt"; flow:to_server,established; file_data; content:"iframe src="; nocase; content:".html"; within:20; nocase; content:"setTimeout"; within:30; nocase; content:"history.go"; within:15; nocase; metadata:policy security-ips drop, service smtp; reference:bugtraq,55647; reference:cve,2012-2557; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-063; classtype:attempted-user; sid:31611; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt"; flow:to_server,established; file_data; content:"for"; nocase; content:"++"; within:25; content:"cloneNode()"; within:30; fast_pattern; content:"<object"; distance:0; pcre:"/function.*?(?P<textObj>\w+)\.cloneNode\x28\x29.*?<object\s+id=.(?P=textObj).*?<script/smi"; metadata:policy security-ips drop, service smtp; reference:bugtraq,55647; reference:cve,2012-2557; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-063; classtype:attempted-user; sid:31610; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt"; flow:to_client,established; file_data; content:"iframe src="; nocase; content:".html"; within:20; nocase; content:"setTimeout"; within:30; nocase; content:"history.go"; within:15; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55647; reference:cve,2012-2557; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-063; classtype:attempted-user; sid:31609; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt"; flow:to_client,established; file_data; content:"for"; nocase; content:"++"; within:25; content:"cloneNode()"; within:30; fast_pattern; content:"<object"; distance:0; pcre:"/function.*?(?P<textObj>\w+)\.cloneNode\x28\x29.*?<object\s+id=.(?P=textObj).*?<script/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55647; reference:cve,2012-2557; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-063; classtype:attempted-user; sid:31608; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt"; flow:to_server,established; file_data; content:".createElement("; nocase; content:"header"; within:20; nocase; content:".createElement("; nocase; content:".execCommand("; fast_pattern; content:"Indent"; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-2824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:31635; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt"; flow:to_client,established; file_data; content:".createElement("; nocase; content:"header"; within:20; nocase; content:".createElement("; nocase; content:".execCommand("; fast_pattern; content:"Indent"; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-2824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:31634; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup insertMarquee use after free attempt"; flow:to_server,established; file_data; content:"onpropertychange"; nocase; content:".execCommand"; within:60; nocase; content:"InsertMarquee"; within:60; fast_pattern; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4057; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:31630; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup insertMarquee use after free attempt"; flow:to_client,established; file_data; content:"onpropertychange"; nocase; content:".execCommand"; within:60; nocase; content:"InsertMarquee"; within:60; fast_pattern; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4057; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:31629; rev:2;)
# sid 31628 (CVE-2014-2820, MS14-051), SMTP side. Note two things a maintainer may want to
# tidy: the msg string ends with a trailing space ("...attempt ") — harmless to Snort but it
# can break tooling that keys on the exact msg text, and sid 31627 carries the same trailing
# space; and the port list [25,2525,465,587] is wider than the bare "25" the neighbouring SMTP
# rules use — presumably deliberate (submission ports), verify before normalising.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,2525,465,587] (msg:"BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt "; flow:to_server,established; file_data; content:"document.createEvent("; fast_pattern:only; content:"window.open"; content:"document.createEvent("; within:200; content:".init"; within:200; content:"event"; within:20; nocase; content:"FocusIn"; within:50; nocase; content:"dispatchEvent("; within:200; content:"document.write"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,69116; reference:cve,2014-2820; reference:url,cwe.mitre.org/data/definitions/416.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:31628; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt "; flow:to_client,established; file_data; content:"document.createEvent("; fast_pattern:only; content:"window.open"; content:"document.createEvent("; within:200; content:".init"; within:200; content:"event"; within:20; nocase; content:"FocusIn"; within:50; nocase; content:"dispatchEvent("; within:200; content:"document.write"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,69116; reference:cve,2014-2820; reference:url,cwe.mitre.org/data/definitions/416.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:31627; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Use after free attempt"; flow:to_server,established; file_data; content:"hgroup.appendChild(iElement)"; content:"document.execCommand(|22|justifyCenter|22| , false, |22 22|)|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-2823; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:31626; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Use after free attempt"; flow:to_client,established; file_data; content:"hgroup.appendChild(iElement)"; content:"document.execCommand(|22|justifyCenter|22| , false, |22 22|)|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-2823; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:31625; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt"; flow:to_server,established; file_data; content:"<meta"; nocase; content:".addEventListener"; nocase; content:"DOM"; within:55; nocase; content:".createRange|28|"; distance:0; nocase; content:".deleteContents|28|"; within:250; nocase; content:".createRange|28|"; distance:0; nocase; content:".deleteContents|28|"; within:250; nocase; metadata:policy security-ips drop, service smtp; reference:bugtraq,55645; reference:cve,2012-2546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-063; classtype:attempted-user; sid:31624; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt"; flow:to_client,established; file_data; content:"<meta"; nocase; content:".addEventListener"; nocase; content:"DOM"; within:55; nocase; content:".createRange|28|"; distance:0; nocase; content:".deleteContents|28|"; within:250; nocase; content:".createRange|28|"; distance:0; nocase; content:".deleteContents|28|"; within:250; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55645; reference:cve,2012-2546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-063; classtype:attempted-user; sid:31623; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt"; flow:to_server,established; file_data; content:"onreadystatechange"; fast_pattern:only; content:"selectAll"; nocase; content:"Indent"; within:150; nocase; content:"selectAll"; distance:0; nocase; content:"fieldset"; distance:0; nocase; content:"changeStyles"; within:50; nocase; metadata:policy balanced-ips alert, policy security-ips drop, service smtp; reference:cve,2014-4063; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:31622; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt"; flow:to_client,established; file_data; content:"onreadystatechange"; fast_pattern:only; content:"selectAll"; nocase; content:"Indent"; within:150; nocase; content:"selectAll"; distance:0; nocase; content:"fieldset"; distance:0; nocase; content:"changeStyles"; within:50; nocase; metadata:policy balanced-ips alert, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4063; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:31621; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer kbd element use-after-free attempt"; flow:to_server,established; file_data; content:"<object>"; content:"<kbd>"; within:50; content:"|2A 3A|nth-child|28|-"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:31620; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer kbd element use-after-free attempt"; flow:to_client,established; file_data; content:"<object>"; content:"<kbd>"; within:50; content:"|2A 3A|nth-child|28|-"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:31619; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer meter element use-after-free attempt"; flow:to_server,established; file_data; content:".createElement"; content:"meter"; within:20; content:".cloneNode"; distance:0; content:".offsetHeight"; distance:0; metadata:service smtp; reference:cve,2012-2548; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-063; classtype:attempted-user; sid:31618; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer meter element use-after-free attempt"; flow:to_client,established; file_data; content:".createElement"; content:"meter"; within:20; content:".cloneNode"; distance:0; content:".offsetHeight"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-2548; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-063; classtype:attempted-user; sid:31617; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 5 XML page object type validation"; flow:to_server,established; file_data; content:"datasrc|3D 22 23|"; content:"datafld|3D 22|"; within:50; content:"<xml"; distance:0; content:"<![CDATA"; within:150; pcre:"/datasrc\x3D\x22\x23(?P<id>\w+)\x22\s*datafld\x3D\x22(?P<tag1>\w+)\x22.*\<xml\s+id\x3D\x22(?P=id)\x22\>\s*\<\w+\>\s*\<(?P=tag1)\>\s*\<\x21\x5BCDATA/"; metadata:service smtp; reference:bugtraq,8565; reference:cve,2003-0809; classtype:attempted-user; sid:31646; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 5 XML page object type validation"; flow:to_client,established; file_data; content:"datasrc|3D 22 23|"; content:"datafld|3D 22|"; within:50; content:"<xml"; distance:0; content:"<![CDATA"; within:150; pcre:"/datasrc\x3D\x22\x23(?P<id>\w+)\x22\s*datafld\x3D\x22(?P<tag1>\w+)\x22.*\<xml\s+id\x3D\x22(?P=id)\x22\>\s*\<\w+\>\s*\<(?P=tag1)\>\s*\<\x21\x5BCDATA/"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,8565; reference:cve,2003-0809; classtype:attempted-user; sid:31645; rev:2;)
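# sid 31763 (CVE-2013-5049, MS13-097), SMTP side. The fast-pattern gate is the
# getElementsByTagName call; the pcre then ties an <object ... onerror="f(" handler to a
# function f whose body looks the object up by tag and calls removeChild on it.
# FIX: the gating content "getElementsBytagName" was case-sensitive while JavaScript method
# names are case-sensitive in the other direction — a working page must spell it
# getElementsByTagName, which the literal (lowercase "tag") could never match, so the rule only
# fired on that exact misspelling even though the pcre is already /i. Added nocase, matching
# sibling sid 31760 ("ElementsBytagName"; nocase), and bumped rev.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt"; flow:to_server,established; file_data; content:"getElementsBytagName"; nocase; fast_pattern:only; content:".removeChild"; nocase; content:"<object"; nocase; content:"onerror"; within:75; nocase; pcre:"/\x3C(?P<obj>\w+)\s[^\x3e]*?onerror\s*?=\s*?[\x22\x27](?P<func>\w+)\s*?\x28.*?function\s+?(?P=func)\s*?\x28[^\x7b]+?\x7b[^\x7d]*?getElementsByTagName\x28[\x22\x27](?P=obj)[\x22\x27]?\s*?\x29[^\x7d]*?removeChild\s*?\x28/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-5049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:31763; rev:3;)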
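# sid 31762 (CVE-2013-5049, MS13-097), SMTP side. Variant of sid 31763 where the function
# definition (lookup by id, then removeChild) appears before the <object ... onerror="f(" that
# names it.
# FIX: the gating content "getElementByID" had no nocase, but a functional page has to use the
# case-sensitive JavaScript name getElementById, so the fast-pattern prefilter rejected every
# real sample even though the pcre is /i. Added nocase (the same defect is in sids 31763 and
# 31761) and bumped rev.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt"; flow:to_server,established; file_data; content:"getElementByID"; nocase; fast_pattern:only; content:".removeChild"; nocase; content:"<object"; nocase; content:"onerror"; within:75; nocase; pcre:"/function\s+?(?P<func>\w+?)\s*?\x28[^\x7b]+?\x7b[^\x7d]*?getElementByID\x28[\x22\x27](?P<obj>\w+?)[\x22\x27]?\s*?\x29[^\x7d]*?removeChild\s*?\x28.*?(?P=obj)\s[^\x3e]*?onerror\s*?=\s*?[\x22\x27](?P=func)\s*?\x28/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-5049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:31762; rev:3;)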
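# sid 31761 (CVE-2013-5049, MS13-097), SMTP side. Same ordering as sid 31763 (the <object
# onerror handler is seen first, then the function that looks the element up by id and calls
# removeChild on it).
# FIX: "getElementByID" was matched case-sensitively although JavaScript requires the exact
# spelling getElementById in a working page, so the fast-pattern prefilter could never pass a
# real sample; the pcre was already /i. Added nocase (same defect as sids 31763 and 31762) and
# bumped rev.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt"; flow:to_server,established; file_data; content:"getElementByID"; nocase; fast_pattern:only; content:".removeChild"; nocase; content:"<object"; nocase; content:"onerror"; within:75; nocase; pcre:"/\x3C(?P<obj>\w+)\s[^\x3e]*?onerror\s*?=\s*?[\x22\x27](?P<func>\w+)\s*?\x28.*?function\s+?(?P=func)\s*?\x28[^\x7b]+?\x7b[^\x7d]*?getElementByID\x28[\x22\x27](?P=obj)[\x22\x27]?\s*?\x29[^\x7d]*?removeChild\s*?\x28/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-5049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:31761; rev:3;)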
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt"; flow:to_server,established; file_data; content:"ElementsBytagName"; nocase; content:".removeChild"; nocase; content:"<object"; nocase; content:"onerror"; within:75; nocase; content:"CollectGarbage()"; fast_pattern:only; pcre:"/function\s+?(?P<func>\w+?)\s*?\x28[^\x7d]*?ElementsByTagName[^\x7d]*?removeChild\s*?\x28.*?object\s[^\x3e]*?onerror\s*?\x3D\s*?[\x22\x27](?P=func)\s*?\x28/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-5049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:31760; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 InsertInputSubmit use after free attempt"; flow:to_server,established; file_data; content:".applyElement"; nocase; content:"document.createElement"; within:55; nocase; content:".createTextRange"; within:250; nocase; content:".execCommand"; within:55; nocase; content:"InsertInputSubmit"; within:40; fast_pattern; nocase; content:".innerHTML"; within:250; nocase; content:".execCommand"; within:250; nocase; content:"Undo"; within:30; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-052; classtype:attempted-user; sid:31802; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 InsertInputSubmit use after free attempt"; flow:to_client,established; file_data; content:".applyElement"; nocase; content:"document.createElement"; within:55; nocase; content:".createTextRange"; within:250; nocase; content:".execCommand"; within:55; nocase; content:"InsertInputSubmit"; within:40; fast_pattern; nocase; content:".innerHTML"; within:250; nocase; content:".execCommand"; within:250; nocase; content:"Undo"; within:30; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-052; classtype:attempted-user; sid:31801; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableCell Use After Free exploit attempt"; flow:to_server,established; file_data; content:"document.addEventListener("; content:"DOMNodeInserted"; within:20; content:".applyElement("; content:"inside"; within:25; nocase; content:"document.body.createTextRange().execCommand("; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4092; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31800; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableCell Use After Free exploit attempt"; flow:to_client,established; file_data; content:"document.addEventListener("; content:"DOMNodeInserted"; within:20; content:".applyElement("; content:"inside"; within:25; nocase; content:"document.body.createTextRange().execCommand("; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4092; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31799; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 CTreeNode use after free"; flow:to_server,established; file_data; content:"document.addEventListener"; nocase; content:"DOMNodeInserted"; within:20; distance:2; fast_pattern; nocase; content:"function"; within:20; distance:2; nocase; content:".selectAllChildren|28|"; within:80; distance:5; nocase; content:"document.selection.createRange|28|"; distance:0; nocase; content:".pasteHTML|28|"; within:20; nocase; content:"</th>"; distance:0; nocase; metadata:service smtp; reference:cve,2014-4089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-052; classtype:attempted-user; sid:31797; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 CTreeNode use after free"; flow:to_client,established; file_data; content:"document.addEventListener"; nocase; content:"DOMNodeInserted"; within:20; distance:2; fast_pattern; nocase; content:"function"; within:20; distance:2; nocase; content:".selectAllChildren|28|"; within:80; distance:5; nocase; content:"document.selection.createRange|28|"; distance:0; nocase; content:".pasteHTML|28|"; within:20; nocase; content:"</th>"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-052; classtype:attempted-user; sid:31796; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer access violation attempt"; flow:to_server,established; file_data; content:"document.createElement(|22|head|22|)"; nocase; content:"createTextRange().execCommand(|22|Outdent|22|)"; nocase; content:"createTextRange().execCommand(|22|InsertInputCheckbox|22|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4081; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31795; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer access violation attempt"; flow:to_client,established; file_data; content:"document.createElement(|22|head|22|)"; nocase; content:"createTextRange().execCommand(|22|Outdent|22|)"; nocase; content:"createTextRange().execCommand(|22|InsertInputCheckbox|22|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4081; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31794; rev:1;)
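# CVE-2014-4084 (MS14-046) CGeneratedTreeNode use-after-free, SMTP delivery (client->server, port 25).
# Flow direction corrected from to_client to to_server: the header is $EXTERNAL_NET -> $SMTP_SERVERS 25
# and every other SMTP rule in this file pairs that header with to_server, so with to_client the rule
# could never match the mail body it inspects. rev bumped to 2 for the change.
# Client-delivery sibling: sid 31792.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use-after-free attempt"; flow:to_server,established; file_data; content:".createElement(|22|th|22|)"; nocase; content:"<v:oval"; nocase; content:".execCommand(|22|Indent|22|)"; content:".execCommand(|22|Outdent|22|)"; fast_pattern:only; content:".onbeforeeditfocus"; content:".createElement(|22|html|22|)"; nocase; content:".appendChild"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4084; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-046; classtype:attempted-user; sid:31793; rev:2;)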
# CVE-2014-4084 (MS14-046) CGeneratedTreeNode use-after-free, content delivered to clients.
# Requires createElement("th"), a <v:oval VML element, execCommand Indent then Outdent (fast pattern),
# .onbeforeeditfocus, createElement("html") and a following .appendChild. SMTP sibling: sid 31793.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use-after-free attempt"; flow:to_client,established; file_data; content:".createElement(|22|th|22|)"; nocase; content:"<v:oval"; nocase; content:".execCommand(|22|Indent|22|)"; content:".execCommand(|22|Outdent|22|)"; fast_pattern:only; content:".onbeforeeditfocus"; content:".createElement(|22|html|22|)"; nocase; content:".appendChild"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4084; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-046; classtype:attempted-user; sid:31792; rev:1;)
# Disabled by default. CVE-2014-4065 (MS14-052) CAttrArray use-after-free, SMTP delivery.
# Keys on the literal loop header for(var i=0;i<0x1FFFF (fast pattern) followed by setAttribute
# and ['lang'] within 200 bytes; the case-sensitive literal makes this a PoC-shaped match.
# Client-delivery sibling: sid 31790.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt"; flow:to_server,established; file_data; content:"for|28|var i=0|3B|i<0x1FFFF"; fast_pattern:only; content:"setAttribute"; content:"['lang']"; within:200; metadata:policy security-ips drop, service smtp; reference:cve,2014-4065; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-052; classtype:attempted-user; sid:31791; rev:1;)
# Disabled by default. CVE-2014-4065 (MS14-052) CAttrArray use-after-free, content delivered to clients.
# Same logic as the SMTP sibling sid 31791 (literal for-loop header, setAttribute, ['lang'] within 200).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt"; flow:to_client,established; file_data; content:"for|28|var i=0|3B|i<0x1FFFF"; fast_pattern:only; content:"setAttribute"; content:"['lang']"; within:200; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4065; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-052; classtype:attempted-user; sid:31790; rev:1;)
# CVE-2014-4080 (MS14-052) text-justify use-after-free, SMTP delivery.
# Requires .applyElement, .createTextNode, .insertAdjacentHTML( with beforeBegin within 18 bytes,
# and .execCommand( with Justify within 12 bytes. All contents are case-sensitive and no
# fast_pattern is declared, so Snort selects the longest content itself. Client-delivery sibling: sid 31788.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer justifying text with an incorrect type use after free attempt"; flow:to_server,established; file_data; content:".applyElement"; content:".createTextNode"; content:".insertAdjacentHTML("; content:"beforeBegin"; within:18; content:".execCommand("; content:"Justify"; within:12; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31789; rev:1;)
# CVE-2014-4080 (MS14-052) text-justify use-after-free, content delivered to clients.
# Same case-sensitive content chain as the SMTP sibling sid 31789.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer justifying text with an incorrect type use after free attempt"; flow:to_client,established; file_data; content:".applyElement"; content:".createTextNode"; content:".insertAdjacentHTML("; content:"beforeBegin"; within:18; content:".execCommand("; content:"Justify"; within:12; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31788; rev:1;)
# CVE-2014-4087 (MS14-052) list-style-image url use-after-free, SMTP delivery.
# Contents: onbeforeactivate and list-style-image:url (fast pattern). The pcre then ties an element
# id= value to an onbeforeactivate= handler that references the same id via a named backreference,
# which keeps the two generic keywords from firing on unrelated pages. Client-delivery sibling: sid 31786.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer style-image-url use after free attempt"; flow:to_server,established; file_data; content:"onbeforeactivate"; content:"list-style-image|3A|url"; fast_pattern:only; pcre:"/id=[\x22\x27\s]*?(?P<id>[\w\d]+)[^\x3e]*onbeforeactivate=[\x22\x27\s]*(?P=id)\x2e/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31787; rev:1;)
# CVE-2014-4087 (MS14-052) list-style-image url use-after-free, content delivered to clients.
# Same contents and id-correlating pcre as the SMTP sibling sid 31787.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer style-image-url use after free attempt"; flow:to_client,established; file_data; content:"onbeforeactivate"; content:"list-style-image|3A|url"; fast_pattern:only; pcre:"/id=[\x22\x27\s]*?(?P<id>[\w\d]+)[^\x3e]*onbeforeactivate=[\x22\x27\s]*(?P=id)\x2e/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31786; rev:1;)
# Disabled by default. CVE-2014-4094 (MS14-052) IE11 C1DLayout ruby element use-after-free, SMTP delivery.
# Ordered chain: style.position, .createTextRange().execCommand within 250 (fast pattern), another
# style.position within 100, createTextRange().select() within 250, then <ruby id= within 400.
# Client-delivery sibling: sid 31784.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 C1DLayout ruby element use-after-free attempt"; flow:to_server,established; file_data; content:"style.position"; nocase; content:".createTextRange().execCommand"; within:250; fast_pattern; nocase; content:"style.position"; within:100; nocase; content:"createTextRange().select()"; within:250; nocase; content:"<ruby id="; within:400; metadata:policy security-ips drop, service smtp; reference:cve,2014-4094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31785; rev:2;)
# Disabled by default. CVE-2014-4094 (MS14-052) IE11 C1DLayout ruby element use-after-free,
# content delivered to clients. Same ordered content chain as the SMTP sibling sid 31785.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 C1DLayout ruby element use-after-free attempt"; flow:to_client,established; file_data; content:"style.position"; nocase; content:".createTextRange().execCommand"; within:250; fast_pattern; nocase; content:"style.position"; within:100; nocase; content:"createTextRange().select()"; within:250; nocase; content:"<ruby id="; within:400; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31784; rev:2;)
# CVE-2014-4095 (MS14-052) CHTMLEditor instance use-after-free, SMTP delivery.
# Built from individually common tokens (progress, source, contentEditable, removeNode, moveEnd,
# character, swapNode, footer, file://); moveToElementText is the fast pattern and the within:40
# windows on character and footer are what give the rule its specificity. Client-delivery sibling: sid 31782.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor instance use after free attempt"; flow:to_server,established; file_data; content:"progress"; content:"source"; content:"contentEditable"; content:"removeNode"; content:"moveToElementText"; fast_pattern:only; content:"moveEnd"; content:"character"; within:40; content:"swapNode"; content:"footer"; within:40; content:"file://"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4095; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31783; rev:1;)
# CVE-2014-4095 (MS14-052) CHTMLEditor instance use-after-free, content delivered to clients.
# Same token chain as the SMTP sibling sid 31783.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor instance use after free attempt"; flow:to_client,established; file_data; content:"progress"; content:"source"; content:"contentEditable"; content:"removeNode"; content:"moveToElementText"; fast_pattern:only; content:"moveEnd"; content:"character"; within:40; content:"swapNode"; content:"footer"; within:40; content:"file://"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4095; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31782; rev:1;)
# Disabled by default. CVE-2014-4086 (MS14-052) CHtmlLayout use-after-free, SMTP delivery.
# Two literal, case-sensitive contents: document.body.createTextRange().queryCommandState("InsertIFrame")
# (fast pattern) and .swapNode(document.createTextNode(. Client-delivery sibling: sid 31811.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CHtmlLayout use after free attempt"; flow:to_server,established; file_data; content:"document.body.createTextRange|28 29|.queryCommandState|28 22|InsertIFrame|22 29|"; fast_pattern:only; content:".swapNode|28|document.createTextNode|28|"; metadata:service smtp; reference:cve,2014-4086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31812; rev:2;)
# Disabled by default. CVE-2014-4086 (MS14-052) CHtmlLayout use-after-free, content delivered to clients.
# Same two literal contents as the SMTP sibling sid 31812.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHtmlLayout use after free attempt"; flow:to_client,established; file_data; content:"document.body.createTextRange|28 29|.queryCommandState|28 22|InsertIFrame|22 29|"; fast_pattern:only; content:".swapNode|28|document.createTextNode|28|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31811; rev:2;)
# CVE-2014-4082 (MS14-052) integer overflow, SMTP delivery.
# Chain: createElement( with samp within 7, document.body.onbeforeactivate, parentNode.applyElement(
# within 50, document.body.contentEditable, then getSelection().addRange( (fast pattern).
# The final content is written with a literal "(" here and as |28| in the client-delivery sibling
# sid 31809; the bytes matched are identical, only the notation differs.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer integer overflow exploit attempt"; flow:to_server,established; file_data; content:"createElement|28|"; content:"samp"; within:7; content:"document|2E|body|2E|onbeforeactivate"; content:"parentNode.applyElement|28|"; within:50; content:"document|2E|body|2E|contentEditable"; content:"getSelection|28 29 2E|addRange("; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4082; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31810; rev:2;)
# CVE-2014-4082 (MS14-052) integer overflow, content delivered to clients.
# Same content chain as the SMTP sibling sid 31810.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer integer overflow exploit attempt"; flow:to_client,established; file_data; content:"createElement|28|"; content:"samp"; within:7; content:"document|2E|body|2E|onbeforeactivate"; content:"parentNode.applyElement|28|"; within:50; content:"document|2E|body|2E|contentEditable"; content:"getSelection|28 29 2E|addRange|28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4082; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:attempted-user; sid:31809; rev:2;)
# Disabled by default. CVE-2003-1025 (MS04-004) URL display spoof, SMTP delivery.
# Looks for an href whose value contains %01 (fast pattern) before @www. - i.e. a userinfo-style
# URL where the %01 byte hid the real host in the IE address bar. Client-delivery sibling: sid 31887.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer URL domain spoof attempt"; flow:to_server,established; file_data; content:"%01"; fast_pattern:only; content:"|40|www|2E|"; pcre:"/href=[\x22\x27][^\x22\x27]*?\x2501[^\x22\x27]*?\x40www\x2e/is"; metadata:service smtp; reference:cve,2003-1025; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-004; classtype:attempted-user; sid:31888; rev:1;)
# Disabled by default. CVE-2003-1025 (MS04-004) URL display spoof, content delivered to clients.
# Same %01 / @www. href pattern as the SMTP sibling sid 31888.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer URL domain spoof attempt"; flow:to_client,established; file_data; content:"%01"; fast_pattern:only; content:"|40|www|2E|"; pcre:"/href=[\x22\x27][^\x22\x27]*?\x2501[^\x22\x27]*?\x40www\x2e/is"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2003-1025; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-004; classtype:attempted-user; sid:31887; rev:1;)
# CVE-2014-4126 (MS14-056) CTransientLookaside use-after-free, SMTP delivery.
# Contents: :nth-child( (fast pattern), display: inline-table;, transition-duration:, <article,
# document.getElementById and .parentNode.removeChild(. The pcre correlates them: an <article id=X,
# a variable Y assigned from getElementById("X", and Y.parentNode.removeChild(Y, via two named
# backreferences. Client-delivery sibling: sid 32168.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTransientLookaside object use after free attempt"; flow:to_server,established; file_data; content:"|3A|nth-child|28|"; fast_pattern:only; content:"display|3A|"; nocase; content:"inline-table|3B|"; within:20; nocase; content:"transition-duration|3A|"; nocase; content:"|3C|article"; nocase; content:"document.getElementById"; nocase; content:".parentNode.removeChild|28|"; nocase; pcre:"/\x3carticle\s*?id\s*?\x3d\s*?[\x22\x27](?P<art>\w+).*?(?P<elem>\w+)\s*?\x3d\s*?document\.getElementById\s*?\x28\s*?[\x22\x27](?P=art).*?(?P=elem)\.parentNode\.removeChild\s*?\x28\s*?(?P=elem)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4126; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32169; rev:1;)
# CVE-2014-4126 (MS14-056) CTransientLookaside use-after-free, content delivered to clients.
# Same contents and backreference-correlating pcre as the SMTP sibling sid 32169.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTransientLookaside object use after free attempt"; flow:to_client,established; file_data; content:"|3A|nth-child|28|"; fast_pattern:only; content:"display|3A|"; nocase; content:"inline-table|3B|"; within:20; nocase; content:"transition-duration|3A|"; nocase; content:"|3C|article"; nocase; content:"document.getElementById"; nocase; content:".parentNode.removeChild|28|"; nocase; pcre:"/\x3carticle\s*?id\s*?\x3d\s*?[\x22\x27](?P<art>\w+).*?(?P<elem>\w+)\s*?\x3d\s*?document\.getElementById\s*?\x28\s*?[\x22\x27](?P=art).*?(?P=elem)\.parentNode\.removeChild\s*?\x28\s*?(?P=elem)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4126; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32168; rev:1;)
# Disabled by default. CVE-2014-4128 (MS14-056) GetUpdatedLayout partial-table use-after-free, SMTP delivery.
# Requires execCommand("SelectAll") (fast pattern) and a <table> that is NOT followed by </table>
# before a <script> tag. NOTE(review): stream_size:server,<,16000 bounds bytes sent by the server,
# but on SMTP the inspected message body travels client->server, so this check does not limit the
# message size here - looks like it should be stream_size:client; confirm. Client-delivery sibling: sid 32163.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer GetUpdatedLayout partial table declaration use-after-free attempt"; flow:to_server,established; stream_size:server,<,16000; file_data; content:".execCommand|28 22|SelectAll|22 29|"; fast_pattern:only; content:"<table>"; nocase; content:!"</table>"; distance:0; nocase; content:"<script>"; distance:0; nocase; metadata:service smtp; reference:cve,2014-4128; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32164; rev:2;)
# Disabled by default. CVE-2014-4128 (MS14-056) GetUpdatedLayout partial-table use-after-free,
# content delivered to clients. Here stream_size:server,<,16000 is consistent with the to_client
# direction (the server sends the document). Same contents as the SMTP sibling sid 32164.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer GetUpdatedLayout partial table declaration use-after-free attempt"; flow:to_client,established; stream_size:server,<,16000; file_data; content:".execCommand|28 22|SelectAll|22 29|"; fast_pattern:only; content:"<table>"; nocase; content:!"</table>"; distance:0; nocase; content:"<script>"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4128; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32163; rev:2;)
# CVE-2014-4133 (MS14-056) superscript invalid-parameter denial of service, SMTP delivery.
# Three document.createElement / lang pairs (lang within 300 of each), then text_range.execCommand
# with superscript within 20 (fast pattern). text_range is presumably the variable name from the
# reference sample; renamed variables would not match. Client-delivery sibling: sid 32161.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer superscript invalid parameter denial of service attempt"; flow:to_server,established; file_data; content:"document.createElement"; nocase; content:"lang"; within:300; nocase; content:"document.createElement"; distance:0; nocase; content:"lang"; within:300; nocase; content:"document.createElement"; distance:0; nocase; content:"lang"; within:300; nocase; content:"text_range.execCommand"; distance:0; nocase; content:"superscript"; within:20; fast_pattern; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4133; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-dos; sid:32162; rev:2;)
# CVE-2014-4133 (MS14-056) superscript invalid-parameter denial of service, content delivered to clients.
# Same createElement/lang chain and text_range.execCommand superscript match as the SMTP sibling sid 32162.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer superscript invalid parameter denial of service attempt"; flow:to_client,established; file_data; content:"document.createElement"; nocase; content:"lang"; within:300; nocase; content:"document.createElement"; distance:0; nocase; content:"lang"; within:300; nocase; content:"document.createElement"; distance:0; nocase; content:"lang"; within:300; nocase; content:"text_range.execCommand"; distance:0; nocase; content:"superscript"; within:20; fast_pattern; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4133; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-dos; sid:32161; rev:2;)
# CVE-2014-4132 (MS14-056) CMarkup use-after-free, SMTP delivery.
# Single literal, case-sensitive content: the exact obj.textContent = "%u..." assignment from the
# reference sample. This is a sample-specific indicator; any change to the string is not covered.
# Client-delivery sibling: sid 32159.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup Object use after free attempt"; flow:to_server,established; file_data; content:"obj.textContent = |22|%u33%u17%uB0%u5D%uCC%u84%u91%uD2%uE5%uDC|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4132; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32160; rev:1;)
# CVE-2014-4132 (MS14-056) CMarkup use-after-free, content delivered to clients.
# Same single sample-specific literal as the SMTP sibling sid 32160.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup Object use after free attempt"; flow:to_client,established; file_data; content:"obj.textContent = |22|%u33%u17%uB0%u5D%uCC%u84%u91%uD2%uE5%uDC|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4132; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32159; rev:1;)
# Disabled by default. CVE-2014-4130 (MS14-056) IE11 CMarkup GetMarkupTitle use-after-free, SMTP delivery.
# Requires a DOMAttrModified handler, currentTarget.parentNode.swapNode (fast pattern),
# currentTarget.previousSibling and a following <iframe. Client-delivery sibling: sid 32157.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 CMarkup GetMarkupTitle use-after-free attempt"; flow:to_server,established; file_data; content:"DOMAttrModified"; nocase; content:"currentTarget.parentNode.swapNode"; fast_pattern:only; content:"currentTarget.previousSibling"; nocase; content:"<iframe"; distance:0; nocase; metadata:service smtp; reference:cve,2014-4130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32158; rev:3;)
# Disabled by default. CVE-2014-4130 (MS14-056) IE11 CMarkup GetMarkupTitle use-after-free,
# content delivered to clients. Same contents as the SMTP sibling sid 32158.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 CMarkup GetMarkupTitle use-after-free attempt"; flow:to_client,established; file_data; content:"DOMAttrModified"; nocase; content:"currentTarget.parentNode.swapNode"; fast_pattern:only; content:"currentTarget.previousSibling"; nocase; content:"<iframe"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32157; rev:3;)
# CVE-2014-4129 (MS14-056) FormatContext use-after-free, SMTP delivery.
# Case-insensitive contents: table id=, createElement("bdo");, createElement("base");, , "inside");,
# style.styleFloat='right'; and createElement("ruby"),"inside"); (fast pattern). The exact spacing
# and quoting of these literals must be present for a match. Client-delivery sibling: sid 32155.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer FormatContext Use after free attempt"; flow:to_server,established; file_data; content:"table id="; nocase; content:"document.createElement(|22|bdo|22|)|3B|"; nocase; content:"document.createElement(|22|base|22|)|3B|"; nocase; content:", |22|inside|22|)|3B|"; nocase; content:"style.styleFloat=|27|right|27 3B|"; nocase; content:"document.createElement(|22|ruby|22|),|22|inside|22|)|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4129; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32156; rev:1;)
# CVE-2014-4129 (MS14-056) FormatContext use-after-free, content delivered to clients.
# Same literal content chain as the SMTP sibling sid 32156.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer FormatContext Use after free attempt"; flow:to_client,established; file_data; content:"table id="; nocase; content:"document.createElement(|22|bdo|22|)|3B|"; nocase; content:"document.createElement(|22|base|22|)|3B|"; nocase; content:", |22|inside|22|)|3B|"; nocase; content:"style.styleFloat=|27|right|27 3B|"; nocase; content:"document.createElement(|22|ruby|22|),|22|inside|22|)|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4129; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32155; rev:1;)
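# CVE-2014-4127 (MS14-056) innerHTML use-after-free, SMTP delivery.
# Contents: <v:line (fast pattern), .contentEditable with true within 10, execCommand with Undo
# within 10, and innerHTML. The pcre then requires a title element whose id is later used to set
# <id>.innerHtml to an empty string.
# pcre fixes (rev bumped to 2): the id capture now accepts an optional quote before the id value
# (id=[\x22\x27]?) - previously id="x" could never match because \w+ does not match the quote,
# so only unquoted ids were detected; and the dot before innerHtml is escaped so it matches a
# literal "." rather than any character. Both changes keep every previous match valid.
# Client-delivery sibling: sid 32153.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer innerHTML use after free attempt"; flow:to_server,established; file_data; content:"<v:line"; fast_pattern:only; content:".contentEditable"; content:"true"; within:10; content:"execCommand"; content:"Undo"; within:10; content:"innerHTML"; pcre:"/title\s+id=[\x22\x27]?(?P<title>\w+).*?(?P=title)\.innerHtml\s*?=\s*?(\x22\x22|\x27\x27)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32154; rev:2;)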
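# CVE-2014-4127 (MS14-056) innerHTML use-after-free, content delivered to clients.
# Contents: <v:line (fast pattern), .contentEditable with true within 10, execCommand with Undo
# within 10, and innerHTML. The pcre then requires a title element whose id is later used to set
# <id>.innerHtml to an empty string.
# pcre fixes (rev bumped to 2): the id capture now accepts an optional quote before the id value
# (id=[\x22\x27]?) - previously id="x" could never match because \w+ does not match the quote,
# so only unquoted ids were detected; and the dot before innerHtml is escaped so it matches a
# literal "." rather than any character. Both changes keep every previous match valid.
# SMTP sibling: sid 32154.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer innerHTML use after free attempt"; flow:to_client,established; file_data; content:"<v:line"; fast_pattern:only; content:".contentEditable"; content:"true"; within:10; content:"execCommand"; content:"Undo"; within:10; content:"innerHTML"; pcre:"/title\s+id=[\x22\x27]?(?P<title>\w+).*?(?P=title)\.innerHtml\s*?=\s*?(\x22\x22|\x27\x27)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32153; rev:2;)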
# CVE-2014-4073 (MS14-057) DCOM sandbox escape, SMTP delivery.
# Single binary content (fast pattern) taken from the reference sample; the byte sequence looks like
# .NET CIL (stloc.s/ldnull/call token patterns) rather than HTML - presumably a managed component
# carried in the message. Any rebuild of that component changes these bytes. Client-delivery sibling: sid 32139.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DCOM sandbox escape attempt"; flow:to_server,established; file_data; content:"|16 13 09 14 13 08 14 13 07 14 13 06 14 0D 14 13 05 28 3E 01 00 06 18 5A FE 0F 13 04 28 0F 00 00 06 13 08 1F 18 28 1E 01 00 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-057; classtype:attempted-user; sid:32140; rev:2;)
# CVE-2014-4073 (MS14-057) DCOM sandbox escape, content delivered to clients.
# Same single binary content as the SMTP sibling sid 32140.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DCOM sandbox escape attempt"; flow:to_client,established; file_data; content:"|16 13 09 14 13 08 14 13 07 14 13 06 14 0D 14 13 05 28 3E 01 00 06 18 5A FE 0F 13 04 28 0F 00 00 06 13 08 1F 18 28 1E 01 00 06|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-057; classtype:attempted-user; sid:32139; rev:2;)
# CVE-2014-4134 (MS14-056) element attribute use-after-free, content delivered to clients.
# (Note the ordering: for this pair the client-delivery rule comes first; the SMTP sibling sid 32137 follows.)
# Two document.body.all[ / .setAttribute pairs, then document.body.all[N].appendChild(X) followed by
# document.createElement( and .setAttribute(. The pcre ties X to a later var X = document.createElement(
# and X.setAttribute( via a named backreference; no fast_pattern is declared, so Snort picks the longest content.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt"; flow:to_client,established; file_data; content:"document.body.all["; nocase; content:".setAttribute"; within:175; nocase; content:"document.body.all["; within:250; nocase; content:".setAttribute"; within:175; nocase; content:"document.body.all["; distance:0; nocase; content:"].appendChild|28|"; within:30; nocase; content:"document.createElement|28|"; within:300; nocase; content:".setAttribute|28|"; within:300; nocase; pcre:"/document\x2ebody\x2eall\x5b\d*\x5D\x2eappendChild\x28(?P<var>\w+)\x29.*?var\s*(?P=var)\s*?=\s*document.createElement\x28.*?(?P=var)\x2esetAttribute\x28/si"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32138; rev:1;)
# CVE-2014-4134 (MS14-056) element attribute use-after-free, SMTP delivery.
# Same content chain and variable-correlating pcre as the client-delivery sibling sid 32138.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt"; flow:to_server,established; file_data; content:"document.body.all["; nocase; content:".setAttribute"; within:175; nocase; content:"document.body.all["; within:250; nocase; content:".setAttribute"; within:175; nocase; content:"document.body.all["; distance:0; nocase; content:"].appendChild|28|"; within:30; nocase; content:"document.createElement|28|"; within:300; nocase; content:".setAttribute|28|"; within:300; nocase; pcre:"/document\x2ebody\x2eall\x5b\d*\x5D\x2eappendChild\x28(?P<var>\w+)\x29.*?var\s*(?P=var)\s*?=\s*document.createElement\x28.*?(?P=var)\x2esetAttribute\x28/si"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32137; rev:1;)
# CVE-2014-4141 (MS14-056) CFunctionPointer use-after-free, SMTP delivery.
# Requires getElementsByTagName("rt"-ish (rt within 3), execCommand( with ms-beginUndoUnit within 17
# (fast pattern), document.body.parentElement, document.body.parentTextEdit, and execCommand( with
# Undo within 5. This rule is rev:1 while the client-delivery sibling sid 32184 is rev:2; the
# detection options shown are the same, so the revision drift is cosmetic.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CFunctionPointer use after free exploit attempt"; flow:to_server,established; file_data; content:".getElementsByTagName("; nocase; content:"rt"; within:3; content:".execCommand("; nocase; content:"ms-beginUndoUnit"; within:17; fast_pattern; nocase; content:"document.body.parentElement"; nocase; content:"document.body.parentTextEdit"; nocase; content:".execCommand("; nocase; content:"Undo"; within:5; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4141; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32185; rev:1;)
# CVE-2014-4141 (MS14-056) CFunctionPointer use-after-free, content delivered to clients.
# Same content chain as the SMTP sibling sid 32185.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CFunctionPointer use after free exploit attempt"; flow:to_client,established; file_data; content:".getElementsByTagName("; nocase; content:"rt"; within:3; content:".execCommand("; nocase; content:"ms-beginUndoUnit"; within:17; fast_pattern; nocase; content:"document.body.parentElement"; nocase; content:"document.body.parentTextEdit"; nocase; content:".execCommand("; nocase; content:"Undo"; within:5; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4141; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32184; rev:2;)
# CVE-2014-4137 (MS14-056) CTableLayout AddRow out-of-bounds access, SMTP delivery.
# Contents: createT (a prefix, presumably for the table createT* methods), a following
# document.getElementById( and deleteRow(-1) within 80 bytes (fast pattern). The short createT
# prefix is loose on its own; deleteRow(-1) carries the specificity. Client-delivery sibling: sid 32182.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableLayout AddRow out of bounds array access heap corruption attempt"; flow:to_server,established; file_data; content:"createT"; nocase; content:"document.getElementById("; distance:0; nocase; content:"deleteRow(-1)"; within:80; fast_pattern; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4137; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32183; rev:1;)
# CVE-2014-4137 (MS14-056) CTableLayout AddRow out-of-bounds access, content delivered to clients.
# Same createT / getElementById( / deleteRow(-1) chain as the SMTP sibling sid 32183.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableLayout AddRow out of bounds array access heap corruption attempt"; flow:to_client,established; file_data; content:"createT"; nocase; content:"document.getElementById("; distance:0; nocase; content:"deleteRow(-1)"; within:80; fast_pattern; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4137; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:32182; rev:1;)
# Disabled by default. CVE-2004-2219 (bugtraq 10943) address bar spoof without scripting, SMTP delivery.
# Looks for an <a ... target=newwindow ... href=...> whose href scheme is NOT one of the known IE
# scheme handlers (negative lookahead list). Both the content and the pcre hard-code the literal
# target name newwindow, so a different window name is not matched. Client-delivery sibling: sid 32230.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer address bar spoofing without scripting"; flow:to_server,established; file_data; content:"<body"; nocase; content:"<a "; distance:0; nocase; content:"target="; within:80; nocase; content:"newwindow"; within:10; nocase; content:"href="; within:80; nocase; pcre:"/<a[^>]{1,80}target=(\x22|\x27|)newwindow(\x22|\x27|)[^>]{1,80}href=\s*(\x5C[\x22\x27])?\s*(?!(about|cdl|dvd|file|ftp|gopher|http|https|ipp|its|javascript|local|mailto|mhtml|mk|msdaipp|ms-its|res|sysimage|tv|vbscript|wia)).{1,10}\:/i"; metadata:service smtp; reference:bugtraq,10943; reference:cve,2004-2219; classtype:attempted-user; sid:32231; rev:1;)
# Disabled by default. CVE-2004-2219 (bugtraq 10943) address bar spoof without scripting,
# content delivered to clients. Same anchor/target=newwindow/unknown-scheme pcre as the SMTP sibling sid 32231.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer address bar spoofing without scripting"; flow:to_client,established; file_data; content:"<body"; nocase; content:"<a "; distance:0; nocase; content:"target="; within:80; nocase; content:"newwindow"; within:10; nocase; content:"href="; within:80; nocase; pcre:"/<a[^>]{1,80}target=(\x22|\x27|)newwindow(\x22|\x27|)[^>]{1,80}href=\s*(\x5C[\x22\x27])?\s*(?!(about|cdl|dvd|file|ftp|gopher|http|https|ipp|its|javascript|local|mailto|mhtml|mk|msdaipp|ms-its|res|sysimage|tv|vbscript|wia)).{1,10}\:/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,10943; reference:cve,2004-2219; classtype:attempted-user; sid:32230; rev:1;)
# Disabled by default. CVE-2014-4140 (MS14-056) IE11 out-of-bounds array access, SMTP delivery.
# Requires <basefont ... </basefont within 250 with one of several carriage-return encodings in between.
# NOTE(review): in this rendering the pcre is split after "(" - the first alternative appears to be a raw
# carriage-return byte embedded in the pattern rather than a PCRE escape such as \x0d. Line-based tooling
# or line-ending normalization would then split this rule across two lines and the continuation would no
# longer be commented out, producing a parse error on load. Confirm against the original bytes and prefer
# the escaped form before re-enabling. The same applies to the client-delivery sibling sid 32266.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 out of bounds array access attempt"; flow:to_server,established; file_data; content:"<basefont"; nocase; content:"</basefont"; within:250; nocase; pcre:"/\x3cbasefont.{0,250}(
|0x0D|0x000D|0x0000000D|\x5cu000D).{0,5}\x3c\x2fbasefont/smi"; metadata:service smtp; reference:cve,2014-4140; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32267; rev:2;)
# Disabled by default. CVE-2014-4140 (MS14-056) IE11 out-of-bounds array access, content delivered to clients.
# NOTE(review): as with the SMTP sibling sid 32267, the pcre is split after "(" in this rendering -
# presumably a raw carriage-return byte inside the pattern. Confirm the original bytes and replace it
# with an escape such as \x0d so line-based tooling cannot break the rule.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 out of bounds array access attempt"; flow:to_client,established; file_data; content:"<basefont"; nocase; content:"</basefont"; within:250; nocase; pcre:"/\x3cbasefont.{0,250}(
|0x0D|0x000D|0x0000000D|\x5cu000D).{0,5}\x3c\x2fbasefont/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4140; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32266; rev:2;)
# Disabled by default. CVE-2014-4123 (MS14-056) ActiveX installer broker sandbox escape, SMTP delivery.
# Gated on the file.exe flowbit (set by a file-type rule that is not in this chunk), then matches a
# 32-byte sequence that looks like an MSVC function prologue with SEH setup (55 8B EC = push ebp /
# mov ebp,esp; 6A FF 68 ... 64 A1 00 00 00 00 = push -1 / push imm32 / mov eax,fs:[0]). The embedded
# immediates are build-specific, so this identifies one particular binary. Client-delivery sibling: sid 32264.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-4123; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:2;)
# Disabled by default. CVE-2014-4123 (MS14-056) ActiveX installer broker sandbox escape,
# content delivered to clients. Same file.exe flowbit gate and 32-byte binary content as the SMTP sibling sid 32265.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE ActiveX installer broker object sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4123; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32264; rev:2;)
# Disabled by default. CVE-2014-4124 (MS14-056) and CVE-2015-1743 (MS15-056) ActiveX installer broker
# privilege elevation, SMTP delivery. Matches adjacent printf-style diagnostic strings
# ("r Broker: %p" and "Created AX Install Broker: %p") presumably present in the delivered binary; no
# file-type flowbit is required here, unlike sid 32265. Client-delivery sibling: sid 32262.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Active X installer broker privilege elevation attempt"; flow:to_server,established; file_data; content:"r Broker: %p|0A 00 00 00 00|Created AX Install Broker: %p|0A|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-4124; reference:cve,2015-1743; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-user; sid:32263; rev:3;)
# Disabled by default. CVE-2014-4124 (MS14-056) and CVE-2015-1743 (MS15-056) ActiveX installer broker
# privilege elevation, content delivered to clients. Same diagnostic-string content as the SMTP sibling sid 32263.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Active X installer broker privilege elevation attempt"; flow:to_client,established; file_data; content:"r Broker: %p|0A 00 00 00 00|Created AX Install Broker: %p|0A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4124; reference:cve,2015-1743; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-user; sid:32262; rev:3;)
# Disabled by default. CVE-2014-4063 (MS14-051) onreadystatechange use-after-free, SMTP delivery.
# Requires onreadystatechange plus execCommand( with selectAll within 25 and execCommand( with Indent
# within 25, all case-insensitive. No fast_pattern is declared, so Snort selects the longest content.
# Client-delivery sibling: sid 32317.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt"; flow:to_server,established; file_data; content:"onreadystatechange"; nocase; content:"execCommand|28|"; nocase; content:"selectAll"; within:25; nocase; content:"execCommand|28|"; nocase; content:"Indent"; within:25; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4063; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:32318; rev:2;)
# Disabled by default. CVE-2014-4063 (MS14-051) onreadystatechange use-after-free, content delivered
# to clients. Same onreadystatechange / execCommand(selectAll) / execCommand(Indent) chain as the SMTP sibling sid 32318.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt"; flow:to_client,established; file_data; content:"onreadystatechange"; nocase; content:"execCommand|28|"; nocase; content:"selectAll"; within:25; nocase; content:"execCommand|28|"; nocase; content:"Indent"; within:25; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4063; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:32317; rev:2;)
# NOTE(review): scope differs from the other to_server SMTP rules in this section, which use
# $EXTERNAL_NET any -> $SMTP_SERVERS 25. This one matches any source (including internal hosts)
# to any $HOME_NET address on port 25, so it also sees internal-to-internal mail. It is enabled
# and set to drop in the balanced, max-detect and security policies; confirm the wider scope
# is intentional before deploying, or align it with its siblings.
alert tcp any any -> $HOME_NET 25 (msg:"BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt"; flow:to_server,established; file_data; content:".addEventListener"; content:"DOMNodeRemoved"; within:32; fast_pattern; content:".createElement|28|"; within:150; content:"div"; within:10; content:".appendChild|28|"; within:150; content:".selectAllChildren|28|"; within:150; content:".deleteFromDocument|28|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0274; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:32365; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VML use after free attempt"; flow:to_server,established; file_data; content:"url|28 23|default|23|VML|29|"; fast_pattern:only; content:"schemas-microsoft-com|3A|vml"; nocase; content:"onpropertychange"; nocase; content:"removeNode"; distance:0; nocase; pcre:"/onpropertychange(\x22\x5d)?\s*?=\s*?function\s*?\x28\s*?\x29\s*?\x7b[^\x7d]*?this[^\x3b]+?removeNode[^\x3b]*?\x28true\x29/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67075; reference:cve,2014-1776; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-021; classtype:attempted-user; sid:32363; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VML use after free attempt"; flow:to_client,established; file_data; content:"url|28 23|default|23|VML|29|"; fast_pattern:only; content:"schemas-microsoft-com|3A|vml"; nocase; content:"onpropertychange"; nocase; content:"removeNode"; distance:0; nocase; pcre:"/onpropertychange(\x22\x5d)?\s*?=\s*?function\s*?\x28\s*?\x29\s*?\x7b[^\x7d]*?this[^\x3b]+?removeNode[^\x3b]*?\x28true\x29/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67075; reference:cve,2014-1776; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-021; classtype:attempted-user; sid:32362; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt"; flow:to_server,established; file_data; content:"applyElement(document.createElement("; nocase; content:"frameset"; within:10; nocase; content:"window.location.href"; within:50; nocase; content:"quotes:none"; within:200; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6351; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:32498; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt"; flow:to_client,established; file_data; content:"applyElement(document.createElement("; nocase; content:"frameset"; within:10; nocase; content:"window.location.href"; within:50; nocase; content:"quotes:none"; within:200; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6351; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:32497; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 CStyleSheet object use after free attempt"; flow:to_server,established; file_data; content:".setAttribute|28 22|type|22|, null|29|"; fast_pattern:only; content:".addImport"; content:".imports.item|28|"; within:50; content:".removeImport|28|"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6341; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-user; sid:32496; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 CStyleSheet object use after free attempt"; flow:to_client,established; file_data; content:".setAttribute|28 22|type|22|, null|29|"; fast_pattern:only; content:".addImport"; content:".imports.item|28|"; within:50; content:".removeImport|28|"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6341; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-user; sid:32495; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer information disclosure attempt"; flow:to_server,established; file_data; content:"window.onerror = function(e, url) {"; nocase; content:"<script src|3D 22|http|3A|//vict"; within:75; nocase; metadata:service smtp; reference:cve,2014-6346; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:misc-activity; sid:32492; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer information disclosure attempt"; flow:to_client,established; file_data; content:"window.onerror = function(e, url) {"; nocase; content:"<script src|3D 22|http|3A|//vict"; within:75; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6346; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:misc-activity; sid:32491; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer immutable application settings sandbox escape attempt"; flow:to_server,established; file_data; content:"|5C 00|B|00|a|00|s|00|e|00|N|00|a|00|m|00|e|00|d|00|O|00|b|00|j|00|e|00|c|00|t|00|s|00 5C 00|i|00|e|00|_|00|i|00|a|00|s|00|_"; fast_pattern:only; content:"|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0"; content:"|5C 00|S|00|e|00|s|00|s|00|i|00|o|00|n|00|s|00 5C 00|"; metadata:service smtp; reference:cve,2014-6349; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:32485; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer immutable application settings sandbox escape attempt"; flow:to_client,established; file_data; content:"|5C 00|B|00|a|00|s|00|e|00|N|00|a|00|m|00|e|00|d|00|O|00|b|00|j|00|e|00|c|00|t|00|s|00 5C 00|i|00|e|00|_|00|i|00|a|00|s|00|_"; fast_pattern:only; content:"|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0"; content:"|5C 00|S|00|e|00|s|00|s|00|i|00|o|00|n|00|s|00 5C 00|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6349; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:32484; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer pasteHTML use after free attempt"; flow:to_server,established; file_data; content:".selection.createRange().pasteHTML("; fast_pattern:only; content:".createTextRange("; nocase; content:"Outdent"; within:25; nocase; content:".createTextRange("; nocase; content:"SelectAll"; within:25; nocase; content:".style.display"; nocase; content:"none"; within:15; nocase; metadata:service smtp; reference:cve,2014-6339; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-user; sid:32483; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer pasteHTML use after free attempt"; flow:to_client,established; file_data; content:".selection.createRange().pasteHTML("; fast_pattern:only; content:".createTextRange("; nocase; content:"Outdent"; within:25; nocase; content:".createTextRange("; nocase; content:"SelectAll"; within:25; nocase; content:".style.display"; nocase; content:"none"; within:15; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6339; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-user; sid:32482; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSecurityContext use after free attempt"; flow:to_server,established; file_data; content:".clearAttributes("; fast_pattern:only; content:".contentWindow.document"; nocase; content:"setTimeout("; within:150; nocase; content:".contentWindow.document"; within:800; nocase; content:"setTimeout("; within:150; nocase; content:".contentWindow.document"; within:800; nocase; content:"setTimeout("; within:150; nocase; metadata:policy balanced-ips alert, policy security-ips drop, service smtp; reference:cve,2014-4143; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-user; sid:32479; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSecurityContext use after free attempt"; flow:to_client,established; file_data; content:".clearAttributes("; fast_pattern:only; content:".contentWindow.document"; nocase; content:"setTimeout("; within:150; nocase; content:".contentWindow.document"; within:800; nocase; content:"setTimeout("; within:150; nocase; content:".contentWindow.document"; within:800; nocase; content:"setTimeout("; within:150; nocase; metadata:policy balanced-ips alert, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-4143; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-user; sid:32478; rev:1;)
# byte_test here reads up to 6 ASCII characters immediately after "(&h" as a hexadecimal
# number (string,hex; relative to the previous match) and fires when the value exceeds 1000,
# i.e. an oversized array bound in a "redim preserve" statement. The rule that follows is the
# decimal-literal counterpart (string,dec after a bare "(").
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt"; flow:to_server,established; file_data; content:"redim"; nocase; content:"preserve"; within:20; nocase; content:"(&h"; within:20; byte_test:6,>,1000,0,relative,string,hex; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6332; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-064; classtype:attempted-dos; sid:32473; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt"; flow:to_server,established; file_data; content:"redim"; nocase; content:"preserve"; within:20; nocase; content:"("; within:20; byte_test:6,>,1000,0,relative,string,dec; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6332; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-064; classtype:attempted-dos; sid:32472; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt"; flow:to_client,established; file_data; content:"redim"; nocase; content:"preserve"; within:20; nocase; content:"(&h"; within:20; byte_test:6,>,1000,0,relative,string,hex; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6332; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-064; classtype:attempted-dos; sid:32471; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt"; flow:to_client,established; file_data; content:"redim"; nocase; content:"preserve"; within:20; nocase; content:"("; within:20; byte_test:6,>,1000,0,relative,string,dec; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6332; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-064; classtype:attempted-dos; sid:32470; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CPtsTextParaclient out of bounds error remote code execution attempt"; flow:to_server,established; file_data; content:"position: relative"; nocase; content:"position: fixed"; nocase; content:"display: block"; nocase; content:"appendChild(document.createElement"; fast_pattern:only; content:"addNode(document.documentElement"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6342; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-admin; sid:32461; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CPtsTextParaclient out of bounds error remote code execution attempt"; flow:to_client,established; file_data; content:"position: relative"; nocase; content:"position: fixed"; nocase; content:"display: block"; nocase; content:"appendChild(document.createElement"; fast_pattern:only; content:"addNode(document.documentElement"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6342; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-admin; sid:32460; rev:2;)
# NOTE(review): this disabled to_server rule is at rev:3 while its to_client twin (sid:32458,
# three lines below) is at rev:2, although the detection options of the two are identical in this
# file. The mismatch suggests one side was bumped without the other; compare both against the
# upstream release before enabling either.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer clipboardData unauthorized JavaScript read and write attempt"; flow:to_server,established; file_data; content:"onpaste"; nocase; content:"clipboardData.getData"; distance:0; content:"clipboardData.setData"; within:150; nocase; metadata:service smtp; reference:cve,2014-6323; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-admin; sid:32459; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer clipboardData unauthorized JavaScript read and write attempt"; flow:to_client,established; file_data; content:"onpaste"; nocase; content:"clipboardData.getData"; distance:0; content:"clipboardData.setData"; within:150; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6323; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-admin; sid:32458; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CElementIDContextList use after free attempt"; flow:to_server,established; file_data; content:"|27|NaN|27|, |27|thick|27|, |27|DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD|27|, |27|dir"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6343; reference:cve,2015-1662; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:32443; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElementIDContextList use after free attempt"; flow:to_client,established; file_data; content:"|27|NaN|27|, |27|thick|27|, |27|DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD|27|, |27|dir"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6343; reference:cve,2015-1662; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:32442; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"document.createElement('BUTTON')"; content:"id_1.insertBefore(id_14, id_1.childNodes[1])"; fast_pattern:only; content:"id_2.offsetLeft = id_2.offsetLeft"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6344; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-user; sid:32441; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"document.createElement('BUTTON')"; content:"id_1.insertBefore(id_14, id_1.childNodes[1])"; fast_pattern:only; content:"id_2.offsetLeft = id_2.offsetLeft"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6344; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-user; sid:32440; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 CHTMLEditorProxy use after free attempt"; flow:to_server,established; file_data; content:"|5C|u475046"; fast_pattern:only; content:"onkeydown"; content:"window.location.reload"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6353; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-user; sid:32439; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 CHTMLEditorProxy use after free attempt"; flow:to_client,established; file_data; content:"|5C|u475046"; fast_pattern:only; content:"onkeydown"; content:"window.location.reload"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6353; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-user; sid:32438; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer document.URL override information disclosure attempt"; flow:to_server,established; file_data; content:"IE_DisplayURL"; fast_pattern:only; content:".ExecWB(51, "; content:"<script"; metadata:service smtp; reference:cve,2014-6340; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-recon; sid:32437; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer document.URL override information disclosure attempt"; flow:to_client,established; file_data; content:"IE_DisplayURL"; fast_pattern:only; content:".ExecWB(51, "; content:"<script"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6340; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-recon; sid:32436; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CHeaderElement object use-after-free remote code execution attempt"; flow:to_server,established; file_data; content:"createRange().pasteHTML("; nocase; content:"createTextRange()"; within:70; nocase; content:"moveToElementText(document.getElementsByTagName"; within:100; nocase; content:"select()"; within:100; nocase; content:"insertimage"; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6348; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-admin; sid:32431; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHeaderElement object use-after-free remote code execution attempt"; flow:to_client,established; file_data; content:"createRange().pasteHTML("; nocase; content:"createTextRange()"; within:70; nocase; content:"moveToElementText(document.getElementsByTagName"; within:100; nocase; content:"select()"; within:100; nocase; content:"insertimage"; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6348; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:attempted-admin; sid:32430; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer contentEditable use after free attempt"; flow:to_server,established; file_data; content:".contentEditable"; nocase; content:"true"; within:15; nocase; content:"document.selection.createRange().scrollIntoView("; within:100; nocase; content:".contentEditable"; within:75; nocase; content:"false"; within:15; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6337; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:32427; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer contentEditable use after free attempt"; flow:to_client,established; file_data; content:".contentEditable"; nocase; content:"true"; within:15; nocase; content:"document.selection.createRange().scrollIntoView("; within:100; nocase; content:".contentEditable"; within:75; nocase; content:"false"; within:15; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6337; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:32426; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt"; flow:to_server,established; file_data; content:".createTextNode|28|"; nocase; content:".__proto__"; within:100; nocase; content:"document.documentElement.dataset"; within:40; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:32425; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt"; flow:to_client,established; file_data; content:".createTextNode|28|"; nocase; content:".__proto__"; within:100; nocase; content:"document.documentElement.dataset"; within:40; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:32424; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer style sheet array memory corruption attempt"; flow:to_server,established; file_data; content:"document.styleSheets|5B|"; fast_pattern; nocase; content:"|5D|.imports"; within:10; nocase; content:".appendChild|28|"; within:40; nocase; content:".removeChild|28|"; within:40; nocase; content:"outerHTML"; within:40; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,40410; reference:cve,2010-1117; reference:cve,2010-1118; reference:cve,2010-1259; reference:cve,2010-1262; reference:cve,2011-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-002; classtype:attempted-user; sid:32532; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt"; flow:to_server,established; file_data; content:"myarray"; content:"chrw"; within:10; content:"chrw"; within:20; content:"32767"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6332; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-064; classtype:attempted-dos; sid:32565; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt"; flow:to_client,established; file_data; content:"myarray"; content:"chrw"; within:10; content:"chrw"; within:20; content:"32767"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6332; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-064; classtype:attempted-dos; sid:32564; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt"; flow:to_server,established; file_data; content:"redim Preserve arr(&h8000002)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6332; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-064; classtype:attempted-dos; sid:32630; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt"; flow:to_client,established; file_data; content:"redim Preserve arr(&h8000002)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6332; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-064; classtype:attempted-dos; sid:32629; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos insertAdjacentText use after free attempt"; flow:to_server,established; file_data; content:"addEventListener"; nocase; content:"DOMSubtreeModified"; within:30; nocase; content:"currentTarget.insertAdjacentText"; within:300; nocase; content:"currentTarget.insertAdjacentText"; within:75; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2014-6329; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-080; classtype:attempted-user; sid:32725; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos insertAdjacentText use after free attempt"; flow:to_client,established; file_data; content:"addEventListener"; nocase; content:"DOMSubtreeModified"; within:30; nocase; content:"currentTarget.insertAdjacentText"; within:300; nocase; content:"currentTarget.insertAdjacentText"; within:75; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6329; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-080; classtype:attempted-user; sid:32724; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CButton object use after free attempt"; flow:to_server,established; file_data; content:".attachEvent("; nocase; content:".fireEvent("; within:100; nocase; content:".attachEvent("; within:100; nocase; content:".fireEvent("; within:100; nocase; content:".attachEvent("; within:100; nocase; content:".fireEvent("; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6375; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-080; classtype:attempted-user; sid:32723; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CButton object use after free attempt"; flow:to_client,established; file_data; content:".attachEvent("; nocase; content:".fireEvent("; within:100; nocase; content:".attachEvent("; within:100; nocase; content:".fireEvent("; within:100; nocase; content:".attachEvent("; within:100; nocase; content:".fireEvent("; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6375; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-080; classtype:attempted-user; sid:32722; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer element type confusion use after free attempt"; flow:to_server,established; file_data; content:"attachEvent("; nocase; content:"onpropertychange"; within:30; nocase; content:"createTFoot()"; distance:0; nocase; content:"setAttribute("; within:30; nocase; content:"innerHTML"; within:20; nocase; content:"true"; within:10; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8966; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-080; classtype:attempted-user; sid:32721; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer element type confusion use after free attempt"; flow:to_client,established; file_data; content:"attachEvent("; nocase; content:"onpropertychange"; within:30; nocase; content:"createTFoot()"; distance:0; nocase; content:"setAttribute("; within:30; nocase; content:"innerHTML"; within:20; nocase; content:"true"; within:10; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8966; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-080; classtype:attempted-user; sid:32720; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt"; flow:to_server,established; file_data; content:"base"; nocase; content:"attachEvent"; nocase; content:"onpropertychange"; within:50; nocase; content:"applyElement"; within:75; nocase; content:"srcElement"; nocase; pcre:"/srcelement.*(outer|inner)(text|html)/iG"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6366; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-080; classtype:attempted-user; sid:32717; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt"; flow:to_client,established; file_data; content:"base"; nocase; content:"attachEvent"; nocase; content:"onpropertychange"; within:50; nocase; content:"applyElement"; within:75; nocase; content:"srcElement"; nocase; pcre:"/srcelement.*(outer|inner)(text|html)/iG"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6366; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-080; classtype:attempted-user; sid:32716; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 10 CTableSection remote code execution attempt"; flow:to_server,established; file_data; content:"createElement"; content:"setAttribute"; within:100; content:"clearAttributes"; within:50; content:"null"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6369; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-080; classtype:attempted-user; sid:32715; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 10 CTableSection remote code execution attempt"; flow:to_client,established; file_data; content:"createElement"; content:"setAttribute"; within:100; content:"clearAttributes"; within:50; content:"null"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6369; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-080; classtype:attempted-user; sid:32714; rev:1;)
# Disabled by default. Watches requests leaving internal clients toward any
# server (source is $HOME_NET, destination is "any", not $EXTERNAL_NET). It keys
# on a double-URL-encoded '<' (%253C) followed, at least 4 bytes later, by a
# double-encoded '>' (%253E) in the raw, un-normalised URI (http_raw_uri), which
# is why the normalised http_uri buffer is not used here. Expect benign hits on
# applications that legitimately double-encode query parameters; tune per site.
# alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt"; flow:to_server,established; content:"%253C"; fast_pattern:only; content:"%253C"; nocase; http_raw_uri; content:"%253E"; distance:4; nocase; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-6365; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-080; classtype:web-application-attack; sid:32710; rev:3;)
# NOTE(review): this is the only rule in the section written as
# "flow:to_client, established" (space after the comma); every sibling uses
# "flow:to_client,established". The whitespace appears to be tolerated by the
# flow parser, but confirm with a parse test before depending on it, and bump
# rev if the option string is normalised. Unlike most detections in this section
# it has no SMTP / $FILE_DATA_PORTS counterpart, so the same payload delivered
# over mail or FTP is not covered by this sid.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE VBScript RegEx use-after-free attempt"; flow:to_client, established; file_data; content:"|7C|()*?"; fast_pattern:only; content:"New RegExp"; content:".Global"; within:100; content:"True"; within:10; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2014-6363; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-080; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-084; classtype:attempted-user; sid:32709; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use of rtf file in clipboard attempt"; flow:to_server,established; file_data; content:"designMode"; content:"execCommand"; within:100; content:"InsertInputFileUpload"; within:50; content:"execCommand"; within:50; content:"Copy"; within:25; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6374; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-080; classtype:attempted-user; sid:32704; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use of rtf file in clipboard attempt"; flow:to_client,established; file_data; content:"designMode"; content:"execCommand"; within:100; content:"InsertInputFileUpload"; within:50; content:"execCommand"; within:50; content:"Copy"; within:25; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6374; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-080; classtype:attempted-user; sid:32703; rev:1;)
# Disabled by default. This rule, and sids 32701/32700/32699/32698/32697 that
# follow it, only evaluate when the "file.jpeg" flowbit is already set
# (flowbits:isset); that bit has to be raised by a file-type identification rule
# outside this section. Enabling these without that rule active means they can
# never fire. Each variant pins a different first byte of the 17-byte Huffman
# table count field that follows the FF C4 marker; sids 32696/32695 are the
# all-zero case and anchor on the JPEG SOI bytes (depth:3) instead of the flowbit.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8|"; content:"|FF C0|"; distance:0; content:"|FF C4|"; distance:0; content:"|11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:17; distance:2; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6355; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-085; classtype:attempted-user; sid:32702; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8|"; content:"|FF C0|"; distance:0; content:"|FF C4|"; distance:0; content:"|11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:17; distance:2; fast_pattern; metadata:service smtp; reference:cve,2014-6355; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-085; classtype:attempted-user; sid:32701; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8|"; content:"|FF C0|"; distance:0; content:"|FF C4|"; distance:0; content:"|10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:17; distance:2; fast_pattern; metadata:service smtp; reference:cve,2014-6355; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-085; classtype:attempted-user; sid:32700; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8|"; content:"|FF C0|"; distance:0; content:"|FF C4|"; distance:0; content:"|10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:17; distance:2; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6355; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-085; classtype:attempted-user; sid:32699; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8|"; content:"|FF C0|"; distance:0; content:"|FF C4|"; distance:0; content:"|01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:17; distance:2; fast_pattern; metadata:service smtp; reference:cve,2014-6355; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-085; classtype:attempted-user; sid:32698; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8|"; content:"|FF C0|"; distance:0; content:"|FF C4|"; distance:0; content:"|01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:17; distance:2; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6355; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-085; classtype:attempted-user; sid:32697; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt"; flow:to_server,established; file_data; content:"|FF D8 FF|"; depth:3; fast_pattern; content:"|FF C0|"; distance:0; content:"|FF C4|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:17; distance:2; metadata:service smtp; reference:cve,2014-6355; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-085; classtype:attempted-user; sid:32696; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt"; flow:to_client,established; file_data; content:"|FF D8 FF|"; depth:3; fast_pattern; content:"|FF C0|"; distance:0; content:"|FF C4|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:17; distance:2; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6355; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-085; classtype:attempted-user; sid:32695; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSS out-of-bounds buffer access attempt"; flow:to_server,established; file_data; content:"#thiz_iz a {"; content:".wesome { }"; distance:0; metadata:service smtp; reference:cve,2014-6368; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-080; classtype:attempted-user; sid:32694; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS out-of-bounds buffer access attempt"; flow:to_client,established; file_data; content:"#thiz_iz a {"; content:".wesome { }"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6368; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-080; classtype:attempted-user; sid:32693; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer NodeFilter use after free attempt"; flow:to_server,established; file_data; content:"NodeFilter.FILTER_REJECT"; fast_pattern:only; content:".createTreeWalker"; nocase; content:".execCommand"; distance:0; nocase; content:".appendChild"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6330; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-080; classtype:attempted-user; sid:32692; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer NodeFilter use after free attempt"; flow:to_client,established; file_data; content:"NodeFilter.FILTER_REJECT"; fast_pattern:only; content:".createTreeWalker"; nocase; content:".execCommand"; distance:0; nocase; content:".appendChild"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6330; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-080; classtype:attempted-user; sid:32691; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer style object type confusion attempt"; flow:to_server,established; file_data; content:"SetTimeout("; nocase; content:".parentNode.appendChild("; within:150; nocase; content:".style.setProperty("; within:150; nocase; content:"table-cell"; within:35; nocase; content:".style.setProperty("; within:150; nocase; content:"relative"; within:35; nocase; content:"location.reload"; within:150; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2014-6373; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-080; classtype:attempted-user; sid:32690; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer style object type confusion attempt"; flow:to_client,established; file_data; content:"SetTimeout("; nocase; content:".parentNode.appendChild("; within:150; nocase; content:".style.setProperty("; within:150; nocase; content:"table-cell"; within:35; nocase; content:".style.setProperty("; within:150; nocase; content:"relative"; within:35; nocase; content:"location.reload"; within:150; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6373; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-080; classtype:attempted-user; sid:32689; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer setTimeout use after free attempt"; flow:to_server,established; file_data; content:"iframe"; nocase; content:"getElementById"; within:300; nocase; content:".removeChild"; within:50; nocase; content:"delete"; within:20; nocase; content:".appendChild"; distance:0; nocase; content:"setTimeout("; within:30; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6327; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-080; classtype:attempted-user; sid:32686; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer setTimeout use after free attempt"; flow:to_client,established; file_data; content:"iframe"; nocase; content:"getElementById"; within:300; nocase; content:".removeChild"; within:50; nocase; content:"delete"; within:20; nocase; content:".appendChild"; distance:0; nocase; content:"setTimeout("; within:30; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6327; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-080; classtype:attempted-user; sid:32685; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer lineboxbuilder out of bound array access attempt"; flow:to_server,established; file_data; content:"nth-child("; nocase; content:"::before"; within:20; nocase; content:".createTextRange("; nocase; content:".insertAdjacentHTML("; within:100; nocase; content:"beforeend"; within:20; nocase; metadata:policy security-ips drop, service smtp; reference:cve,2014-6376; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-080; classtype:attempted-user; sid:32680; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer lineboxbuilder out of bound array access attempt"; flow:to_client,established; file_data; content:"nth-child("; nocase; content:"::before"; within:20; nocase; content:".createTextRange("; nocase; content:".insertAdjacentHTML("; within:100; nocase; content:"beforeend"; within:20; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6376; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-080; classtype:attempted-user; sid:32679; rev:1;)
# Disabled by default. NOTE(review): the msg spells the class "CheaderElement";
# sids 33424/33423 further down, which cover the same CVE-2014-8967, spell it
# "CHeaderElement". Harmonising the text changes the emitted alert string and so
# needs a rev bump. Every content match here is a verbatim fragment of one
# proof-of-concept (exact argument spacing, quote style and insertRule text), so
# treat a hit as high-confidence but expect rewritten variants to be missed;
# 33424/33423 use a looser, anchored form of the same insertRule marker.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CheaderElement use after free attempt"; flow:to_server,established; file_data; content:".styleSheets[0].insertRule(' * {display: run-in|3B|}', 0)"; fast_pattern:only; content:"defaultView.scrollBy(1, 1)"; content:".execCommand('selectAll'"; within:200; content:".execCommand('justifyLeft'"; within:200; content:".getSelection().deleteFromDocument()"; within:200; metadata:service smtp; reference:cve,2014-8967; classtype:attempted-user; sid:32778; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CheaderElement use after free attempt"; flow:to_client,established; file_data; content:".styleSheets[0].insertRule(' * {display: run-in|3B|}', 0)"; fast_pattern:only; content:"defaultView.scrollBy(1, 1)"; content:".execCommand('selectAll'"; within:200; content:".execCommand('justifyLeft'"; within:200; content:".getSelection().deleteFromDocument()"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-8967; classtype:attempted-user; sid:32777; rev:2;)
# Enabled and set to drop in balanced, security and max-detect policies. The
# single content match is an opaque 32-character literal taken from a specific
# sample, so this sid is effectively an indicator match for that sample rather
# than a detection of the CVE-2014-6332 technique itself: a hit is near-certain
# malicious, but any variant that changes the string will pass. Pair it with
# the behavioural VBScript rules elsewhere in this file for real coverage.
# sid 33115 below is the same match for the $FILE_DATA_PORTS (HTTP/FTP/IMAP/POP3) direction.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt"; flow:to_server,established; file_data; content:"HIvIauuKF6i9p*qI1wE8J*znjk3Yl8td"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6332; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-064; classtype:attempted-dos; sid:33116; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt"; flow:to_client,established; file_data; content:"HIvIauuKF6i9p*qI1wE8J*znjk3Yl8td"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6332; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-064; classtype:attempted-dos; sid:33115; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt"; flow:to_server,established; file_data; content:"<canvas"; content:".getContext"; content:"2d"; within:5; content:".quadraticCurveTo("; within:50; content:".shadowOffsetX"; within:100; content:".shadowColor"; within:100; content:".shadowBlur"; within:50; content:".globalCompositeOperation"; within:100; content:".quadraticCurveTo("; within:100; content:".stroke("; within:100; content:".lineWidth"; within:50; content:".strokeRect("; within:50; metadata:policy security-ips drop, service smtp; reference:cve,2014-1773; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-035; classtype:attempted-user; sid:33158; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt"; flow:to_client,established; file_data; content:"<canvas"; content:".getContext"; content:"2d"; within:5; content:".quadraticCurveTo("; within:50; content:".shadowOffsetX"; within:100; content:".shadowColor"; within:100; content:".shadowBlur"; within:50; content:".globalCompositeOperation"; within:100; content:".quadraticCurveTo("; within:100; content:".stroke("; within:100; content:".lineWidth"; within:50; content:".strokeRect("; within:50; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1773; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-035; classtype:attempted-user; sid:33157; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt"; flow:to_server,established; file_data; content:"document[|22|createElement|22|]('fr' + |22|name|22|.substr(1,3) + 's' + |22|e|22| + 't')"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6351; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:33196; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt"; flow:to_client,established; file_data; content:"document[|22|createElement|22|]('fr' + |22|name|22|.substr(1,3) + 's' + |22|e|22| + 't')"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6351; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:33195; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt"; flow:to_server,established; file_data; content:"[|22|appendChild|22|](document.createElement(|22|french|22|.substr(0,2) + 'ame' + |22|marmaset|22|.substr(5,3)))"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6351; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:33194; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt"; flow:to_server,established; file_data; content:"[|22|appendChild|22|](document.createElement('fr' + |22|name|22|.substr(1,3) + 's' + |22|e|22| + 't'))"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6351; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:33193; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt"; flow:to_client,established; file_data; content:"[|22|appendChild|22|](document.createElement(|22|french|22|.substr(0,2) + 'ame' + |22|marmaset|22|.substr(5,3)))"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6351; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:33192; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt"; flow:to_client,established; file_data; content:"[|22|appendChild|22|](document.createElement('fr' + |22|name|22|.substr(1,3) + 's' + |22|e|22| + 't'))"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6351; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:33191; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt"; flow:to_server,established; file_data; content:"<iframe"; nocase; content:"src"; within:150; nocase; content:".php"; within:50; nocase; content:"<iframe"; within:200; nocase; content:"src"; within:150; nocase; content:"http"; within:50; nocase; content:"<script"; distance:0; nocase; content:"top"; within:100; content:".location="; within:100; metadata:service smtp; reference:cve,2015-0072; reference:cve,2016-0005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-018; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-001; classtype:attempted-user; sid:33288; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt"; flow:to_client,established; file_data; content:"<iframe"; nocase; content:"src"; within:150; nocase; content:".php"; within:50; nocase; content:"<iframe"; within:200; nocase; content:"src"; within:150; nocase; content:"http"; within:50; nocase; content:"<script"; distance:0; nocase; content:"top"; within:100; content:".location="; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0072; reference:cve,2016-0005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-018; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-001; classtype:attempted-user; sid:33287; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CMarkupTransNavContext object use after free attempt"; flow:to_server,established; file_data; content:"onload"; content:".focus"; content:"history.go(0)"; fast_pattern:only; content:"onbeforeeditfocus"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0031; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33428; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CMarkupTransNavContext object use after free attempt"; flow:to_client,established; file_data; content:"onload"; content:".focus"; content:"history.go(0)"; fast_pattern:only; content:"onbeforeeditfocus"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0031; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33427; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt"; flow:to_server,established; file_data; content:"onload"; nocase; content:"document.write"; within:25; nocase; content:"<embed></embed>"; within:25; fast_pattern; nocase; pcre:"/onload\s*?=[^>]*?document\.write\s*?\x28\s*?[\x22\x27]{2}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0018; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33426; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt"; flow:to_client,established; file_data; content:"onload"; nocase; content:"document.write"; within:25; nocase; content:"<embed></embed>"; within:25; fast_pattern; nocase; pcre:"/onload\s*?=[^>]*?document\.write\s*?\x28\s*?[\x22\x27]{2}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0018; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33425; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CHeaderElement object use after free attempt"; flow:to_server,established; file_data; content:"display:block|3B|"; nocase; content:"<iframe></iframe>"; within:200; nocase; content:"onload"; within:400; nocase; content:".contentDocument"; within:200; nocase; content:"insertRule(' * {display: run-in|3B|}')|3B|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-8967; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33424; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHeaderElement object use after free attempt"; flow:to_client,established; file_data; content:"display:block|3B|"; nocase; content:"<iframe></iframe>"; within:200; nocase; content:"onload"; within:400; nocase; content:".contentDocument"; within:200; nocase; content:"insertRule(' * {display: run-in|3B|}')|3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-8967; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33423; rev:2;)
# Enabled (drop in balanced/security/max-detect). Two of the three content
# matches ("payload += " and "i<0x50000") are literal tokens from one
# proof-of-concept script rather than anything intrinsic to CVE-2015-0037, so a
# renamed variable or a different loop bound evades this sid; only the
# execCommand("Outdent") call is tied to the technique. The matches carry no
# within/distance constraints, so they may occur anywhere in the file_data
# buffer in this order. HTTP-only: there is no SMTP / $FILE_DATA_PORTS sibling.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer memory leak exploit attempt"; flow:to_client,established; file_data; content:"payload += "; content:"i<0x50000"; content:"document.execCommand(|22|Outdent|22|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-0037; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33422; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreeDataPos use-after-free remote code execution attempt"; flow:established,to_client; file_data; content:"document.createRange()"; content:"document.createDocumentFragment()"; within:100; content:"appendChild("; within:100; content:".selectNodeContents("; within:150; content:".replaceNode("; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-0041; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33421; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt"; flow:to_server,established; file_data; content:"document.createElement(|22|cite|22|)"; fast_pattern:only; content:".applyElement"; content:"try"; within:200; content:".scrollIntoView(false)"; within:200; content:".execCommand(|22|SelectAll|22|)"; within:200; content:".removeNode"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0068; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33420; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt"; flow:to_client,established; file_data; content:"document.createElement(|22|cite|22|)"; fast_pattern:only; content:".applyElement"; content:"try"; within:200; content:".scrollIntoView(false)"; within:200; content:".execCommand(|22|SelectAll|22|)"; within:200; content:".removeNode"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0068; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33419; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CGenericElement use after free attempt"; flow:established,to_server; file_data; content:"selection.createRange().scrollIntoView(true)"; fast_pattern; content:".createElement(|22|frameset|22|)"; content:"CollectGarbage()"; content:"|3C|v|3A|oval"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0017; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33418; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CGenericElement use after free attempt"; flow:established,to_client; file_data; content:"selection.createRange().scrollIntoView(true)"; fast_pattern; content:".createElement(|22|frameset|22|)"; content:"CollectGarbage()"; content:"|3C|v|3A|oval"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0017; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33417; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CLineCore use after free attempt"; flow:to_server,established; file_data; content:".runtimeStyle.position"; nocase; content:".parentNode"; within:75; nocase; content:".parentNode.removeNode"; within:75; nocase; content:".appendChild"; within:75; nocase; pcre:"/(?P<ref>\w+)\s*?=\s*?(?P<obj>\w+)\x2eparentNode.*?(?P=obj)\x2eparentNode\x2eremoveNode.*?(?P=obj)\x2eappendChild\s*?\x28\s*?(?P=ref)/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33416; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CLineCore use after free attempt"; flow:to_client,established; file_data; content:".runtimeStyle.position"; nocase; content:".parentNode"; within:75; nocase; content:".parentNode.removeNode"; within:75; nocase; content:".appendChild"; within:75; nocase; pcre:"/(?P<ref>\w+)\s*?=\s*?(?P<obj>\w+)\x2eparentNode.*?(?P=obj)\x2eparentNode\x2eremoveNode.*?(?P=obj)\x2eappendChild\s*?\x28\s*?(?P=ref)/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33415; rev:2;)
# Disabled by default. NOTE(review): the msg reads "unitialized" (sic); same
# typo in sid 33413 below. Fixing the spelling alters the alert text and needs a
# rev bump. In the pcre the first "document.createElement" has an unescaped
# dot while the second is written "document\.createElement"; functionally the
# unescaped dot also matches the literal '.', so this is a consistency nit, not
# a false-negative. The two "(\w*)" captures may match empty strings, which
# loosens the \1.appendChild(\2) back-reference check more than intended.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer unitialized memory access attempt"; flow:to_server,established; file_data; content:"div:first-line"; content:"background:"; within:50; content:"margin"; distance:0; content:"document.createElement(|27|div|27|)"; content:"document.createElement(|27|a|27|)"; fast_pattern:only; content:"appendChild"; content:"appendChild"; distance:0; pcre:"/(\w*)\s*=\s*document.createElement\(\'div\'\).*?(\w*)\s*=\s*document\.createElement\(\'a\'\).*?\1\.appendChild\(\2\)/smi"; metadata:service smtp; reference:cve,2015-0051; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33414; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer unitialized memory access attempt"; flow:to_client,established; file_data; content:"div:first-line"; content:"background:"; within:50; content:"margin"; distance:0; content:"document.createElement(|27|div|27|)"; content:"document.createElement(|27|a|27|)"; fast_pattern:only; content:"appendChild"; content:"appendChild"; distance:0; pcre:"/(\w*)\s*=\s*document.createElement\(\'div\'\).*?(\w*)\s*=\s*document\.createElement\(\'a\'\).*?\1\.appendChild\(\2\)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0051; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33413; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer style type confusion remote code execution attempt"; flow:established,to_client; file_data; content:"setTimeout(function()"; content:".setAttribute(|27|class|27|"; within:75; content:"setTimeout("; within:75; content:".removeAttribute(|27|class|27|)"; within:75; content:"location.reload()"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-0052; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33412; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CMapElement use-after-free attempt"; flow:to_server,established; file_data; content:".addEventListener|28 22|readystatechange|22|, onReadyStateChangeCallback"; fast_pattern:only; content:".createElement|28 22|oContainer|22 29|"; nocase; content:".createElement|28 22|map|22 29|"; within:100; nocase; content:".createElement|28 22|applet|22 29|"; within:100; nocase; content:".createElement|28 22|map|22 29|"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33366; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CMapElement use-after-free attempt"; flow:to_client,established; file_data; content:".addEventListener|28 22|readystatechange|22|, onReadyStateChangeCallback"; fast_pattern:only; content:".createElement|28 22|oContainer|22 29|"; nocase; content:".createElement|28 22|map|22 29|"; within:100; nocase; content:".createElement|28 22|applet|22 29|"; within:100; nocase; content:".createElement|28 22|map|22 29|"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33365; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CCharFormat use-after-free attempt"; flow:to_client,established; file_data; content:"document.body.createTextRange("; content:"|22|onpropertychange|22|"; distance:0; content:"moveToElementText"; distance:0; content:"execCommand("; distance:0; content:".select("; distance:0; content:".innerText"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-admin; sid:33361; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer svg use after free attempt"; flow:to_server,established; file_data; content:"altGlyph"; content:"marker"; within:50; content:"switch"; within:100; content:"marker-start"; within:50; content:"marker-mid"; within:100; content:"InsertOrderedList"; distance:0; content:"getElementsByTagNameNS"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0042; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33360; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer svg use after free attempt"; flow:to_client,established; file_data; content:"altGlyph"; content:"marker"; within:50; content:"switch"; within:100; content:"marker-start"; within:50; content:"marker-mid"; within:100; content:"InsertOrderedList"; distance:0; content:"getElementsByTagNameNS"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0042; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33359; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SLayoutRun use-after-free attempt"; flow:to_client,established; file_data; content:"setTimeout|28|"; content:".setAttribute"; within:200; content:"setTimeout|28|"; within:200; content:"document.write"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33358; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode object used after free attempt"; flow:to_server,established; file_data; content:"<ruby>"; content:"getElementsByTagName(|22|li|22|"; fast_pattern; nocase; content:"innerText"; within:50; content:"ruby"; content:"removeNode"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33357; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode object used after free attempt"; flow:to_client,established; file_data; content:"<ruby>"; content:"getElementsByTagName(|22|li|22|"; fast_pattern; nocase; content:"innerText"; within:50; content:"ruby"; content:"removeNode"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33356; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CAttrArray object used after free attempt"; flow:to_server,established; file_data; content:".execCommand|28 27|Delete|27 29|"; fast_pattern:only; content:"document.body.createTextRange"; content:"root.removeChild(root.firstChild)"; pcre:"/var\s*([\d\w]*)\s*=\s*document\.body\.createTextRange.*?\1\.execCommand\(\'Delete\'\)/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33354; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CAttrArray object used after free attempt"; flow:to_client,established; file_data; content:".execCommand|28 27|Delete|27 29|"; fast_pattern:only; content:"document.body.createTextRange"; content:"root.removeChild(root.firstChild)"; pcre:"/var\s*([\d\w]*)\s*=\s*document\.body\.createTextRange.*?\1\.execCommand\(\'Delete\'\)/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33353; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer 9 error handler XSS exploit attempt"; flow:to_server,established; content:"onerror=eval"; http_uri; content:"throw"; distance:1; http_uri; metadata:service http; reference:cve,2015-0070; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33352; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer dximagetransform.microsoft.shadow out of bounds array access attempt"; flow:to_server,established; file_data; content:"dximagetransform.microsoft.shadow"; nocase; content:"direction"; distance:0; nocase; pcre:"/dximagetransform\.microsoft\.shadow\x28[^\x29]*?direction\s*?=\s*?\d{10}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0036; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33349; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer dximagetransform.microsoft.shadow out of bounds array access attempt"; flow:to_client,established; file_data; content:"dximagetransform.microsoft.shadow"; nocase; content:"direction"; distance:0; nocase; pcre:"/dximagetransform\.microsoft\.shadow\x28[^\x29]*?direction\s*?=\s*?\d{10}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0036; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33348; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos use-after-free attempt"; flow:to_client,established; file_data; content:".style.whiteSpace"; content:"pre"; within:20; content:".offsetWidth"; within:200; content:"document.body.createTextRange|28 29|"; within:200; fast_pattern; content:"CollectGarbage|28 29|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-0021; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33347; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CBatchParentUndoUnit object use after free attempt"; flow:to_server,established; file_data; content:"var documentFragment = id_2000.extractContents()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0030; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33346; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CBatchParentUndoUnit object use after free attempt"; flow:to_client,established; file_data; content:"var documentFragment = id_2000.extractContents()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0030; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33345; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CParaElement use after free attempt"; flow:to_server,established; file_data; content:".createTextRange("; fast_pattern; nocase; content:".onresize"; within:100; nocase; content:"function"; within:20; nocase; content:".execCommand"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33341; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CParaElement use after free attempt"; flow:to_client,established; file_data; content:".createTextRange("; fast_pattern; nocase; content:".onresize"; within:100; nocase; content:"function"; within:20; nocase; content:".execCommand"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33340; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt"; flow:to_server,established; file_data; content:".runtimeStyle"; content:".left"; within:100; content:"auto"; within:20; nocase; content:"posLeft"; distance:0; content:"NaN"; within:15; content:"window.x"; within:50; metadata:service smtp; reference:cve,2015-0053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33338; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt"; flow:to_client,established; file_data; content:".runtimeStyle"; content:".left"; within:100; content:"auto"; within:20; nocase; content:"posLeft"; distance:0; content:"NaN"; within:15; content:"window.x"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33337; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer ActiveX type confusion attempt"; flow:to_server,established; file_data; content:"884E2049-217D-11DA-B2A4-000E7BBB2B09"; fast_pattern:only; content:"document.body.swapNode"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33336; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer ActiveX type confusion attempt"; flow:to_client,established; file_data; content:"884E2049-217D-11DA-B2A4-000E7BBB2B09"; fast_pattern:only; content:"document.body.swapNode"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33335; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Hyphenator object use after free attempt"; flow:to_server,established; file_data; content:".getElementsByTagName("; nocase; content:"html"; within:50; nocase; content:"columnWidth"; within:250; nocase; content:"msHyphens"; within:250; nocase; content:"auto"; within:50; nocase; content:"outlineStyle"; within:250; nocase; content:".replaceAdjacentText("; fast_pattern; nocase; content:"afterBegin"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33334; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Hyphenator object use after free attempt"; flow:to_client,established; file_data; content:".getElementsByTagName("; nocase; content:"html"; within:50; nocase; content:"columnWidth"; within:250; nocase; content:"msHyphens"; within:250; nocase; content:"auto"; within:50; nocase; content:"outlineStyle"; within:250; nocase; content:".replaceAdjacentText("; fast_pattern; nocase; content:"afterBegin"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33333; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditorProxy use after free attempt"; flow:to_server,established; file_data; content:"window.open("; nocase; content:".designMode"; nocase; content:"on"; within:20; nocase; content:".execCommand("; within:250; nocase; content:"InsertFieldset"; within:20; fast_pattern; nocase; content:".execCommand("; within:250; nocase; content:"delete"; within:20; nocase; content:".designMode"; within:250; nocase; content:"off"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0049; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33332; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditorProxy use after free attempt"; flow:to_client,established; file_data; content:"window.open("; nocase; content:".designMode"; nocase; content:"on"; within:20; nocase; content:".execCommand("; within:250; nocase; content:"InsertFieldset"; within:20; fast_pattern; nocase; content:".execCommand("; within:250; nocase; content:"delete"; within:20; nocase; content:".designMode"; within:250; nocase; content:"off"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0049; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33331; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CFormElement use after free attempt"; flow:to_server,established; file_data; content:".createElement("; nocase; content:"form"; within:20; nocase; content:".appendChild("; within:100; nocase; content:".createElement("; within:200; nocase; content:".appendChild("; within:100; nocase; content:"null"; nocase; content:".body.innerHTML"; within:50; nocase; content:"CollectGarbage("; within:50; fast_pattern; nocase; content:"document.write("; within:250; nocase; pcre:"/null[^\x7d]{0,50}\.body\.innerHTML\s*?\x3d\s*?[\x22\x27]{2}[^\x7d]{0,50}CollectGarbage\x28\s*?\x29[^\x7d]{0,250}document\.write\x28\s*?[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33325; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CFormElement use after free attempt"; flow:to_client,established; file_data; content:".createElement("; nocase; content:"form"; within:20; nocase; content:".appendChild("; within:100; nocase; content:".createElement("; within:200; nocase; content:".appendChild("; within:100; nocase; content:"null"; nocase; content:".body.innerHTML"; within:50; nocase; content:"CollectGarbage("; within:50; fast_pattern; nocase; content:"document.write("; within:250; nocase; pcre:"/null[^\x7d]{0,50}\.body\.innerHTML\s*?\x3d\s*?[\x22\x27]{2}[^\x7d]{0,50}CollectGarbage\x28\s*?\x29[^\x7d]{0,250}document\.write\x28\s*?[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33324; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer uninitialized pointer use exploit attempt"; flow:to_client,established; file_data; content:"document.getElementById("; content:".recordset"; within:36; distance:4; content:"document.getElementById("; distance:0; content:".DataSource"; distance:0; pcre:"/(?<RS>\w+)\s?=\s?document\x2egetElementById\x28[\x22\x27]\w+[\x22\x27]\x29\x2erecordset.*(?<OBJ>\w+)\s?=\s?document.getElementById\x28[\x22\x27]\w+[\x22\x27]\x29.*\k<RS>.DataSource\s?=\s?\k<OBJ>/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0067; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-admin; sid:33323; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt"; flow:to_server,established; file_data; content:"|68 18 4A 02 10 E8 5C FE FF FF 83 C4 0C 85 FF 78 05 8B 7D E8 EB 02 33 FF C7 45 FC FF FF FF FF 85|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-0055; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:policy-violation; sid:33322; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt"; flow:to_server,established; file_data; content:"|08 E8 32 07 00 00 83 C0 20 50 E8 64 09 00 00 8B F8 89 7D E4 E8 1F 07 00 00 83 C0 20 50 56 E8 F1|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,64120; reference:cve,2013-5046; reference:cve,2015-0055; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:policy-violation; sid:33321; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt"; flow:to_client,established; file_data; content:"|68 18 4A 02 10 E8 5C FE FF FF 83 C4 0C 85 FF 78 05 8B 7D E8 EB 02 33 FF C7 45 FC FF FF FF FF 85|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0055; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:policy-violation; sid:33320; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt"; flow:to_client,established; file_data; content:"|08 E8 32 07 00 00 83 C0 20 50 E8 64 09 00 00 8B F8 89 7D E4 E8 1F 07 00 00 83 C0 20 50 56 E8 F1|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,64120; reference:cve,2013-5046; reference:cve,2015-0055; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:policy-violation; sid:33319; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free attempt"; flow:to_server,established; file_data; content:".execCommand"; nocase; content:"insertOrderedList"; within:50; fast_pattern; nocase; content:".attachEvent"; nocase; content:"onpropertychange"; within:50; nocase; content:"noframes"; nocase; content:"iframe"; nocase; pcre:"/(?P<obj>\w+)\s*?=\s*?document\.body\.createtextrange.*?(?P=obj)\.execCommand\s*?\x28\s*?[\x22\x27]\s*?insertOrderedList/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33318; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free attempt"; flow:to_client,established; file_data; content:".execCommand"; nocase; content:"insertOrderedList"; within:50; fast_pattern; nocase; content:".attachEvent"; nocase; content:"onpropertychange"; within:50; nocase; content:"noframes"; nocase; content:"iframe"; nocase; pcre:"/(?P<obj>\w+)\s*?=\s*?document\.body\.createtextrange.*?(?P=obj)\.execCommand\s*?\x28\s*?[\x22\x27]\s*?insertOrderedList/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33317; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CElement use after free attempt"; flow:to_server,established; file_data; content:"ms-clearUndoStack"; fast_pattern:only; content:".setStartBefore"; nocase; content:".setEnd"; within:200; nocase; content:"InsertIFrame"; within:200; nocase; content:".scrollIntoView"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0035; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33316; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement use after free attempt"; flow:to_client,established; file_data; content:"ms-clearUndoStack"; fast_pattern:only; content:".setStartBefore"; nocase; content:".setEnd"; within:200; nocase; content:"InsertIFrame"; within:200; nocase; content:".scrollIntoView"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0035; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-009; classtype:attempted-user; sid:33315; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CGeneratedSvgTreeNode use-after-free attempt"; flow:to_client,established; file_data; content:"<svg>"; content:"<linearGradient"; distance:0; content:"|22|linearGradient|22|"; fast_pattern; content:".x1.baseVal"; within:25; distance:2; pcre:"/<linearGradient[^>]*>\s*<\x2flinearGradient>/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33314; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer InsertElementInternal out of bounds indexed array remote code execution attempt"; flow:to_server,established; file_data; content:".insertBefore(document.body)"; nocase; content:"createElement("; within:60; nocase; content:"TR"; within:5; nocase; content:"<body"; distance:0; nocase; content:"</body>"; within:60; nocase; pcre:"/insertBefore\(document\.body\)([^?]+createElement\([\x22\x27]TR[\x22\x27]\)\))+[^?]+<body[^?]+?<\/body>/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0044; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33313; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer InsertElementInternal out of bounds indexed array remote code execution attempt"; flow:to_client,established; file_data; content:".insertBefore(document.body)"; content:"createElement("; within:60; nocase; content:"TR"; within:5; nocase; content:"<body"; distance:0; nocase; content:"</body>"; within:60; nocase; pcre:"/insertBefore\(document\.body\)([^?]+createElement\([\x22\x27]TR[\x22\x27]\)\))+[^?]+<body[^?]+?<\/body>/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0044; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:33312; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt"; flow:to_client,established; file_data; content:"<br"; nocase; content:"<textarea"; within:75; fast_pattern; nocase; content:"</textarea"; within:15; nocase; content:".getElementByID"; distance:0; nocase; content:".className"; within:75; nocase; pcre:"/<style[^>]*?>[\r\n\s]+?\.(?P<class>\w+)[\r\n\s]*?\{[\r\n\s]*?zoom\x3a\s*?\d+px\x3b.*?<br\s[^>]*?id\s*?=\s*?[\x22\x27]?(?P<id>\w+)[\x22\x27]?[^>]*?>[^<]*?<textarea.*?document\.getElementById\s*?\(\s*?[\x22\x27]?(?P=id).*?\.className\s*?=\s*?[\x22\x27]?(?P=class)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:33495; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt"; flow:to_client,established; file_data; content:"<h3"; nocase; content:"<textarea"; within:75; fast_pattern; nocase; content:"</textarea"; within:15; nocase; content:".getElementByID"; distance:0; nocase; content:".className"; within:75; nocase; pcre:"/<style[^>]*?>[\r\n\s]+?\.(?P<class>\w+)[\r\n\s]*?\{[\r\n\s]*?zoom\x3a\s*?\d+px\x3b.*?<h3\s[^>]*?id\s*?=\s*?[\x22\x27]?(?P<id>\w+)[\x22\x27]?[^>]*?>[^<]*?<textarea.*?document\.getElementById\s*?\(\s*?[\x22\x27]?(?P=id).*?\.className\s*?=\s*?[\x22\x27]?(?P=class)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:33494; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt"; flow:to_client,established; file_data; content:"<h2"; nocase; content:"<textarea"; within:75; fast_pattern; nocase; content:"</textarea"; within:15; nocase; content:".getElementByID"; distance:0; nocase; content:".className"; within:75; nocase; pcre:"/<style[^>]*?>[\r\n\s]+?\.(?P<class>\w+)[\r\n\s]*?\{[\r\n\s]*?zoom\x3a\s*?\d+px\x3b.*?<h2\s[^>]*?id\s*?=\s*?[\x22\x27]?(?P<id>\w+)[\x22\x27]?[^>]*?>[^<]*?<textarea.*?document\.getElementById\s*?\(\s*?[\x22\x27]?(?P=id).*?\.className\s*?=\s*?[\x22\x27]?(?P=class)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:33493; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt"; flow:to_client,established; file_data; content:"<textarea"; fast_pattern; nocase; content:"</textarea"; within:15; nocase; content:".getElementByID"; distance:0; nocase; content:".className"; within:75; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0075; reference:cve,2009-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:33492; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableLayout memory corruption attempt"; flow:to_server,established; file_data; content:"CollectGarbage"; fast_pattern:only; content:"document.getElementById"; nocase; content:".innerHTML"; within:50; content:".onpropertychange"; nocase; content:"<table"; nocase; content:"<col"; within:15; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,37891; reference:cve,2010-0244; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:33570; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableLayout memory corruption attempt"; flow:to_client,established; file_data; content:"CollectGarbage"; fast_pattern:only; content:"document.getElementById"; nocase; content:".innerHTML"; within:50; content:".onpropertychange"; nocase; content:"<table"; nocase; content:"<col"; within:15; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37891; reference:cve,2010-0244; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:33569; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt"; flow:to_server,established; file_data; content:".runtimeStyle.posWidth"; content:"(|7E 7E|"; within:10; content:".focus()"; within:20; metadata:service smtp; reference:cve,2013-3882; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-080; classtype:attempted-user; sid:33606; rev:2;)
# sid:33605 — file-data-port twin of sid:33606; commented out.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt"; flow:to_client,established; file_data; content:".runtimeStyle.posWidth"; content:"(|7E 7E|"; within:10; content:".focus()"; within:20; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3882; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-080; classtype:attempted-user; sid:33605; rev:2;)
# sid:33639 — SMTP twin of sid:33638; commented out. APPLET/HSPACE/file: denial-of-service pattern, bugtraq 15208; classtype attempted-dos. No CVE reference on this rule.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Java applet denial of service attempt"; flow:to_server,established; file_data; content:"<APPLET"; nocase; content:"HSPACE"; within:50; nocase; content:"file:"; within:10; nocase; metadata:service smtp; reference:bugtraq,15208; classtype:attempted-dos; sid:33639; rev:1;)
# sid:33638 — file-data-port twin of sid:33639; commented out.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Java applet denial of service attempt"; flow:to_client,established; file_data; content:"<APPLET"; nocase; content:"HSPACE"; within:50; nocase; content:"file:"; within:10; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,15208; classtype:attempted-dos; sid:33638; rev:1;)
# sid:33764 — SMTP twin of sid:33763; commented out (max-detect/security policies only). CVE-2015-1634 / MS15-018.
# NOTE(review): msg text is identical to sid:33739/33738 (CVE-2015-1626), so alerts from the two pairs are told apart only by sid/reference.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 CInputContext object use after free attempt"; flow:to_server,established; file_data; content:"createTextRange"; content:"execCommand"; within:50; nocase; content:"JustifyRight"; within:20; nocase; content:"null"; within:10; nocase; content:"true"; within:10; nocase; content:"execCommand"; within:30; nocase; content:"copy"; within:10; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1634; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:33764; rev:2;)
# sid:33763 — file-data-port twin of sid:33764; commented out. Shares its msg text with sid:33738 (CVE-2015-1626).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 CInputContext object use after free attempt"; flow:to_client,established; file_data; content:"createTextRange"; content:"execCommand"; within:50; nocase; content:"JustifyRight"; within:20; nocase; content:"null"; within:10; nocase; content:"true"; within:10; nocase; content:"execCommand"; within:30; nocase; content:"copy"; within:10; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1634; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:33763; rev:2;)
# sid:33744 — SMTP twin of sid:33743; active (drop in balanced/security/max-detect policies). CVE-2015-1625 / MS15-018.
# Anchors on X-UA-Compatible with IE=5 within 30 bytes, then the swapNode/mergeAttributes sequence.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer table cell out-of-bounds access attempt"; flow:to_server,established; file_data; content:"X-UA-Compatible"; fast_pattern; content:"IE=5"; within:30; content:".swapNode"; nocase; content:".mergeAttributes"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1625; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:33744; rev:2;)
# sid:33743 — file-data-port twin of sid:33744; active in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer table cell out-of-bounds access attempt"; flow:to_client,established; file_data; content:"X-UA-Compatible"; fast_pattern; content:"IE=5"; within:30; content:".swapNode"; nocase; content:".mergeAttributes"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1625; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:33743; rev:2;)
# sid:33742 — SMTP twin of sid:33741; active. CVE-2015-0100 / MS15-018.
# Requires .onfocusout plus three .setActive occurrences, the second and third each within 40 bytes of the previous one.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use-after-free attempt"; flow:to_server,established; file_data; content:".onfocusout"; nocase; content:".setActive"; fast_pattern; nocase; content:".setActive"; within:40; nocase; content:".setActive"; within:40; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0100; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:33742; rev:2;)
# sid:33741 — file-data-port twin of sid:33742; active.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use-after-free attempt"; flow:to_client,established; file_data; content:".onfocusout"; nocase; content:".setActive"; fast_pattern; nocase; content:".setActive"; within:40; nocase; content:".setActive"; within:40; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0100; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:33741; rev:2;)
# sid:33739 — SMTP twin of sid:33738; commented out (max-detect/security policies only). CVE-2015-1626 / MS15-018.
# Same msg text as sid:33764/33763 (CVE-2015-1634); distinguish by sid.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 CInputContext object use after free attempt"; flow:to_server,established; file_data; content:".removeNode"; nocase; content:"contentEditable"; nocase; content:".onfocusin"; within:70; nocase; content:"createElement"; nocase; content:"SELECT"; within:30; nocase; content:".autofocus"; within:50; nocase; content:"true"; within:20; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1626; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:33739; rev:2;)
# sid:33738 — file-data-port twin of sid:33739; commented out.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 CInputContext object use after free attempt"; flow:to_client,established; file_data; content:".removeNode"; nocase; content:"contentEditable"; nocase; content:".onfocusin"; within:70; nocase; content:"createElement"; nocase; content:"SELECT"; within:30; nocase; content:".autofocus"; within:50; nocase; content:"true"; within:20; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1626; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:33738; rev:2;)
# sid:33737 — SMTP twin of sid:33736; active. CVE-2015-1624 / MS15-018.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use after free attempt"; flow:to_server,established; file_data; content:".getElementsByTagName"; content:".innerText"; within:50; content:".execCommand"; within:100; content:"selectAll"; within:20; content:".innerHTML"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1624; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-018; classtype:attempted-user; sid:33737; rev:2;)
# sid:33736 — file-data-port twin of sid:33737; active.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use after free attempt"; flow:to_client,established; file_data; content:".getElementsByTagName"; content:".innerText"; within:50; content:".execCommand"; within:100; content:"selectAll"; within:20; content:".innerHTML"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1624; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-018; classtype:attempted-user; sid:33736; rev:2;)
# sid:33731 — SMTP twin of sid:33730; active. CVE-2015-0099 / MS15-018. Matches CSS key-frame/cursor/opacity tokens.
# Msg text is shared with sid:33776/33775 (CVE-2015-0081, MS15-020); distinguish by sid.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds array access attempt"; flow:to_server,established; file_data; content:"key-frame"; fast_pattern; nocase; content:"from"; within:200; nocase; content:"cursor"; within:200; nocase; content:"url()"; within:200; nocase; content:"auto"; within:50; nocase; content:"opacity:"; nocase; content:"inherit"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-018; classtype:attempted-user; sid:33731; rev:2;)
# sid:33730 — file-data-port twin of sid:33731; active.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds array access attempt"; flow:to_client,established; file_data; content:"key-frame"; fast_pattern; nocase; content:"from"; within:200; nocase; content:"cursor"; within:200; nocase; content:"url()"; within:200; nocase; content:"auto"; within:50; nocase; content:"opacity:"; nocase; content:"inherit"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-018; classtype:attempted-user; sid:33730; rev:2;)
# sid:33727 — SMTP twin of sid:33726; active. CVE-2015-1623 / MS15-018.
# NOTE(review): unlike sid:33726, content:".replaceNode" here carries no nocase, so this variant is case-sensitive for that
# token while every other dotted method in the rule is nocase; likely unintended — align with the counterpart on the next revision.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt"; flow:to_server,established; file_data; content:".createDocumentFragment"; nocase; content:".createDocumentFragment"; within:500; nocase; content:".createDocumentFragment"; within:500; nocase; content:"MutationObserver"; fast_pattern:only; content:".replaceNode"; content:".adoptNode"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1623; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:33727; rev:2;)
# sid:33726 — file-data-port twin of sid:33727; active. All dotted-method contents are nocase here (the SMTP twin omits nocase on .replaceNode).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt"; flow:to_client,established; file_data; content:".createDocumentFragment"; nocase; content:".createDocumentFragment"; within:500; nocase; content:".createDocumentFragment"; within:500; nocase; content:"MutationObserver"; fast_pattern:only; content:".replaceNode"; nocase; content:".adoptNode"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1623; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:33726; rev:2;)
# sid:33721 — SMTP twin of sid:33720; commented out (no IPS policy metadata). CVE-2015-1627 / MS15-018.
# Matches a fixed byte sequence in an executable; depends on flowbits file.exe being set by a rule outside this section.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|6A 19 53 FF 15 08 10 41 00 85 C0 74 17 FF 37 FF 15 0C 10 41 00 0F B6 00 48 50 FF 37 FF 15 10 10|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1627; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-018; classtype:attempted-user; sid:33721; rev:2;)
# sid:33720 — file-data-port twin of sid:33721; commented out; same flowbits file.exe dependency.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 19 53 FF 15 08 10 41 00 85 C0 74 17 FF 37 FF 15 0C 10 41 00 0F B6 00 48 50 FF 37 FF 15 10 10|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1627; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-018; classtype:attempted-user; sid:33720; rev:2;)
# sid:33719 — SMTP twin of sid:33718; active, rev 3. CVE-2015-1622 / MS15-018.
# NOTE(review): the pcre's leading .*? between appendChild and .id is unbounded (the later gaps are capped at .{0,200}?), and the
# /s flag lets it span newlines; consider a bound to limit backtracking on large file_data buffers — verify against the original
# test captures before changing.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode interpreted as CGeneratedTreeNode remote code execution attempt"; flow:established,to_server; file_data; content:"list-item"; nocase; content:"|3A|after"; within:50; nocase; content:"content|3A|"; within:30; nocase; content:".appendChild"; within:300; nocase; content:".id"; within:100; nocase; pcre:"/\x2eappendChild.*?\x2eid.{0,200}?(offset|client)(Height|Left|Parent|Top|Width).{0,200}?(offset|client)(Height|Left|Parent|Top|Width)/is"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1622; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:33719; rev:3;)
# sid:33718 — file-data-port twin of sid:33719; active. Same pcre, same unbounded leading .*? between appendChild and .id.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode interpreted as CGeneratedTreeNode remote code execution attempt"; flow:established,to_client; file_data; content:"list-item"; nocase; content:"|3A|after"; within:50; nocase; content:"content|3A|"; within:30; nocase; content:".appendChild"; within:300; nocase; content:".id"; within:100; nocase; pcre:"/\x2eappendChild.*?\x2eid.{0,200}?(offset|client)(Height|Left|Parent|Top|Width).{0,200}?(offset|client)(Height|Left|Parent|Top|Width)/is"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1622; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:33718; rev:3;)
# sid:33710 — SMTP twin of sid:33709; commented out (max-detect/security policies only). CVE-2015-0032 / MS15-018.
# The pcre ties the two ReDim references and the Filter( argument to one array name via the named group (?P<array>).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript array element use after free attempt"; flow:to_server,established; file_data; content:"Execute "; nocase; content:"ReDim "; within:7; nocase; content:"ReDim "; within:100; nocase; content:"Filter("; within:80; fast_pattern; nocase; pcre:"/Execute\s[\x22\x27]ReDim\s(?P<array>\w+)\([\w\x2c]+\)[^>]*?ReDim\s(?P=array)[^>]*?(?P=array)[^>]*?Filter\((?P=array)/sm"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0032; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:33710; rev:2;)
# sid:33709 — file-data-port twin of sid:33710; commented out.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript array element use after free attempt"; flow:to_client,established; file_data; content:"Execute "; nocase; content:"ReDim "; within:7; nocase; content:"ReDim "; within:100; nocase; content:"Filter("; within:80; fast_pattern; nocase; pcre:"/Execute\s[\x22\x27]ReDim\s(?P<array>\w+)\([\w\x2c]+\)[^>]*?ReDim\s(?P=array)[^>]*?(?P=array)[^>]*?Filter\((?P=array)/sm"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0032; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:33709; rev:2;)
# sid:33708 — SMTP twin of sid:33707; active. CVE-2015-0056 / MS15-018.
# Single exact-string match on one property chain (fast_pattern:only, no pcre), so coverage is narrow — TODO confirm this is intended.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"['lastChild']['parentNode']['firstChild']['parentNode'].cloneNode"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0056; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-018; classtype:attempted-user; sid:33708; rev:2;)
# sid:33707 — file-data-port twin of sid:33708; active.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"['lastChild']['parentNode']['firstChild']['parentNode'].cloneNode"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0056; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-018; classtype:attempted-user; sid:33707; rev:2;)
# sid:33776 — SMTP twin of sid:33775; active, rev 4. CVE-2015-0081 / MS15-020.
# Msg text is shared with sid:33731/33730 (CVE-2015-0099); distinguish by sid.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds array access attempt"; flow:to_server,established; file_data; content:".insertAdjacentElement"; nocase; content:"afterbegin"; within:25; nocase; content:".selectAllChildren"; within:100; nocase; content:".insertAdjacentElement"; within:100; nocase; content:"beforebegin"; within:25; nocase; content:".push("; within:50; nocase; content:".push("; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0081; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-020; classtype:attempted-user; sid:33776; rev:4;)
# sid:33775 — file-data-port twin of sid:33776; active.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds array access attempt"; flow:to_client,established; file_data; content:".insertAdjacentElement"; nocase; content:"afterbegin"; within:25; nocase; content:".selectAllChildren"; within:100; nocase; content:".insertAdjacentElement"; within:100; nocase; content:"beforebegin"; within:25; nocase; content:".push("; within:50; nocase; content:".push("; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0081; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-020; classtype:attempted-user; sid:33775; rev:4;)
# sid:33898 — SMTP twin of sid:33897; commented out (no IPS policy metadata). CVE-2015-0072 and CVE-2016-0005 (MS15-018, MS16-001).
# Contents are generic markup tokens (<iframe, src, .php, http, <script, top[); presumably left disabled because of
# false-positive risk — confirm before enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt"; flow:to_server,established; file_data; content:"<iframe"; nocase; content:"src"; within:150; nocase; content:".php"; within:50; nocase; content:"<iframe"; within:200; nocase; content:"src"; within:150; nocase; content:"http"; within:50; nocase; content:"<script"; distance:0; nocase; content:"top["; within:50; metadata:service smtp; reference:cve,2015-0072; reference:cve,2016-0005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-018; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-001; classtype:attempted-user; sid:33898; rev:3;)
# sid:33897 — file-data-port twin of sid:33898; commented out.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt"; flow:to_client,established; file_data; content:"<iframe"; nocase; content:"src"; within:150; nocase; content:".php"; within:50; nocase; content:"<iframe"; within:200; nocase; content:"src"; within:150; nocase; content:"http"; within:50; nocase; content:"<script"; distance:0; nocase; content:"top["; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0072; reference:cve,2016-0005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-018; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-001; classtype:attempted-user; sid:33897; rev:3;)
# sid:33980 — SMTP twin of sid:33979; active. CVE-2014-6332 / MS14-064; classtype attempted-dos.
# Matches literal tokens (76723, wrhc, yarraym) that look sample-specific rather than describing the technique generally — TODO confirm coverage.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt"; flow:to_server,established; file_data; content:"76723"; content:"wrhc"; within:10; content:"wrhc"; within:20; content:"yarraym"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6332; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-064; classtype:attempted-dos; sid:33980; rev:2;)
# sid:33979 — file-data-port twin of sid:33980; active.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt"; flow:to_client,established; file_data; content:"76723"; content:"wrhc"; within:10; content:"wrhc"; within:20; content:"yarraym"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6332; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-064; classtype:attempted-dos; sid:33979; rev:2;)
# sid:34098 — SMTP twin of sid:34097; commented out (no IPS policy metadata). XML external parameter-entity (XXE) detection;
# references CVE-2015-1646 (MS15-039) plus CVE-2018-8527/8532/8533.
# NOTE(review): msg category is FILE-OTHER while every surrounding rule is BROWSER-IE; check whether it belongs in the file-other rule set.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Multiple products external entity injection attempt"; flow:to_server,established; file_data; content:"ENTITY %"; nocase; content:"ENTITY % "; within:100; nocase; content:"://"; within:30; content:".dtd"; distance:0; pcre:"/ENTITY \x25 \w+ (SYSTEM|PUBLIC).{0,10}(https?|file|ftp|php|expect|phar):\x2f\x2f.+?\x2edtd/i"; metadata:service smtp; reference:cve,2015-1646; reference:cve,2018-8527; reference:cve,2018-8532; reference:cve,2018-8533; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8532; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8533; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-039; classtype:attempted-admin; sid:34098; rev:5;)
# sid:34097 — file-data-port twin of sid:34098; commented out; same FILE-OTHER category mismatch with the surrounding BROWSER-IE rules.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Multiple products external entity injection attempt"; flow:to_client,established; file_data; content:"ENTITY %"; nocase; content:"ENTITY % "; within:100; nocase; content:"://"; within:30; content:".dtd"; distance:0; pcre:"/ENTITY \x25 \w+ (SYSTEM|PUBLIC).{0,10}(https?|file|ftp|php|expect|phar):\x2f\x2f.+?\x2edtd/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1646; reference:cve,2018-8527; reference:cve,2018-8532; reference:cve,2018-8533; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8532; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8533; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-039; classtype:attempted-admin; sid:34097; rev:5;)
# sid:34090 — SMTP twin of sid:34089; active. CVE-2015-1657 / MS15-032. fast_pattern:only on .normalize(); the two
# document.* contents after it carry no distance/within, so they are not positionally tied to the earlier matches.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer incorrect array element read information disclosure attempt"; flow:to_server,established; file_data; content:".insertBefore("; content:".createTextNode("; within:50; content:".childNodes"; within:50; content:".normalize()"; fast_pattern:only; content:"document.createElement("; content:"document.body.appendChild("; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1657; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34090; rev:2;)
# sid:34089 — file-data-port twin of sid:34090; active.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer incorrect array element read information disclosure attempt"; flow:to_client,established; file_data; content:".insertBefore("; content:".createTextNode("; within:50; content:".childNodes"; within:50; content:".normalize()"; fast_pattern:only; content:"document.createElement("; content:"document.body.appendChild("; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1657; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34089; rev:2;)
# sid:34085 — SMTP twin of sid:34084; active. CVE-2015-1652 / MS15-032.
# The fast_pattern:only literal (window.location.href=baseURL+"?refresh=, with |2B 22| for +") reads as taken from one
# sample; coverage beyond that sample is uncertain — TODO confirm.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDocument use after free attempt"; flow:established,to_server; file_data; content:"window.location.href=baseURL|2B 22|?refresh="; fast_pattern:only; content:"createEvent"; content:"FocusEvent"; within:20; content:"initEvent"; within:50; content:"focus"; within:20; content:"dispatchEvent"; within:75; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1652; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-032; classtype:attempted-user; sid:34085; rev:2;)
# sid:34084 — file-data-port twin of sid:34085; active.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDocument use after free attempt"; flow:established,to_client; file_data; content:"window.location.href=baseURL|2B 22|?refresh="; fast_pattern:only; content:"createEvent"; content:"FocusEvent"; within:20; content:"initEvent"; within:50; content:"focus"; within:20; content:"dispatchEvent"; within:75; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1652; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-032; classtype:attempted-user; sid:34084; rev:2;)
# sid:34077 — SMTP twin of sid:34076; active. CVE-2015-1659 / MS15-032.
# Four .appendChild then four .swapNode, each after the first within 100 bytes of the previous; the first .swapNode is distance:0 from the last .appendChild.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer append and swap use after free attempt"; flow:to_server,established; file_data; content:".appendChild"; content:".appendChild"; within:100; content:".appendChild"; within:100; content:".appendChild"; within:100; content:".swapNode"; distance:0; content:".swapNode"; within:100; content:".swapNode"; within:100; content:".swapNode"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1659; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-032; classtype:attempted-user; sid:34077; rev:2;)
# sid:34076 — file-data-port twin of sid:34077; active.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer append and swap use after free attempt"; flow:to_client,established; file_data; content:".appendChild"; content:".appendChild"; within:100; content:".appendChild"; within:100; content:".appendChild"; within:100; content:".swapNode"; distance:0; content:".swapNode"; within:100; content:".swapNode"; within:100; content:".swapNode"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1659; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-032; classtype:attempted-user; sid:34076; rev:2;)
# sid:34075 — SMTP twin of sid:34074; active, rev 3. CVE-2015-1665 / MS15-032.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt"; flow:to_server,established; file_data; content:".createTextRange"; fast_pattern:only; content:".moveToElementText"; nocase; content:".moveEnd"; within:500; nocase; content:".moveToElementText"; nocase; content:".getElementsByTagName"; within:500; nocase; content:".innerHTML"; nocase; content:":nth-child("; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1665; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-032; classtype:attempted-user; sid:34075; rev:3;)
# sid:34074 — file-data-port twin of sid:34075; active.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt"; flow:to_client,established; file_data; content:".createTextRange"; fast_pattern:only; content:".moveToElementText"; nocase; content:".moveEnd"; within:500; nocase; content:".moveToElementText"; nocase; content:".getElementsByTagName"; within:500; nocase; content:".innerHTML"; nocase; content:":nth-child("; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1665; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-032; classtype:attempted-user; sid:34074; rev:3;)
# sid:34073 — SMTP twin of sid:34072; active, rev 4. CVE-2015-1666 / MS15-032.
# Relies on the literal identifier mutationRecordsList, which may be sample-specific — TODO confirm coverage.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CMetaElement use after free attempt"; flow:established,to_server; file_data; content:"createRange()"; content:"MutationObserver"; within:200; content:".insertBefore"; content:"mutationRecordsList"; within:50; content:".observe(document"; within:200; content:".removeChild"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1666; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-032; classtype:attempted-user; sid:34073; rev:4;)
# sid:34072 — file-data-port twin of sid:34073; active.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CMetaElement use after free attempt"; flow:established,to_client; file_data; content:"createRange()"; content:"MutationObserver"; within:200; content:".insertBefore"; content:"mutationRecordsList"; within:50; content:".observe(document"; within:200; content:".removeChild"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1666; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-032; classtype:attempted-user; sid:34072; rev:4;)
# sid:34071 — SMTP twin of sid:34070; active, rev 3. CVE-2015-1668 / MS15-032; <circle> variant.
# Sibling SMTP rules sid:34212 (<use>) and sid:34211 (<text>) cover other child elements with the same remaining contents.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_server,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<circle"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34071; rev:3;)
# sid:34070 — file-data-port twin of sid:34071; active. No file-data-port twins of sid:34212/34211 are visible in this section.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_client,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<circle"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34070; rev:3;)
# sid:34069 — SMTP twin of sid:34068; commented out (no IPS policy metadata). CVE-2015-1661 / MS15-032.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 invalid array element read attempt"; flow:to_server,established; file_data; content:".toString"; content:"function"; within:13; content:"typeof("; within:50; content:".offsetLeft"; within:50; content:"createTextRange"; distance:0; content:".removeNode"; within:100; metadata:service smtp; reference:cve,2015-1661; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-032; classtype:attempted-user; sid:34069; rev:2;)
# sid:34068 — file-data-port twin of sid:34069; commented out.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 invalid array element read attempt"; flow:to_client,established; file_data; content:".toString"; content:"function"; within:13; content:"typeof("; within:50; content:".offsetLeft"; within:50; content:"createTextRange"; distance:0; content:".removeNode"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1661; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-032; classtype:attempted-user; sid:34068; rev:2;)
# sid:34065 — SMTP twin of sid:34064; commented out (policy max-detect-ips only), rev 4. CVE-2015-1667 / MS15-032.
# The pcre requires <table ... <colgroup ... <td or <th in order; the |27| bytes in the fast_pattern literal are single quotes.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt"; flow:to_server,established; file_data; content:"document.createElement(|27|frameset|27|)"; fast_pattern:only; content:".appendChild"; nocase; content:".innerHTML"; distance:0; nocase; content:"<table"; nocase; content:"<colgroup"; within:100; nocase; content:".style.quotes"; nocase; pcre:"/\x3ctable.{0,100}?\x3ccolgroup.+?\x3c(td|th)\x20/si"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-1667; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-032; classtype:attempted-user; sid:34065; rev:4;)
# sid:34064 — file-data-port twin of sid:34065; commented out.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt"; flow:to_client,established; file_data; content:"document.createElement(|27|frameset|27|)"; fast_pattern:only; content:".appendChild"; nocase; content:".innerHTML"; distance:0; nocase; content:"<table"; nocase; content:"<colgroup"; within:100; nocase; content:".style.quotes"; nocase; pcre:"/\x3ctable.{0,100}?\x3ccolgroup.+?\x3c(td|th)\x20/si"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1667; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-032; classtype:attempted-user; sid:34064; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CBodyElement use after free attempt"; flow:to_server,established; file_data; content:"onpropertychange"; nocase; content:"defaultView.focus"; within:40; nocase; content:"<strong></strong>"; within:100; nocase; content:"<strong></strong>"; within:40; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1660; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-032; classtype:attempted-user; sid:34060; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CBodyElement use after free attempt"; flow:to_client,established; file_data; content:"onpropertychange"; nocase; content:"defaultView.focus"; within:40; nocase; content:"<strong></strong>"; within:100; nocase; content:"<strong></strong>"; within:40; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1660; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-032; classtype:attempted-user; sid:34059; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_server,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<use"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34212; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_server,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<text"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34211; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_server,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<rect"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34210; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_server,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<polyline"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34209; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_server,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<polygon"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34208; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_server,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<path"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34207; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_server,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<line"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34206; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_server,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<image"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34205; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_server,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<ellipse"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34204; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_client,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<use"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34203; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_client,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<text"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34202; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_client,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<polyline"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34201; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_client,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<polygon"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34200; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_client,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<path"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34199; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_client,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<line"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34198; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_client,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<image"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34197; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_client,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<ellipse"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34196; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt"; flow:to_client,established; file_data; content:".baseVal.convertToSpecifiedUnits"; fast_pattern:only; content:"<svg"; content:"<rect"; distance:0; content:"<marker"; distance:0; content:"<marker"; distance:0; content:"document.createRange()"; content:".deleteContents()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1668; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-032; classtype:attempted-user; sid:34195; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt"; flow:to_client,established; file_data; content:"window"; content:"history"; within:15; content:"replaceState"; within:20; fast_pattern; content:"document"; nocase; content:"createElement"; within:20; nocase; content:"applet"; within:15; content:"appendChild"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-2804; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-037; classtype:attempted-user; sid:34321; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt"; flow:to_client,established; file_data; content:"window"; content:"history"; within:15; content:"pushState"; within:20; fast_pattern; content:"document"; nocase; content:"createElement"; within:20; nocase; content:"applet"; within:15; content:"appendChild"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-2804; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-037; classtype:attempted-user; sid:34320; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt"; flow:to_client,established; file_data; content:"contentEditable"; nocase; content:"true"; within:10; content:"onpagehide"; fast_pattern:only; content:".createTextRange"; content:".execCommand"; distance:0; content:"InsertInput"; content:"document.write"; within:25; content:"iframe"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-1795; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-035; classtype:attempted-user; sid:34299; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer TableGridBlock object use after free attempt"; flow:to_server,established; file_data; content:".setAttribute"; nocase; content:"null"; within:25; nocase; content:".style.lineheight"; within:100; nocase; content:"document.body.createTextRange"; within:100; nocase; content:".execCommand"; within:100; nocase; content:"InsertOrderedList"; within:25; nocase; content:".execCommand"; within:100; nocase; content:"formatBlock"; within:25; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1709; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-admin; sid:34445; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer TableGridBlock object use after free attempt"; flow:to_client,established; file_data; content:".setAttribute"; nocase; content:"null"; within:25; nocase; content:".style.lineheight"; within:100; nocase; content:"document.body.createTextRange"; within:100; nocase; content:".execCommand"; within:100; nocase; content:"InsertOrderedList"; within:25; nocase; content:".execCommand"; within:100; nocase; content:"formatBlock"; within:25; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1709; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-admin; sid:34444; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTitleElement use after free attempt"; flow:to_client,established; file_data; content:"document.adoptNode(document.getElementsByTagName"; content:"document.adoptNode(document.getElementsByTagName"; within:150; content:"document.adoptNode(document.getElementsByTagName"; within:150; content:"document.adoptNode(document.getElementsByTagName"; within:150; content:"document.all"; content:".swapNode(document.all"; within:60; content:".addEventListener"; content:"readystatechange"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1714; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34437; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTitleElement use after free attempt"; flow:to_server,established; file_data; content:"document.adoptNode(document.getElementsByTagName"; content:"document.adoptNode(document.getElementsByTagName"; within:150; content:"document.adoptNode(document.getElementsByTagName"; within:150; content:"document.adoptNode(document.getElementsByTagName"; within:150; content:"document.all"; content:".swapNode(document.all"; within:60; content:".addEventListener"; content:"readystatechange"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1714; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34436; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer TableGridBlock use after free attempt"; flow:to_server,established; file_data; content:".styleSheets[0].addRule"; fast_pattern:only; content:!"@import"; content:!"<link rel=|22|stylesheet"; content:".appendChild("; content:".appendChild("; within:50; content:".appendChild("; within:50; content:".swapNode("; content:".scrollLeft"; content:".createCaption("; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1658; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34433; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer TableGridBlock use after free attempt"; flow:to_client,established; file_data; content:".styleSheets[0].addRule"; fast_pattern:only; content:!"@import"; content:!"<link rel=|22|stylesheet"; content:".appendChild("; content:".appendChild("; within:50; content:".appendChild("; within:50; content:".swapNode("; content:".scrollLeft"; content:".createCaption("; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1658; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34432; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos object use after free attempt"; flow:to_server,established; file_data; content:"document.normalize"; fast_pattern:only; content:"<svg"; nocase; content:"onresize"; within:25; nocase; content:".createTextRange"; nocase; content:".execCommand"; within:50; nocase; content:"SelectAll"; within:25; nocase; content:".execCommand"; within:100; nocase; content:"Bold"; within:25; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1711; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-043; classtype:attempted-user; sid:34431; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos object use after free attempt"; flow:to_client,established; file_data; content:"document.normalize"; fast_pattern:only; content:"<svg"; nocase; content:"onresize"; within:25; nocase; content:".createTextRange"; nocase; content:".execCommand"; within:50; nocase; content:"SelectAll"; within:25; nocase; content:".execCommand"; within:100; nocase; content:"Bold"; within:25; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1711; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-043; classtype:attempted-user; sid:34430; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer compatibility mode use after free attempt"; flow:to_server,established; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; fast_pattern:only; content:"'InsertInputSubmit"; content:"AbsolutePosition"; within:50; content:"InsertIFrame"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1710; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34425; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer compatibility mode use after free attempt"; flow:to_client,established; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; fast_pattern:only; content:"'InsertInputSubmit"; content:"AbsolutePosition"; within:50; content:"InsertIFrame"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1710; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34424; rev:2;)
# NOTE(review): the to_client companion sid:34422 ends its content chain on `initEvent(` while this
# rule ends on `initEvent` (no opening parenthesis); the two are otherwise identical apart from
# direction and service. Confirm the difference is intended, otherwise the SMTP variant matches a
# slightly broader set of payloads than the file-data variant.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTitleElement object use-after-free attempt"; flow:to_server,established; file_data; content:"createDocumentFragment("; content:"MutationObserver"; within:750; content:"initEvent"; within:400; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1717; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-043; classtype:attempted-admin; sid:34423; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTitleElement object use-after-free attempt"; flow:to_client,established; file_data; content:"createDocumentFragment("; content:"MutationObserver"; within:750; content:"initEvent("; within:400; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1717; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-043; classtype:attempted-admin; sid:34422; rev:2;)
# NOTE(review): the only fast-pattern content here is the 4-byte `IE=7` (fast_pattern:only), so every
# file_data buffer containing that short string is handed to the full option evaluation of this rule;
# the same applies to the to_client companion sid:34420. Consider whether one of the longer literals
# in the chain (e.g. `createTextRange()` or `.scrollIntoView`) would make a more selective prefilter.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDispScroller object use-after-free attempt"; flow:to_server,established; file_data; content:"IE=7"; fast_pattern:only; content:"pixelWidth"; content:"1"; within:50; content:"overflowY"; within:150; content:"scroll"; within:50; content:"createTextRange()"; content:"InsertButton"; within:150; content:".scrollIntoView"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1718; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-043; classtype:attempted-admin; sid:34421; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDispScroller object use-after-free attempt"; flow:to_client,established; file_data; content:"IE=7"; fast_pattern:only; content:"pixelWidth"; content:"1"; within:50; content:"overflowY"; within:150; content:"scroll"; within:50; content:"createTextRange()"; content:"InsertButton"; within:150; content:".scrollIntoView"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1718; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-043; classtype:attempted-admin; sid:34420; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt"; flow:to_client,established; file_data; content:"<meta"; content:"http-equiv"; within:50; nocase; content:"X-UA-Compatible"; within:50; nocase; content:"IE="; within:20; content:"replaceChild"; content:"CollectGarbage"; fast_pattern:only; content:"contentEditable"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1705; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-043; classtype:attempted-admin; sid:34419; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt"; flow:to_server,established; file_data; content:"<meta"; content:"http-equiv"; within:50; nocase; content:"X-UA-Compatible"; within:50; nocase; content:"IE="; within:20; content:"replaceChild"; content:"CollectGarbage"; fast_pattern:only; content:"contentEditable"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1705; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-043; classtype:attempted-admin; sid:34418; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer dd element use after free attempt"; flow:to_server,established; file_data; content:".createElement"; content:"dd"; within:20; content:".createElement"; content:"input"; within:20; content:"attachEvent"; content:"onmove"; within:20; content:"listener"; within:50; content:"InsertSelectDropdown"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1691; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34417; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 compatibility mode enable attempt"; flow:established,to_client; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=8|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,blogs.msdn.com/b/askie/archive/2009/03/23/understanding-compatibility-modes-in-internet-explorer-8.aspx; classtype:policy-violation; sid:34416; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer dd element use after free attempt"; flow:to_client,established; file_data; content:".createElement"; content:"dd"; within:20; content:".createElement"; content:"input"; within:20; content:"attachEvent"; content:"onmove"; within:20; content:"listener"; within:50; content:"InsertSelectDropdown"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1691; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34415; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSecurityContext type confusion use after free attempt"; flow:to_server,established; file_data; content:"document.execCommand("; content:"Undo"; within:10; content:".style.float"; content:"document."; content:"meta"; within:30; content:"document."; content:"mark"; content:"window.location.reload()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1706; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34412; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSecurityContext type confusion use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand("; content:"Undo"; within:10; content:".style.float"; content:"document."; content:"meta"; within:30; content:"document."; content:"mark"; content:"window.location.reload()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1706; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34411; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DOMNodeInserted use-after-free attempt"; flow:to_server,established; file_data; content:"outerText"; content:"|22|0|22|"; within:15; content:"document.documentElement|3B|"; content:"applyElement"; within:150; content:"addEventListener"; within:150; content:"|22|DOMNodeInserted|22|"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1689; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-043; classtype:attempted-admin; sid:34410; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DOMNodeInserted use-after-free attempt"; flow:to_client,established; file_data; content:"outerText"; content:"|22|0|22|"; within:15; content:"document.documentElement|3B|"; content:"applyElement"; within:150; content:"addEventListener"; within:150; content:"|22|DOMNodeInserted|22|"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1689; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-043; classtype:attempted-admin; sid:34409; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer protected mode sandbox bypass attempt"; flow:to_server,established; file_data; content:"|03 00 00 0F BA 25 E4 EF 41 00 01 73 07 F3 A4 E9 17 03 00 00 81 F9 80 00 00 00 0F 82 CE 01 00 00 8B C7 33 C6 A9 0F 00 00 00 75 0E 0F BA|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1688; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-admin; sid:34408; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer protected mode sandbox bypass attempt"; flow:to_client,established; file_data; content:"|03 00 00 0F BA 25 E4 EF 41 00 01 73 07 F3 A4 E9 17 03 00 00 81 F9 80 00 00 00 0F 82 CE 01 00 00 8B C7 33 C6 A9 0F 00 00 00 75 0E 0F BA|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1688; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-admin; sid:34407; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt"; flow:to_server,established; file_data; content:"window.clipboardData.getData('Text')"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1692; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:policy-violation; sid:34406; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt"; flow:to_client,established; file_data; content:"window.clipboardData.getData('Text')"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1692; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:policy-violation; sid:34405; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt"; flow:to_server,established; file_data; content:"<script"; nocase; content:"vbscript"; within:30; nocase; content:"|5C 22 0A|"; fast_pattern:only; content:"regexp"; nocase; content:".execute"; within:500; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-1686; reference:cve,2015-6052; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-recon; sid:34394; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"vbscript"; within:30; nocase; content:"|5C 22 0A|"; fast_pattern:only; content:"regexp"; nocase; content:".execute"; within:500; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1686; reference:cve,2015-6052; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-recon; sid:34393; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer TextData out of bounds read attempt"; flow:to_server,established; file_data; content:".insertAdjacentElement"; nocase; content:"document.body"; within:50; nocase; content:".execCommand"; nocase; content:"undo"; within:50; nocase; content:"removeChild|28|document.body"; within:100; nocase; metadata:service smtp; reference:cve,2015-1685; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34392; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer TextData out of bounds read attempt"; flow:to_client,established; file_data; content:".insertAdjacentElement"; nocase; content:"document.body"; within:50; nocase; content:".execCommand"; nocase; content:"undo"; within:50; nocase; content:"removeChild|28|document.body"; within:100; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1685; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34391; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_server,established; file_data; content:"document.all"; content:".appendChild"; within:100; content:"document.all"; distance:0; content:".swapNode"; within:100; content:"document.all"; distance:0; content:".appendChild"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1712; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34384; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_client,established; file_data; content:"document.all"; content:".appendChild"; within:100; content:"document.all"; distance:0; content:".swapNode"; within:100; content:"document.all"; distance:0; content:".appendChild"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1712; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34383; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer range use after free attempt"; flow:to_server,established; file_data; content:"<table>"; content:"<tbody"; within:40; content:"<tr"; within:50; content:"<td"; within:50; content:"<q"; within:50; content:"<legend"; within:50; fast_pattern; content:"selection.createRange"; content:"queryCommandState"; content:"Delete"; within:6; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1708; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34382; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer range use after free attempt"; flow:to_client,established; file_data; content:"<table>"; content:"<tbody"; within:40; content:"<tr"; within:50; content:"<td"; within:50; content:"<q"; within:50; content:"<legend"; within:50; fast_pattern; content:"selection.createRange"; content:"queryCommandState"; content:"Delete"; within:6; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1708; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-043; classtype:attempted-user; sid:34381; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer protected mode sandbox privilege escalation attempt"; flow:to_server,established; file_data; content:"|57 33 FF 89 8D 30 E5 FF FF 89 B5 40 E5 FF FF 39 75 10 75 07 33 C0 E9 0D 08 00 00 85 C9 75 1F E8 BF E4 FF FF 21 30 E8 EC E4 FF FF C7 00 16 00 00 00 E8 BC D5 FF FF|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1713; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-043; classtype:attempted-user; sid:34380; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer protected mode sandbox privilege escalation attempt"; flow:to_client,established; file_data; content:"|57 33 FF 89 8D 30 E5 FF FF 89 B5 40 E5 FF FF 39 75 10 75 07 33 C0 E9 0D 08 00 00 85 C9 75 1F E8 BF E4 FF FF 21 30 E8 EC E4 FF FF C7 00 16 00 00 00 E8 BC D5 FF FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1713; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-043; classtype:attempted-user; sid:34379; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt"; flow:to_client,established; file_data; content:"window.location.href"; nocase; content:"document.write("; nocase; pcre:"/window\.location\.href=[\x22\x27]\x23(?P<anchor>\w+)[\x22\x27].*?document\.write\x28[\x22\x27](?!(?P=anchor)).*?a\sname\s*=\s*[\x22\x27](?P=anchor)/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3871; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-088; classtype:attempted-user; sid:33099; rev:5;)
# NOTE(review): disabled rule. Its pcre requires onload="<funcName>;" ((?P=funcName)\x3B) while the
# to-client sibling sid:33097, also rev:7 and otherwise identical, requires onload="<funcName>();"
# ((?P=funcName)\(\)\x3B). One of the two has drifted; confirm the intended form and bump rev before
# re-enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt"; flow:to_server,established; file_data; content:"innerText"; content:"<textarea"; within:300; distance:10; content:"display|3A|"; within:50; distance:1; content:"ruby"; within:10; pcre:"/function\s+(?P<funcName>\w+)\(\)\s*\{[^}]+innerText\s*=.{0,200}onload\s*=\s*(\x22|\x27)(?P=funcName)\x3B(\x22|\x27).{0,100}<textarea.{0,50}style=(\x22|\x27)display\x3A\s*ruby\x3B(\x22|\x27)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3845; classtype:attempted-user; sid:33098; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt"; flow:to_client,established; file_data; content:"innerText"; content:"<textarea"; within:300; distance:10; content:"display|3A|"; within:50; distance:1; content:"ruby"; within:10; pcre:"/function\s+(?P<funcName>\w+)\(\)\s*\{[^}]+innerText\s*=.{0,200}onload\s*=\s*(\x22|\x27)(?P=funcName)\(\)\x3B(\x22|\x27).{0,100}<textarea.{0,50}style=(\x22|\x27)display\x3A\s*ruby\x3B(\x22|\x27)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3845; classtype:attempted-user; sid:33097; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt"; flow:to_server,established; file_data; content:"inner"; content:"textarea"; within:300; distance:10; content:"display|3A|"; within:50; distance:1; content:"ruby"; within:10; pcre:"/for\s*\([^{]+document\.[^}]+inner(HTML|Text)\s*=.{0,300}textarea\s*\{.{0,50}display\x3A\s*ruby/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3845; classtype:attempted-user; sid:33096; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt"; flow:to_client,established; file_data; content:"inner"; content:"textarea"; within:300; distance:10; content:"display|3A|"; within:50; distance:1; content:"ruby"; within:10; pcre:"/for\s*\([^{]+document\.[^}]+inner(HTML|Text)\s*=.{0,300}textarea\s*\{.{0,50}display\x3A\s*ruby/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3845; classtype:attempted-user; sid:33095; rev:7;)
# NOTE(review): msg reads "user after free"; every other BROWSER-IE rule in this section spells it
# "use after free". The same typo is in sid:33093, sid:29744 and sid:29743. The alert text is part of
# the rule, so correcting it should be paired with a rev bump; left unchanged here.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CInput element user after free attempt"; flow:to_server,established; file_data; content:"input"; content:"type"; within:200; content:"radio"; within:200; content:"onpropertychange"; within:200; pcre:"/<input\s[^>]*?type\s*=\s*[\x22\x27]?radio[\x22\x27]?.*?(?P<doc>\w+)\.checked[^>]+(?P=doc)\.onpropertychange[^>]+?\.checked/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0286; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:33094; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CInput element user after free attempt"; flow:to_client,established; file_data; content:"input"; content:"type"; within:200; content:"radio"; within:200; content:"onpropertychange"; within:200; pcre:"/<input\s[^>]*?type\s*=\s*[\x22\x27]?radio[\x22\x27]?.*?(?P<doc>\w+)\.checked[^>]+(?P=doc)\.onpropertychange[^>]+?\.checked/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0286; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:33093; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 10 use after free attempt"; flow:to_server,established; file_data; content:"%5b%27%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%27%5d%28%27%73%63%72%69%70%74%27%29%3b"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0322; reference:url,technet.microsoft.com/en-us/security/advisory/2934088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:33086; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 10 use after free attempt"; flow:to_client,established; file_data; content:"%5b%27%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%27%5d%28%27%73%63%72%69%70%74%27%29%3b"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0322; reference:url,technet.microsoft.com/en-us/security/advisory/2934088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:33085; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"BLACKICEDEVMODE.BlackIceDEVMODECtrl"; fast_pattern:only; content:"SetAnnotationFont"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1516; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:attempted-user; sid:33021; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"BLACKICEDEVMODE.BlackIceDEVMODECtrl"; fast_pattern:only; content:"SetAnnotationFont"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1516; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:attempted-user; sid:33020; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; fast_pattern:only; content:"SetAnnotationFont"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1516; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:attempted-user; sid:33019; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; fast_pattern:only; content:"SetAnnotationFont"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1516; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:attempted-user; sid:33018; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer TextRange after free attempt"; flow:to_server,established; file_data; content:"createTextRange"; content:"moveToElementText"; content:".children["; within:50; content:"execCommand"; content:"InsertInput"; within:40; content:"execCommand"; content:"RemoveFormat"; within:40; content:"<body onload="; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-0307; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; classtype:attempted-user; sid:32763; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer TextRange after free attempt"; flow:to_client,established; file_data; content:"createTextRange"; content:"moveToElementText"; content:".children["; within:50; content:"execCommand"; content:"InsertInput"; within:40; content:"execCommand"; content:"RemoveFormat"; within:40; content:"<body onload="; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0307; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; classtype:attempted-user; sid:32762; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt"; flow:to_client,established; file_data; content:".addEventListener"; content:"DOMNodeRemoved"; within:32; fast_pattern; content:".createElement|28|"; within:150; content:"div"; within:10; content:".appendChild|28|"; within:150; content:".selectAllChildren|28|"; within:150; content:".deleteFromDocument|28|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0274; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:32364; rev:5;)
# NOTE(review): the fast_pattern content "getElementByID" carries no nocase, so it is matched
# case-sensitively, while the pcre that follows is /i. The DOM method is canonically spelled
# getElementById, so as written the rule only fires on content using this exact "ID" casing. The same
# pattern appears in sid:30505 ("getElementByID") and sid:30503 ("getElementsBytagName"). Confirm
# whether the casing deliberately targets a specific known sample; if not, add nocase and bump rev.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt"; flow:to_client,established; file_data; content:"getElementByID"; fast_pattern:only; content:".removeChild"; nocase; content:"<object"; nocase; content:"onerror"; within:75; nocase; pcre:"/function\s+?(?P<func>\w+?)\s*?\x28[^\x7b]+?\x7b[^\x7d]*?getElementByID\x28[\x22\x27](?P<obj>\w+?)[\x22\x27]?\s*?\x29[^\x7d]*?removeChild\s*?\x28.*?(?P=obj)\s[^\x3e]*?onerror\s*?=\s*?[\x22\x27](?P=func)\s*?\x28/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:30506; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt"; flow:to_client,established; file_data; content:"getElementByID"; fast_pattern:only; content:".removeChild"; nocase; content:"<object"; nocase; content:"onerror"; within:75; nocase; pcre:"/\x3C(?P<obj>\w+)\s[^\x3e]*?onerror\s*?=\s*?[\x22\x27](?P<func>\w+)\s*?\x28.*?function\s+?(?P=func)\s*?\x28[^\x7b]+?\x7b[^\x7d]*?getElementByID\x28[\x22\x27](?P=obj)[\x22\x27]?\s*?\x29[^\x7d]*?removeChild\s*?\x28/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:30505; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt"; flow:to_client,established; file_data; content:"ElementsBytagName"; nocase; content:".removeChild"; nocase; content:"<object"; nocase; content:"onerror"; within:75; nocase; content:"CollectGarbage()"; fast_pattern:only; pcre:"/function\s+?(?P<func>\w+?)\s*?\x28[^\x7d]*?ElementsByTagName[^\x7d]*?removeChild\s*?\x28.*?object\s[^\x3e]*?onerror\s*?\x3D\s*?[\x22\x27](?P=func)\s*?\x28/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:30504; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt"; flow:to_client,established; file_data; content:"getElementsBytagName"; fast_pattern:only; content:".removeChild"; nocase; content:"<object"; nocase; content:"onerror"; within:75; nocase; pcre:"/\x3C(?P<obj>\w+)\s[^\x3e]*?onerror\s*?=\s*?[\x22\x27](?P<func>\w+)\s*?\x28.*?function\s+?(?P=func)\s*?\x28[^\x7b]+?\x7b[^\x7d]*?getElementsByTagName\x28[\x22\x27](?P=obj)[\x22\x27]?\s*?\x29[^\x7d]*?removeChild\s*?\x28/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:30503; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 10 use after free attempt"; flow:to_server,established; file_data; content:".getElementById"; content:"<script id="; nocase; content:".onpropertychange"; content:".createElement"; within:100; content:"body onload="; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0322; reference:url,technet.microsoft.com/en-us/security/advisory/2934088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30107; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 10 use after free attempt"; flow:to_client,established; file_data; content:".getElementById"; content:"<script id="; nocase; content:".onpropertychange"; content:".createElement"; within:100; content:"body onload="; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0322; reference:url,technet.microsoft.com/en-us/security/advisory/2934088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:30106; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 10 use after free attempt"; flow:to_server,established; file_data; content:".getElementsByTagName"; content:"script"; within:10; nocase; content:".onpropertychange"; within:200; content:".createElement"; within:200; content:"SELECT"; within:10; nocase; content:"CollectGarbage()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0322; reference:url,technet.microsoft.com/en-us/security/advisory/2934088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:29820; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 10 use after free attempt"; flow:to_client,established; file_data; content:".getElementsByTagName"; content:"script"; within:10; nocase; content:".onpropertychange"; within:200; content:".createElement"; within:200; content:"SELECT"; within:10; nocase; content:"CollectGarbage()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0322; reference:url,technet.microsoft.com/en-us/security/advisory/2934088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-012; classtype:attempted-user; sid:29819; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CInput element user after free attempt"; flow:to_server,established; file_data; content:"input"; content:"type"; within:200; content:"radio"; within:200; content:"onpropertychange"; within:200; pcre:"/<input\s[^>]*?type\s*=\s*[\x22\x27]?radio[\x22\x27]?[^>]*?onpropertychange\s*=\s*[\x22\x27]?(?P<func>\w+)\s*\(.*?(?P=func)\s*\([^{]+?\{[^}]*?\.(inner|outer)HTML/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0286; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29744; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CInput element user after free attempt"; flow:to_client,established; file_data; content:"input"; content:"type"; within:200; content:"radio"; within:200; content:"onpropertychange"; within:200; pcre:"/<input\s[^>]*?type\s*=\s*[\x22\x27]?radio[\x22\x27]?[^>]*?onpropertychange\s*=\s*[\x22\x27]?(?P<func>\w+)\s*\(.*?(?P=func)\s*\([^{]+?\{[^}]*?\.(inner|outer)HTML/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0286; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29743; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer selectall use after free attempt"; flow:to_server,established; file_data; content:"document.execCommand("; content:"SelectAll"; within:20; content:"setTimeout("; content:"document.appendChild("; within:50; content:"document.body."; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0287; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:29736; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer selectall use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand("; content:"SelectAll"; within:20; content:"setTimeout("; content:"document.appendChild("; within:50; content:"document.body."; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0287; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:29735; rev:9;)
# NOTE(review): rule header is "any any -> $HOME_NET 25", unlike every other SMTP-side rule in this
# section, which uses "$EXTERNAL_NET any -> $SMTP_SERVERS 25". This rule therefore also inspects mail
# from internal sources to any $HOME_NET host on tcp/25, not only the declared $SMTP_SERVERS, which
# widens coverage and inspection cost. Confirm the broader scope is intended.
alert tcp any any -> $HOME_NET 25 (msg:"BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt"; flow:to_server,established; file_data; content:".addEventListener"; content:"DOMNodeRemoved"; within:32; fast_pattern; content:".removeEventListener"; distance:0; content:"DOMNodeRemoved"; within:32; content:"getSelection().removeAllRanges("; within:128; content:"getSelection().deleteFromDocument("; distance:0; pcre:"/\.addEventListener\s*\x28\s*[\x22\x27]DOMNodeRemoved[\x22\x27][^\x29]*?function(?:(?!\)\x3b).)*?\{[^}]*?\.removeEventListener\s*\x28\s*[\x22\x27]DOMNodeRemoved[\x22\x27][^}]*?getselection\s*\x28.*?\x29\.removeAllRanges\s*\x28.*?\x29\x3b[^}]*?\}.*?getSelection\s*\x28.*?\x29\.deleteFromDocument/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0274; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29734; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt"; flow:to_client,established; file_data; content:".addEventListener"; content:"DOMNodeRemoved"; within:32; fast_pattern; content:".removeEventListener"; distance:0; content:"DOMNodeRemoved"; within:32; content:"getSelection().removeAllRanges("; within:128; content:"getSelection().deleteFromDocument("; distance:0; pcre:"/\.addEventListener\s*\x28\s*[\x22\x27]DOMNodeRemoved[\x22\x27][^\x29]*?function(?:(?!\)\x3b).)*?\{[^}]*?\.removeEventListener\s*\x28\s*[\x22\x27]DOMNodeRemoved[\x22\x27][^}]*?getselection\s*\x28.*?\x29\.removeAllRanges\s*\x28.*?\x29\x3b[^}]*?\}.*?getSelection\s*\x28.*?\x29\.deleteFromDocument/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0274; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-010; classtype:attempted-user; sid:29733; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer MoveToMarkupPointer call with CControlTracker OnExitTree use-after-free attempt"; flow:to_server,established; file_data; content:"body.contentEditable"; fast_pattern:only; content:"execCommand"; nocase; content:"execCommand"; within:100; nocase; content:"Insert"; within:15; nocase; content:"onload"; within:200; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,61668; reference:cve,2013-3184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-059; classtype:attempted-user; sid:29651; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer MoveToMarkupPointer call with CControlTracker OnExitTree use-after-free attempt"; flow:to_client,established; file_data; content:"body.contentEditable"; fast_pattern:only; content:"execCommand"; nocase; content:"execCommand"; within:100; nocase; content:"Insert"; within:15; nocase; content:"onload"; within:200; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,61668; reference:cve,2013-3184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-059; classtype:attempted-user; sid:29650; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDisplayPointer use after free attempt"; flow:to_server,established; file_data; content:"contentEditable"; nocase; content:"true"; within:20; nocase; content:"document.execCommand"; within:40; nocase; content:"InsertInput"; within:25; nocase; content:".inner"; within:45; nocase; content:"onbeforeeditfocus"; within:100; fast_pattern; nocase; pcre:"/function\s+?(?P<trigger>\w+)\s*?\x28[^\x7b]+?\x7b[^\x7d]+?document\.write.*?(window\.onload|function|body)\s*?\x3d?\s*?(?P<activate>\w+).*?(onactivate|onbeforeeditfocus)\s*?\x3d\s*?[\x22\x27]?\s*?((?P=trigger)|(?P=activate))/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3205; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-069; classtype:attempted-user; sid:29035; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDisplayPointer use after free attempt"; flow:to_client,established; file_data; content:"contentEditable"; nocase; content:"true"; within:20; nocase; content:"document.execCommand"; within:40; nocase; content:"InsertInput"; within:25; nocase; content:".inner"; within:45; nocase; content:"onbeforeeditfocus"; within:100; fast_pattern; nocase; pcre:"/function\s+?(?P<trigger>\w+)\s*?\x28[^\x7b]+?\x7b[^\x7d]+?document\.write.*?(window\.onload|function|body)\s*?\x3d?\s*?(?P<activate>\w+).*?(onactivate|onbeforeeditfocus)\s*?\x3d\s*?[\x22\x27]?\s*?((?P=trigger)|(?P=activate))/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3205; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-069; classtype:attempted-user; sid:29034; rev:5;)
# sid 28878 (active): CVE-2013-5049 (MS13-097) GetClassObject use-after-free, inbound SMTP file_data.
# Source order: "<object" -> "onerror" within 75 -> ".removeChild" anywhere later. The PCRE binds the object's id and its onerror
# handler name, then requires that handler's function body to call .removeChild(<that same id>).
# Companion sid 28877 covers the reverse order (handler function defined before the <object> tag).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt"; flow:to_server,established; file_data; content:"<object"; nocase; content:"onerror"; within:75; nocase; content:".removeChild"; distance:0; nocase; pcre:"/<object[^>]+?id\s*?=\s*?[\x22\x27]?(?P<obj>\w+?)[\x22\x27]?[^>]*?onerror\s*?=\s*?[\x22\x27](?P<func>\w+?)\s*?\x28.*?(?P=func)\s*?\x28[^\x7b]+?\x7b[^\x7d]*?\x2eremoveChild\s*?\x28\s*?[\x22\x27]?(?P=obj)[\x22\x27]?\s*?\x29/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-5049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:28878; rev:6;)
# sid 28877 (active): CVE-2013-5049 (MS13-097) GetClassObject use-after-free, inbound SMTP file_data.
# Source order: ".removeChild" first, then "<object" -> "onerror" within 75. The PCRE captures a function whose body calls
# .removeChild(<id>) and requires a later <object id=<id> ... onerror="<that function>(".
# Companion sid 28878 covers the <object> tag appearing before the handler function.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt"; flow:to_server,established; file_data; content:".removeChild"; nocase; content:"<object"; distance:0; nocase; content:"onerror"; within:75; nocase; pcre:"/function\s+?(?P<func>\w+?)\s*?\x28[^\x7b]+?\x7b[^\x7d]*?\x2eremoveChild\s*?\x28\s*?[\x22\x27]?(?P<obj>\w+?)[\x22\x27]?\s*?\x29.*?<object[^>]+?id\s*?=\s*?[\x22\x27]?(?P=obj)[\x22\x27]?[^>]*?onerror\s*?=\s*?[\x22\x27](?P=func)\s*?\x28/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-5049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:28877; rev:6;)
# sid 28876 (active): CVE-2013-5049 (MS13-097) GetClassObject use-after-free, server->client over ftp-data/http/imap/pop3 (file_data).
# Client-side twin of sid 28878: "<object" -> "onerror" within 75 -> ".removeChild"; PCRE requires the onerror handler's body to
# call .removeChild on the same element id. Drops in balanced, security and max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt"; flow:to_client,established; file_data; content:"<object"; nocase; content:"onerror"; within:75; nocase; content:".removeChild"; distance:0; nocase; pcre:"/<object[^>]+?id\s*?=\s*?[\x22\x27]?(?P<obj>\w+?)[\x22\x27]?[^>]*?onerror\s*?=\s*?[\x22\x27](?P<func>\w+?)\s*?\x28.*?(?P=func)\s*?\x28[^\x7b]+?\x7b[^\x7d]*?\x2eremoveChild\s*?\x28\s*?[\x22\x27]?(?P=obj)[\x22\x27]?\s*?\x29/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:28876; rev:6;)
# sid 28875 (active): CVE-2013-5049 (MS13-097) GetClassObject use-after-free, server->client over ftp-data/http/imap/pop3 (file_data).
# Client-side twin of sid 28877: ".removeChild" first, then "<object" -> "onerror" within 75; PCRE requires the function calling
# .removeChild(<id>) to be the onerror handler of a later <object id=<id>>. Drops in balanced, security and max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt"; flow:to_client,established; file_data; content:".removeChild"; nocase; content:"<object"; distance:0; nocase; content:"onerror"; within:75; nocase; pcre:"/function\s+?(?P<func>\w+?)\s*?\x28[^\x7b]+?\x7b[^\x7d]*?\x2eremoveChild\s*?\x28\s*?[\x22\x27]?(?P<obj>\w+?)[\x22\x27]?\s*?\x29.*?<object[^>]+?id\s*?=\s*?[\x22\x27]?(?P=obj)[\x22\x27]?[^>]*?onerror\s*?=\s*?[\x22\x27](?P=func)\s*?\x28/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-5049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-097; classtype:attempted-user; sid:28875; rev:6;)
# sid 28663 (commented out): CVE-2006-1626 (bugtraq 17404) address bar spoofing, inbound SMTP file_data.
# Single fast-pattern match on one fixed 30-byte sequence and nothing else, so it matches only content carrying exactly
# those bytes; there is no generic structural check. No bulletin URL is referenced. max-detect-ips only.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer address bar spoofing attempt"; flow:to_server,established; file_data; content:"|D6 FD 91 46 E0 43 B0 89 8E B9 F0 CB 32 45 EE D4 7D 81 16 4B 39 22 32 93 15 A2 56 98 EA 38|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,17404; reference:cve,2006-1626; classtype:attempted-user; sid:28663; rev:5;)
# sid 28662 (commented out): CVE-2006-1626 (bugtraq 17404) address bar spoofing, server->client over ftp-data/http/imap/pop3 (file_data).
# Client-side twin of sid 28663: one fixed 30-byte fast-pattern sequence, no other checks. max-detect-ips only.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer address bar spoofing attempt"; flow:to_client,established; file_data; content:"|D6 FD 91 46 E0 43 B0 89 8E B9 F0 CB 32 45 EE D4 7D 81 16 4B 39 22 32 93 15 A2 56 98 EA 38|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17404; reference:cve,2006-1626; classtype:attempted-user; sid:28662; rev:5;)
# sid 28489 (active): CVE-2013-3871 (MS13-088) CAnchorElement use-after-free, server->client HTTP only ($HTTP_PORTS, service http), file_data.
# Case-sensitive contents: "name", then "window.navigate(" and "document.open(" within 100 bytes (the PCRE itself is /i).
# The PCRE captures an <a name=...> value, requires window.navigate("#<name>") and then a document.open(" whose argument is
# NOT that name (negative look-ahead on the captured group). Drops in balanced, security and max-detect IPS policies.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt"; flow:to_client,established; file_data; content:"name"; content:"window.navigate|28|"; distance:0; content:"document.open|28|"; within:100; pcre:"/a\sname\s*=\s*(\x22|\x27)(?P<anchor>\w+).*?window\.navigate\x28(\x22|\x27)\x23(?P=anchor)(\x22|\x27)\x29.*?document\.open\x28(\x22|\x27)(?!(?P=anchor))/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-3871; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-088; classtype:attempted-user; sid:28489; rev:6;)
# sid 28447 (commented out): CVE-2012-0011 / CVE-2012-0155 (MS12-010) style.position use-after-free, server->client over
# ftp-data/http/imap/pop3 (file_data). Fast pattern is the literal v:textbox contenteditable="true"; also requires nocase "focus()"
# followed by "style.position" within 48 bytes. Note classtype is attempted-dos although the msg describes memory corruption.
# max-detect-ips only.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt"; flow:to_client,established; file_data; content:"focus()"; nocase; content:"style.position"; within:48; nocase; content:"v:textbox contenteditable=|22|true|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0011; reference:cve,2012-0155; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-010; classtype:attempted-dos; sid:28447; rev:5;)
# sid 28364 (commented out): CVE-2012-0170 (MS12-023) iframe onreadystatechange use-after-free, inbound SMTP file_data.
# Nocase contents: ".getElement" -> "iframe" within 25 -> ".onreadystatechange" within 75 (fast pattern). The PCRE ties the
# identifier assigned to .onreadystatechange to a later function of that name whose body assigns innerHTML/outerHTML or calls .write.
# Companion sid 28363 covers the handler given inline as an <iframe onreadystatechange="..."> attribute. security/max-detect drop.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt"; flow:to_server,established; file_data; content:".getElement"; nocase; content:"iframe"; within:25; nocase; content:".onreadystatechange"; within:75; fast_pattern; nocase; pcre:"/\x2eonreadystatechange\s*=\s*(?P<del_func>\w+)\s*\x3b.*?function\s+(?P=del_func)\s*\x28[^\x7b]*?\x7b[^\x7d]*?\x2e(?:innerHTML\s*=|outerHTML\s*=|write)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,52904; reference:cve,2012-0170; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-023; classtype:attempted-user; sid:28364; rev:8;)
# sid 28363 (commented out): CVE-2012-0170 (MS12-023) iframe onreadystatechange use-after-free, inbound SMTP file_data.
# Nocase contents: "<iframe" -> "onreadystatechange" within 75 (fast pattern). The PCRE requires a function whose body assigns
# innerHTML/outerHTML or calls .write, followed by an <iframe ... onreadystatechange="<that function>"> attribute.
# Companion sid 28364 covers the handler assigned from script (.onreadystatechange = f). security/max-detect drop.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt"; flow:to_server,established; file_data; content:"<iframe"; nocase; content:"onreadystatechange"; within:75; fast_pattern; nocase; pcre:"/function\s+(?P<del_func>\w+)\s*\x28[^\x7b]*?\x7b[^\x7d]*?\x2e(?:innerHTML\s*=|outerHTML\s*=|write).*?<iframe[^>]+onreadystatechange\s*=\s*[\x22\x27]\s*(?P=del_func)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,52904; reference:cve,2012-0170; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-023; classtype:attempted-user; sid:28363; rev:8;)
# sid 28360 (commented out): CVE-2012-1875 (MS12-037) DOM manipulation memory corruption, inbound SMTP file_data.
# Fast pattern is the literal "].fireEvent("; also nocase document.getElementsByTagName( and a <div / <img (200) / <div (200) / .innerHTML chain.
# Two PCREs: the first requires an <img id=X> followed by a <div id=X> with the same id; the second a <div id=Y> later referenced as Y.innerHTML.
# security/max-detect drop. The sibling sids 28354-28359 for this CVE use sample-specific literals instead.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt"; flow:to_server,established; file_data; content:"|5D|.fireEvent|28|"; fast_pattern:only; content:"document.getElementsByTagName|28|"; nocase; content:"<div "; nocase; content:"<img "; within:200; nocase; content:"<div "; within:200; nocase; content:".innerHTML"; distance:0; nocase; pcre:"/<img[^>]+id\s*=\s*(?P<q1>\x22|\x27|)(?P<id>[^\x22\x27\x20]+)(?P=q1)[^>]*?>.*?<div[^>]+id\s*=\s*(\x22|\x27|)(?P=id)/smi"; pcre:"/<div[^>]+id\s*=\s*(\x22|\x27|)(?P<id>[^\x22\x27\x20\x3E]+)[^>]*>.*?(?P=id)\.innerHTML/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53847; reference:cve,2012-1875; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:28360; rev:7;)
# sid 28359 (commented out): CVE-2012-1875 (MS12-037) DOM manipulation memory corruption, inbound SMTP file_data.
# Fast pattern is the exact literal {eval("imgABC").src="";} (hex-escaped), so this fires only on that specific script text;
# the <div / <img / <div / .innerHTML nocase chain is secondary. security/max-detect drop. sid 28354 is the client-side twin.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt"; flow:to_server,established; file_data; content:"|7B|eval|28 22|imgABC|22 29|.src|3D 22 22 3B 7D|"; fast_pattern:only; content:"<div "; nocase; content:"<img "; within:200; nocase; content:"<div "; within:200; nocase; content:".innerHTML"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53847; reference:cve,2012-1875; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:28359; rev:7;)
# sid 28358 (commented out): CVE-2012-1875 (MS12-037) DOM manipulation memory corruption, server->client over ftp-data/http/imap/pop3 (file_data).
# Two exact literals: span_tags[0].fireEvent('onBlur') (fast pattern) and <span id="duplicate" onBlur="use()"/> (nocase).
# Sample-specific identifiers; variants that rename span_tags/duplicate/use are not matched. security/max-detect drop. sid 28355 is the SMTP twin.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"span_tags|5B|0|5D|.fireEvent|28 27|onBlur|27 29|"; fast_pattern:only; content:"|3C|span id|3D 22|duplicate|22| onBlur|3D 22|use|28 29 22 2F 3E|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53847; reference:cve,2012-1875; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:28358; rev:7;)
# sid 28357 (commented out): CVE-2012-1875 (MS12-037) DOM manipulation memory corruption, inbound SMTP file_data.
# Exact literals: <DIV id=testfaild> (fast pattern) and <script>document.write((function( (nocase). The "testfaild" id is a
# sample-specific marker. security/max-detect drop. sid 28356 is the client-side twin.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt"; flow:to_server,established; file_data; content:"|3C|DIV id|3D|testfaild|3E|"; fast_pattern:only; content:"|3C|script|3E|document.write|28 28|function|28|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53847; reference:cve,2012-1875; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:28357; rev:7;)
# sid 28356 (commented out): CVE-2012-1875 (MS12-037) DOM manipulation memory corruption, server->client over ftp-data/http/imap/pop3 (file_data).
# Client-side twin of sid 28357: exact literals <DIV id=testfaild> (fast pattern) and <script>document.write((function( (nocase).
# security/max-detect drop.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|DIV id|3D|testfaild|3E|"; fast_pattern:only; content:"|3C|script|3E|document.write|28 28|function|28|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53847; reference:cve,2012-1875; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:28356; rev:7;)
# sid 28355 (commented out): CVE-2012-1875 (MS12-037) DOM manipulation memory corruption, inbound SMTP file_data.
# SMTP twin of sid 28358: exact literals span_tags[0].fireEvent('onBlur') (fast pattern) and <span id="duplicate" onBlur="use()"/> (nocase).
# security/max-detect drop.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt"; flow:to_server,established; file_data; content:"span_tags|5B|0|5D|.fireEvent|28 27|onBlur|27 29|"; fast_pattern:only; content:"|3C|span id|3D 22|duplicate|22| onBlur|3D 22|use|28 29 22 2F 3E|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53847; reference:cve,2012-1875; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:28355; rev:7;)
# sid 28354 (commented out): CVE-2012-1875 (MS12-037) DOM manipulation memory corruption, server->client over ftp-data/http/imap/pop3 (file_data).
# Client-side twin of sid 28359: exact literal {eval("imgABC").src="";} as fast pattern plus the <div / <img / <div / .innerHTML nocase chain.
# security/max-detect drop.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"|7B|eval|28 22|imgABC|22 29|.src|3D 22 22 3B 7D|"; fast_pattern:only; content:"<div "; nocase; content:"<img "; within:200; nocase; content:"<div "; within:200; nocase; content:".innerHTML"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53847; reference:cve,2012-1875; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:28354; rev:7;)
# sid 28353 (commented out): CVE-2010-0244 (MS10-002) CTableLayout memory corruption, inbound SMTP file_data.
# Nocase contents: document.getElement -> .onpropertychange within 75 (fast pattern) -> "function" within 75; then <table and <col within 75.
# PCRE: an anonymous onpropertychange handler (= function(){...}) whose body sets .innerHTML/.outerHTML to an empty string or applies ++.
# Companion sid 28352 covers the handler defined as var f = function(){...} and attached via window.f. max-detect-ips only.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableLayout memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElement"; nocase; content:".onpropertychange"; within:75; fast_pattern; nocase; content:"function"; within:75; nocase; content:"<table"; distance:0; nocase; content:"<col"; within:75; nocase; pcre:"/\x2eonpropertychange\s*=\s*function\s*\x28\s*\x29\s*\x7b[^\x7d]+?\x2e(inner|outer)HTML(\s*=\s*[\x22\x27]\s*[\x22\x27]|\x2b\x2b)/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,37891; reference:cve,2010-0244; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:28353; rev:7;)
# sid 28352 (commented out): CVE-2010-0244 (MS10-002) CTableLayout memory corruption, inbound SMTP file_data.
# Nocase contents: document.getElement -> .onpropertychange within 75 (fast pattern) -> "window." within 75; then <table and <col within 75.
# PCRE: var f = function(){ ... .innerHTML/.outerHTML = "" ... } followed by .onpropertychange = window.f (same name via back-reference).
# Companion sid 28353 covers the inline anonymous handler. max-detect-ips only.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableLayout memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElement"; nocase; content:".onpropertychange"; within:75; fast_pattern; nocase; content:"window."; within:75; nocase; content:"<table"; distance:0; nocase; content:"<col"; within:75; nocase; pcre:"/var\s+(?P<del_func>\w+)\s*=\s*function\s*\x28\s*\x29\s*\x7b[^\x7d]+?\x2e(inner|outer)HTML\s*=\s*[\x22\x27]\s*[\x22\x27].*?\x2eonpropertychange\s*=\s*window\x2e(?P=del_func)/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,37891; reference:cve,2010-0244; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:28352; rev:7;)
# sid 28306 (commented out): CVE-2011-1261 (MS11-050) CSS expression() defined to an empty selection, inbound SMTP file_data.
# Nocase "expression" followed by "document.selection.empty" within 50; the PCRE (/i) pins the exact call shape
# expression( document.selection.empty( ) ) with optional whitespace. No fast_pattern is declared. max-detect-ips only.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSS expression defined to empty selection attempt"; flow:to_server,established; file_data; content:"expression"; nocase; content:"document.selection.empty"; within:50; pcre:"/expression\s*\x28\s*document\x2eselection\x2eempty\s*\x28\s*\x29\s*\x29/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,48210; reference:cve,2011-1261; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:28306; rev:7;)
# sid 28287 (commented out): CVE-2010-0248 deleted object cells reference memory corruption, server->client HTTP ($HTTP_PORTS) file_data.
# Nocase "cells.item" followed by "outerText"; the PCRE requires the same identifier on both sides (X.cells.item ... X.outerText).
# Style: uses a numbered back-reference (\1) where neighbouring rules use named groups, the msg ends in "vulnerability" rather
# than the "attempt" wording used elsewhere, and no bulletin URL is referenced. max-detect-ips only.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted object cells reference memory corruption vulnerability"; flow:to_client,established; file_data; content:"cells.item"; nocase; content:"outerText"; distance:0; nocase; pcre:"/([A-Z0-9_]+)\.cells\.item.*?\1\.outerText/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0248; classtype:attempted-user; sid:28287; rev:5;)
# sid 28271 (commented out): CVE-2011-1995 (MS11-081) htmlfile null attribute access, inbound SMTP file_data.
# Fast pattern is the CLSID 25336920-03F9-11CF-8FD0-00AA00686F13 (the htmlfile object the msg refers to); also nocase ".attributes[".
# PCRE binds the <object id=...> carrying that classid to a later <id>.attributes reference and a for(...) loop indexing <id>.attributes[.
# max-detect-ips only.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer htmlfile null attribute access attempt"; flow:to_server,established; file_data; content:"25336920-03F9-11CF-8FD0-00AA00686F13"; fast_pattern:only; content:".attributes["; nocase; pcre:"/<object[^>]+id\s*?=\s*?[\x22\x27]?([A-Z\d]+)[\x22\x27]?[^>]+classid\s*?=\s*?[\x22\x27]?clsid\x3A25336920-03F9-11CF-8FD0-00AA00686F13[\x22\x27]?.*?\1\.attributes.*?for\s*\x28[^\x29]+\1\.attributes\x5B/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49960; reference:cve,2011-1995; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:28271; rev:7;)
# sid 28270 (commented out): CVE-2011-1995 (MS11-081) option element use-after-free, inbound SMTP file_data.
# Single exact literal imgarray[i].title = fakeobj.substring(0, 0x38 / 2 - 1); as fast pattern, case-sensitive, no other checks.
# Matches only this specific statement text (identifiers and spacing included). sid 28268 is the HTTP client-side twin. max-detect-ips only.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer option element use after free attempt"; flow:to_server,established; file_data; content:"imgarray|5B|i|5D|.title = fakeobj.substring|28|0, 0x38 / 2 - 1|29 3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1995; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:28270; rev:6;)
# sid 28269 (commented out): CVE-2011-1995 (MS11-081) option element use-after-free, inbound SMTP file_data.
# Single exact literal bigarray[k][i].title = fakeobj.substring(0, 0x38 / 2 - 1); as fast pattern, case-sensitive, no other checks.
# sid 28267 is the HTTP client-side twin. max-detect-ips only.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer option element use after free attempt"; flow:to_server,established; file_data; content:"bigarray|5B|k|5D 5B|i|5D|.title = fakeobj.substring|28|0, 0x38 / 2 - 1|29 3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1995; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:28269; rev:6;)
# sid 28268 (commented out): CVE-2011-1995 (MS11-081) option element use-after-free, server->client HTTP ($HTTP_PORTS) file_data.
# Client-side twin of sid 28270: single exact literal imgarray[i].title = fakeobj.substring(0, 0x38 / 2 - 1); as fast pattern.
# max-detect-ips only.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer option element use after free attempt"; flow:to_client,established; file_data; content:"imgarray|5B|i|5D|.title = fakeobj.substring|28|0, 0x38 / 2 - 1|29 3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1995; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:28268; rev:6;)
# sid 28267 (commented out): CVE-2011-1995 (MS11-081) option element use-after-free, server->client HTTP ($HTTP_PORTS) file_data.
# Client-side twin of sid 28269: single exact literal bigarray[k][i].title = fakeobj.substring(0, 0x38 / 2 - 1); as fast pattern.
# max-detect-ips only.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer option element use after free attempt"; flow:to_client,established; file_data; content:"bigarray|5B|k|5D 5B|i|5D|.title = fakeobj.substring|28|0, 0x38 / 2 - 1|29 3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1995; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:28267; rev:6;)
# sid 28259 (commented out): CVE-2011-1345 (MS11-018) object management memory corruption, inbound SMTP file_data.
# Nocase contents: .onpropertychange -> .childNode within 50 -> .onpropertychange -> "null" within 50. The PCRE requires a single
# variable X throughout: X.onpropertychange = X.childNode..., then X.onpropertychange = null, then X.onpropertychange again.
# Companion sid 28258 is the same pattern with .attributes in place of .childNode. max-detect-ips only.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer object management memory corruption attempt"; flow:to_server,established; file_data; content:".onpropertychange"; nocase; content:".childNode"; within:50; nocase; content:".onpropertychange"; distance:0; nocase; content:"null"; within:50; nocase; pcre:"/(?P<q1>[A-Z\d_]+)\.onpropertychange\s*=\s*(?P=q1)\.childNode.*?(?P=q1)\.onpropertychange\s*=\s*null.*?(?P=q1)\.onpropertychange/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,46821; reference:cve,2011-1345; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:attempted-user; sid:28259; rev:7;)
# sid 28258 (commented out): CVE-2011-1345 (MS11-018) object management memory corruption, inbound SMTP file_data.
# Nocase contents: .onpropertychange -> .attributes within 50 -> .onpropertychange -> "null" within 50. The PCRE requires one
# variable X for the sequence X.onpropertychange = X.attributes..., X.onpropertychange = null, X.onpropertychange.
# Companion sid 28259 is the .childNode variant. max-detect-ips only.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer object management memory corruption attempt"; flow:to_server,established; file_data; content:".onpropertychange"; nocase; content:".attributes"; within:50; nocase; content:".onpropertychange"; distance:0; nocase; content:"null"; within:50; nocase; pcre:"/(?P<q1>[A-Z\d_]+)\.onpropertychange\s*=\s*(?P=q1)\.attributes.*?(?P=q1)\.onpropertychange\s*=\s*null.*?(?P=q1)\.onpropertychange/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,46821; reference:cve,2011-1345; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:attempted-user; sid:28258; rev:7;)
# sid 28208 (commented out): CVE-2013-3897 (MS13-080) swapNode memory corruption, inbound SMTP file_data.
# Nocase contents: .onpropertychange -> execCommand within 500; .onselect -> .swapNode within 500 (fast pattern).
# PCRE ties the element passed to .appendChild(X) to X.onselect, a .swapNode call in the same block, and a later X.select.
# The PCRE carries the O modifier, which overrides the configured pcre match limits for this expression (higher worst-case cost
# on large bodies). max-detect-ips only.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt"; flow:to_server,established; file_data; content:".onpropertychange"; nocase; content:"execCommand"; within:500; nocase; content:".onselect"; nocase; content:".swapNode"; within:500; fast_pattern; nocase; pcre:"/\x2eappendChild\s*\x28\s*(?P<var>\w+)\s*\x29.*?(?P=var)\x2eonselect[^\x7d]+\x2eswapNode.*?(?P=var)\x2eselect/smiO"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,62811; reference:cve,2013-3897; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-080; classtype:attempted-user; sid:28208; rev:9;)
# sid 28207 (commented out): CVE-2013-3897 (MS13-080) swapNode memory corruption, server->client over ftp-data/http/imap/pop3 (file_data).
# Client-side twin of sid 28208: .onpropertychange/execCommand and .onselect/.swapNode (fast pattern) nocase pairs, plus the PCRE
# tying .appendChild(X) to X.onselect, .swapNode and X.select. PCRE has the O modifier (pcre match limits overridden). max-detect-ips only.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt"; flow:to_client,established; file_data; content:".onpropertychange"; nocase; content:"execCommand"; within:500; nocase; content:".onselect"; nocase; content:".swapNode"; within:500; fast_pattern; nocase; pcre:"/\x2eappendChild\s*\x28\s*(?P<var>\w+)\s*\x29.*?(?P=var)\x2eonselect[^\x7d]+\x2eswapNode.*?(?P=var)\x2eselect/smiO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,62811; reference:cve,2013-3897; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-080; classtype:attempted-user; sid:28207; rev:9;)
# sid 28112 (commented out): CVE-2012-0012 (MS12-010) IE9 null character in string information disclosure, server->client HTTP
# ($HTTP_PORTS) file_data; classtype attempted-recon. Contents: the X-UA-Compatible http-equiv meta (nocase) and the fast-pattern
# literal string.fromCharcode(0); the PCRE (/i, B = raw un-normalized buffer) requires a quoted string concatenated with String.fromCharCode(0).
# NOTE(review): the fast-pattern content is case-sensitive (no nocase) and spelled "string.fromCharcode", while the PCRE matches
# String\.fromCharCode case-insensitively; since JavaScript identifiers are case-sensitive the content as written only matches that
# exact lower-case spelling. Adding nocase (or the canonical spelling) appears to be the intent.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 null character in string information disclosure attempt"; flow:to_client,established; file_data; content:"http-equiv=|22|X-UA-Compatible|22|"; nocase; content:"string.fromCharcode|28|0|29|"; fast_pattern:only; pcre:"/var\s+\w+\s+\x3D\s*\x22+[^\x22]+\x22\s*\x2B.*?String\.fromCharCode\x280\x29.*?\x22/Bsmi"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0012; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-010; classtype:attempted-recon; sid:28112; rev:5;)
# sid 27944 (commented out): CVE-2013-3893 (Microsoft advisory 2887505) onlosecapture memory corruption, inbound SMTP file_data.
# Case-sensitive contents: .applyElement -> .onlosecapture within 500 (fast pattern) -> .setCapture within 500, twice.
# PCRE (/i, O modifier = pcre match limits overridden) ties .applyElement(X) to X.onlosecapture = ..., X.setCapture( and a second .setCapture(.
# max-detect-ips only.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt"; flow:to_server,established; file_data; content:".applyElement"; content:".onlosecapture"; within:500; fast_pattern; content:".setCapture"; within:500; content:".setCapture"; within:500; pcre:"/\x2eapplyElement\s*\x28\s*(?P<var>\w+)\s*\x29.*?(?P=var)\x2eonlosecapture\s*=.*?(?P=var)\x2esetCapture\s*\x28.*?\x2esetCapture\s*\x28/smiO"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,62453; reference:cve,2013-3893; reference:url,technet.microsoft.com/en-us/security/advisory/2887505; classtype:attempted-user; sid:27944; rev:11;)
# sid 27943 (commented out): CVE-2013-3893 (Microsoft advisory 2887505) onlosecapture memory corruption, server->client over
# ftp-data/http/imap/pop3 (file_data). Client-side twin of sid 27944 with identical detection options (case-sensitive
# .applyElement / .onlosecapture / .setCapture x2 chain and the /smiO PCRE); note it is at rev:10 while the SMTP twin is rev:11.
# max-detect-ips only.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt"; flow:to_client,established; file_data; content:".applyElement"; content:".onlosecapture"; within:500; fast_pattern; content:".setCapture"; within:500; content:".setCapture"; within:500; pcre:"/\x2eapplyElement\s*\x28\s*(?P<var>\w+)\s*\x29.*?(?P=var)\x2eonlosecapture\s*=.*?(?P=var)\x2esetCapture\s*\x28.*?\x2esetCapture\s*\x28/smiO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,62453; reference:cve,2013-3893; reference:url,technet.microsoft.com/en-us/security/advisory/2887505; classtype:attempted-user; sid:27943; rev:10;)
# sid 27844 (active): CVE-2013-3845 (MS13-069) CTreePos use-after-free, inbound SMTP file_data. Pure nocase content chain, no PCRE and
# no explicit fast_pattern: document.getElementsByTagName -> ("textarea") within 12 -> innerHTML within 75 -> <blockcode> within 25
# -> document.getElementsByTagName within 60 -> ("textarea") within 12 -> <textarea><script> within 200.
# Drops in balanced, security and max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos object use-after-free attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagName"; nocase; content:"|28 22|textarea|22 29|"; within:12; nocase; content:"innerHTML"; within:75; nocase; content:"<blockcode>"; within:25; nocase; content:"document.getElementsByTagName"; within:60; nocase; content:"|28 22|textarea|22 29|"; within:12; nocase; content:"<textarea><script>"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3845; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-069; classtype:attempted-user; sid:27844; rev:7;)
# sid 27843 (active): CVE-2013-3845 (MS13-069) CTreePos use-after-free, server->client over ftp-data/http/imap/pop3 (file_data).
# Client-side twin of sid 27844: the same nocase chain getElementsByTagName("textarea") -> innerHTML -> <blockcode> ->
# getElementsByTagName("textarea") -> <textarea><script>, no PCRE. Drops in balanced, security and max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos object use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName"; nocase; content:"|28 22|textarea|22 29|"; within:12; nocase; content:"innerHTML"; within:75; nocase; content:"<blockcode>"; within:25; nocase; content:"document.getElementsByTagName"; within:60; nocase; content:"|28 22|textarea|22 29|"; within:12; nocase; content:"<textarea><script>"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3845; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-069; classtype:attempted-user; sid:27843; rev:6;)
# sid 27838 (active): CVE-2013-3205 (MS13-069) CDisplayPointer use-after-free, inbound SMTP file_data.
# Fast pattern is the literal <body onbeforeeditfocus=eval( ; the other nocase contents follow one exploit layout with fixed
# distance+within gaps: document.write( -> catch (err) -> document.body.contentEditable -> document.execCommand( ->
# document.body.innerHTML += -> catch (err). The two catch (err) matches are the same bytes, written once literally and once
# with hex-escaped parentheses. The fixed offsets make this layout-specific; sid 29035 is the generic PCRE-based rule for this CVE.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDisplayPointer use after free attempt"; flow:to_server,established; file_data; content:"document.write|28|"; nocase; content:"catch (err)"; within:25; distance:5; nocase; content:"document.body.contentEditable"; within:75; distance:20; nocase; content:"document.execCommand|28|"; within:55; distance:25; nocase; content:"document.body.innerHTML +="; within:55; distance:200; nocase; content:"catch |28|err|29|"; within:25; distance:5; nocase; content:"|3C|body onbeforeeditfocus=eval|28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3205; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-069; classtype:attempted-user; sid:27838; rev:5;)
# sid 27837 (active): CVE-2013-3205 (MS13-069) CDisplayPointer use-after-free, server->client over ftp-data/http/imap/pop3 (file_data).
# Client-side twin of sid 27838: fast pattern <body onbeforeeditfocus=eval( plus the fixed-offset nocase chain document.write( ->
# catch (err) -> document.body.contentEditable -> document.execCommand( -> document.body.innerHTML += -> catch (err).
# Layout-specific by construction; sid 29034 is the generic PCRE-based client-side rule for this CVE.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDisplayPointer use after free attempt"; flow:to_client,established; file_data; content:"document.write|28|"; nocase; content:"catch |28|err|29|"; within:25; distance:5; nocase; content:"document.body.contentEditable"; within:75; distance:20; nocase; content:"document.execCommand|28|"; within:55; distance:25; nocase; content:"document.body.innerHTML +="; within:55; distance:200; nocase; content:"catch |28|err|29|"; within:25; distance:5; nocase; content:"|3C|body onbeforeeditfocus=eval|28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3205; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-069; classtype:attempted-user; sid:27837; rev:5;)
# sid 27616 (active): CVE-2013-3184 (MS13-059) MoveToMarkupPointer / CControlTracker::OnExitTree use-after-free, inbound SMTP file_data.
# Fast pattern is the literal body.contentEditable (case-sensitive). Nocase contents: .innerText=, "false", then execCommand within 200
# and InsertImage with distance:2 within:11 -- an 11-byte pattern in an 11-byte window, so it must start exactly two bytes after
# execCommand (i.e. execCommand("InsertImage). Drops in balanced, security and max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer MoveToMarkupPointer call with CControlTracker OnExitTree use-after-free attempt"; flow:to_server,established; file_data; content:".innerText="; nocase; content:"body.contentEditable"; fast_pattern:only; content:"false"; nocase; content:"execCommand"; within:200; nocase; content:"InsertImage"; within:11; distance:2; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-059; classtype:attempted-user; sid:27616; rev:5;)
# sid 27615 (active): CVE-2013-3184 (MS13-059) MoveToMarkupPointer / CControlTracker::OnExitTree use-after-free, server->client over
# ftp-data/http/imap/pop3 (file_data). Client-side twin of sid 27616: fast pattern body.contentEditable, nocase .innerText=, "false",
# execCommand within 200, InsertImage exactly two bytes after execCommand (distance:2 within:11 for an 11-byte pattern).
# Drops in balanced, security and max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer MoveToMarkupPointer call with CControlTracker OnExitTree use-after-free attempt"; flow:to_client,established; file_data; content:".innerText="; nocase; content:"body.contentEditable"; fast_pattern:only; content:"false"; nocase; content:"execCommand"; within:200; nocase; content:"InsertImage"; within:11; distance:2; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-059; classtype:attempted-user; sid:27615; rev:6;)
# sid 27172 (active): CVE-2013-3163 (MS13-055) use-after-free, inbound SMTP file_data.
# Nocase contents: document.createElement( -> document.body.appendChild( within 100 -> applyElement( within 100 (fast pattern) -> innerHTML within 100.
# PCRE requires one variable created via document.createElement to be the argument of both appendChild and applyElement,
# followed by innerHTML = "" (empty quoted string). Drops in balanced, security and max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"document.createElement("; nocase; content:"document.body.appendChild("; within:100; nocase; content:"applyElement("; within:100; fast_pattern; nocase; content:"innerHTML"; within:100; nocase; pcre:"/var\s*?(?P<badelement>\w+)\s*?=\s*?document\.createElement.*?document\.body\.appendChild[\x28]\s*?(?P=badelement)\s*?[\x29].*?applyElement[\x28]\s*?(?P=badelement)\s*?[\x29].*?innerHTML\s*?=\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27172; rev:5;)
# sid 27171 (active): CVE-2013-3163 (MS13-055) use-after-free, server->client over ftp-data/http/imap/pop3 (file_data).
# Client-side twin of sid 27172: nocase createElement( -> appendChild( -> applyElement( (fast pattern) -> innerHTML, plus the PCRE
# requiring the same created element in appendChild and applyElement and then innerHTML = "". Drops in balanced, security and max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"document.createElement("; nocase; content:"document.body.appendChild("; within:100; nocase; content:"applyElement("; within:100; fast_pattern; nocase; content:"innerHTML"; within:100; nocase; pcre:"/var\s*?(?P<badelement>\w+)\s*?=\s*?document\.createElement.*?document\.body\.appendChild[\x28]\s*?(?P=badelement)\s*?[\x29].*?applyElement[\x28]\s*?(?P=badelement)\s*?[\x29].*?innerHTML\s*?=\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27171; rev:6;)
# sid 27153 (active): CVE-2013-3163 (MS13-055) use-after-free, inbound SMTP file_data. Fast pattern is the literal myObj[0].offset
# (a specific variable name; samples that rename it are not matched). Then nocase document.getElementsByName( ->
# document.execCommand("Justify within 200 -> document.execCommand( within 100 -> SelectAll exactly one byte after it (distance:1 within:9).
# sid 27152 covers the SelectAll call appearing before getElementsByName. Drops in balanced, security and max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"myObj[0].offset"; fast_pattern:only; content:"document.getElementsByName("; nocase; content:"document.execCommand(|22|Justify"; within:200; nocase; content:"document.execCommand("; within:100; nocase; content:"SelectAll"; within:9; distance:1; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27153; rev:5;)
# sid 27152 (active): CVE-2013-3163 (MS13-055) use-after-free, inbound SMTP file_data. Fast pattern is the literal myObj[0].offset.
# Nocase order: document.execCommand( -> SelectAll one byte later (distance:1 within:9) -> document.getElementsByName( within 200
# -> document.execCommand("Justify within 200. Same contents as sid 27153 in the alternate source order.
# Drops in balanced, security and max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"myObj[0].offset"; fast_pattern:only; content:"document.execCommand("; nocase; content:"SelectAll"; within:9; distance:1; nocase; content:"document.getElementsByName("; within:200; nocase; content:"document.execCommand(|22|Justify"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27152; rev:6;)
# sid 27151 (active): CVE-2013-3163 (MS13-055) use-after-free, server->client over ftp-data/http/imap/pop3 (file_data).
# Client-side twin of sid 27153: fast pattern myObj[0].offset, then nocase getElementsByName( -> execCommand("Justify within 200
# -> execCommand( within 100 -> SelectAll one byte later. Drops in balanced, security and max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"myObj[0].offset"; fast_pattern:only; content:"document.getElementsByName("; nocase; content:"document.execCommand(|22|Justify"; within:200; nocase; content:"document.execCommand("; within:100; nocase; content:"SelectAll"; within:9; distance:1; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27151; rev:6;)
# sid 27150 (active): CVE-2013-3163 (MS13-055) use-after-free, server->client over ftp-data/http/imap/pop3 (file_data).
# Client-side twin of sid 27152: fast pattern myObj[0].offset, then nocase execCommand( -> SelectAll one byte later ->
# getElementsByName( within 200 -> execCommand("Justify within 200. Drops in balanced, security and max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"myObj[0].offset"; fast_pattern:only; content:"document.execCommand("; nocase; content:"SelectAll"; within:9; distance:1; nocase; content:"document.getElementsByName("; within:200; nocase; content:"document.execCommand(|22|Justify"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27150; rev:7;)
# sid 26848 (commented out): flags a <meta ... content="IE=EmulateIE7"> directive in server->client file content over ftp-data/http/imap/pop3.
# No CVE or bulletin is referenced. The matched value is a document-compatibility setting that legitimate pages also use, so this
# is an indicator that content requests IE7 rendering mode rather than an exploit signature; expect volume if enabled. max-detect-ips only.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 7 emulation via meta tag"; flow:to_client,established; file_data; content:"<meta "; content:"content=|22|IE=EmulateIE7|22|"; within:200; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:26848; rev:7;)
# sid 26584 (commented out): CVE-2012-0172 (MS12-023) VML reference counting use-after-free, inbound SMTP file_data.
# Matches the VML namespace import: <?IMPORT namespace=" followed by implementation="#default#VML"> within 50 (both nocase).
# This is the generic VML import construct rather than an exploit-specific pattern, so the rule is broad by design. security/max-detect drop.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt"; flow:to_server,established; file_data; content:"|3C 3F|IMPORT namespace=|22|"; nocase; content:"implementation=|22|#default#VML|22 3E|"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,52906; reference:cve,2012-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-023; classtype:attempted-user; sid:26584; rev:7;)
# sid 25986 (commented out): CVE-2010-0806 (MS10-018) userdata behavior memory corruption, inbound SMTP file_data.
# Nocase contents: <script>, .style.behavior, #default#userData, setAttribute( and a closing </script>. The PCRE requires the same
# object X in X.style.behavior = "url('#default#userData')" and a later X.setAttribute(<name>, <identifier>).
# Companion sids 25985/25984 match a sample-specific string instead of this structural pattern. security/max-detect drop.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_server,established; file_data; content:"|3C|script|3E|"; nocase; content:"|2E|style|2E|behavior"; nocase; content:"|23|default|23|userData"; distance:0; nocase; content:"setAttribute|28|"; pcre:"/(?P<obj>[A-Z\d_]+)\x2Estyle\x2Ebehavior\s*\x3D\s*\x22url\x28\x27\x23default\x23userData\x27\x29\x22.*?(?P=obj)\x2EsetAttribute\x28[^,]+,\s*[A-Z]/smi"; content:"|3C 2F|script|3E|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25986; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_server,established; file_data; content:"|6F 48 6F 6D 65 39 36 44 43 47 6F 48 6F 6D 65 38 33 38 33 47|"; fast_pattern:only; content:"|3C|script"; nocase; content:"addBehavior|28|"; nocase; content:"|23|default|23|userData"; within:30; nocase; content:"setAttribute|28|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25985; rev:9;)
# sid:25984 — the fast pattern is the hex literal 6F 48 6F 6D 65 ... 47, i.e. the string
# "oHome96DCGoHome8383G" lifted from one specific sample; the addBehavior( / #default#userData /
# setAttribute( contents only run after that literal is found, so this is a sample signature rather
# than a generic detector for CVE-2010-0806. sid:25985 is its smtp twin; sid:25986 (smtp only)
# covers the same CVE with a back-referencing pcre and no sample string.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|6F 48 6F 6D 65 39 36 44 43 47 6F 48 6F 6D 65 38 33 38 33 47|"; fast_pattern:only; content:"|3C|script"; nocase; content:"addBehavior|28|"; nocase; content:"|23|default|23|userData"; within:30; nocase; content:"setAttribute|28|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25984; rev:9;)
# sid:25329 — the anchor is the bare word "table"; the two negated contents carve out neighbours
# that would otherwise anchor falsely: content:!"."; within:1 rejects "table." (property access)
# and content:!"selec"; within:5; distance:-10 rejects "selectable" (the five bytes that end ten
# bytes before the end of the match are exactly the five bytes preceding "table"). clip / position /
# absolute must then follow within the stated windows. With such a common anchor and no
# fast_pattern on a rarer token this is a broad heuristic, consistent with it being listed for
# max-detect-ips only.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS style memory corruption attempt"; flow:to_client,established; file_data; content:"table"; content:!"."; within:1; content:!"selec"; within:5; distance:-10; content:"clip"; within:120; nocase; content:"position"; within:120; nocase; content:"absolute"; within:80; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3962; reference:url,technet.microsoft.com/en-us/security/advisory/2458511; classtype:attempted-user; sid:25329; rev:8;)
# sid:25320 — a single fast_pattern:only content; the hex literal decodes to
#   "p")[0].removeAttribute('xmlns:o
# so the rule is an exact excerpt of one sample (element "p", single quotes, the "xmlns:o" prefix)
# and any re-quoting or renaming in a variant misses it. Its classtype is attempted-dos while
# sid:23278, the other MS12-044 rule in this file, uses attempted-user — check that the difference
# is intended, because it changes alert priority.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer nonexistent attribute removal memory corruption attempt"; flow:to_client,established; file_data; content:"|22 70 22 29 5B 30 5D 2E 72 65 6D 6F 76 65 41 74 74 72 69 62 75 74 65 28 27 78 6D 6C 6E 73 3A 6F|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1524; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-044; classtype:attempted-dos; sid:25320; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Marquee stylesheet object removal"; flow:to_client,established; file_data; content:"marquee"; fast_pattern:only; pcre:"/getElementById\s*\x28\s*[\x22\x27](?P<id>[^\x22\x27]*?)[\x22\x27]\s*\x29\.remove.*?<\s*marquee[^>]*?id\s*=\s*[\x22\x27](?P=id)[\x22\x27]/ims"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49966; reference:cve,2011-2001; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-081; classtype:attempted-user; sid:25226; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Marquee stylesheet object removal"; flow:to_client,established; file_data; content:"marquee"; fast_pattern:only; pcre:"/<\s*marquee\s*([^>]*?height\s*=\s*[\x22\x27]?0[^\d]|>\s*<\s*\/\s*marquee\s*>|[^>]*?id\s*=\s*[\x22\x27](?P<id>[^\x22\x27]*?)[\x22\x27].*?getElementById\s*\x28\s*[\x22\x27](?P=id)[\x22\x27]\s*\x29\.remove)/ims"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49966; reference:cve,2011-2001; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-081; classtype:attempted-user; sid:25225; rev:10;)
# sid:25078 — every content is a verbatim line from a proof of concept: the fast pattern is
# "while( str2.length < 0x10000000)" and the chain then requires "if (str1.length < 0x40000000)"
# and "setTimeout(poc, 10)" — variable names str1/str2/poc and the exact spacing included. Treat it
# as a signature for that PoC (CVE-2012-2523, MS12-052/MS12-056), not as coverage of the
# sign-extension bug itself.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer sign extension vulnerability exploitation attempt"; flow:to_client,established; file_data; content:"while|28| str2.length < 0x10000000|29|"; fast_pattern:only; content:"if |28|str1.length < 0x40000000|29|"; nocase; content:"setTimeout|28|poc, 10|29|"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2523; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-052; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-056; classtype:attempted-user; sid:25078; rev:8;)
# sid:24872 — keyed on the literal "body.mergeAttributes(body)" followed by "body.swapNode(body)".
# sid:24871 (smtp, "redhat"), sid:24870 (http, "body") and sid:24869 (http, "redhat") are the same
# pattern with the variable name swapped, i.e. four sample-derived signatures for CVE-2010-0247 /
# CVE-2011-0094. All four carry classtype:misc-activity, which with the stock classification.config
# is priority 3 versus priority 1 for the attempted-user used by the other memory-corruption rules
# in this file; when enabled, hits will rank low unless that is overridden.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_server,established; file_data; content:"body.mergeAttributes|28|body|29|"; fast_pattern:only; content:"body.swapNode|28|body|29|"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24872; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_server,established; file_data; content:"redhat.mergeAttributes|28|redhat|29|"; fast_pattern:only; content:"redhat.swapNode|28|redhat|29|"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24871; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:"body.mergeAttributes|28|body|29|"; fast_pattern:only; content:"body.swapNode|28|body|29|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24870; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:"redhat.mergeAttributes|28|redhat|29|"; fast_pattern:only; content:"redhat.swapNode|28|redhat|29|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24869; rev:6;)
# sid:24252 — a broad heuristic: any page with a <script> block that calls execCommand( and, later,
# an onselect= attribute satisfies the four distance:0 chained contents, with no pcre or
# fast_pattern narrowing it. Expect hits on legitimate rich-text editing code if enabled; the
# companion rules sid:24212 / sid:24210 pin the selectAll argument. execCommand( is the only
# content without nocase — presumably deliberate, since the JavaScript identifier is case-sensitive.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer execCommand use embedded within javascript tags"; flow:to_client,established; file_data; content:"<script>"; nocase; content:"execCommand("; distance:0; content:"</script>"; distance:0; nocase; content:"onselect="; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-4969; classtype:attempted-user; sid:24252; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt"; flow:to_client,established; file_data; content:"body"; nocase; content:"onselect="; within:50; nocase; content:"selectAll"; fast_pattern:only; content:"document.write"; nocase; content:"execCommand"; nocase; pcre:"/execCommand\x28\s*?[\x22\x27]selectAll[\x22\x27]\s*?\x29/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-4969; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-063; classtype:attempted-user; sid:24212; rev:9;)
# sid:24210 — the only reference is the AlienVault write-up; unlike sid:24212, which covers the same
# exploit, it has no reference:cve,2012-4969 or MS12-063 entry, so correlation by CVE will miss this
# sid. Adding those references is a documentation-only change worth making. Detection is the
# literal execCommand("selectAll") (double quotes only — sid:24212's pcre also accepts single
# quotes) plus a body tag carrying both onload and onselect.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt"; flow:to_client,established; file_data; content:"execCommand(|22|selectAll|22|)"; fast_pattern:only; content:"onload="; nocase; content:"onselect="; within:50; nocase; pcre:"/body[^>]*?onload[^>]*?onselect/i"; metadata:policy max-detect-ips drop, service http; reference:url,labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/; classtype:attempted-user; sid:24210; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt"; flow:to_client,established; file_data; content:"<object"; nocase; content:"align="; within:60; nocase; content:"width"; within:100; distance:-50; nocase; content:!"height"; within:200; distance:-100; nocase; content:!"hspace"; within:200; distance:-100; nocase; content:"dir="; nocase; content:"margin"; nocase; pcre:"/<[^>]*?style\s*[>=].{1,1024}margin\s*\x3a\s*[^\x3b\x7d]*?-\d+.*?[\x7b\x3b]/ims"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,54950; reference:cve,2012-1526; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:23836; rev:15;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer asynchronous code execution attempt"; flow:to_server,established; file_data; content:"font-face"; nocase; content:"font-family"; distance:0; nocase; content:"src"; distance:0; nocase; content:"url|28|"; within:30; nocase; content:"mailto|3A|"; within:12; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-2521; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:23835; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer asynchronous code execution attempt"; flow:to_client,established; file_data; content:"font-face"; nocase; content:"font-family"; distance:0; nocase; content:"src"; distance:0; nocase; content:"url|28|"; within:30; nocase; content:"mailto|3A|"; within:12; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2521; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:23834; rev:10;)
# sid:23609 — the contents after the .getClientRects() fast pattern are verbatim PoC lines (the
# for(n=0;n<tList.length;n++){ loop, the tBodies[0].appendChild(document.createElement('tr')) and
# removeChild(...children[0]) calls), so the variable names tList/n and the exact spelling are part
# of the signature. sid:23123 is the pcre-based rule for the same CVE-2012-1880 and does not depend
# on those names.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt"; flow:to_client,established; file_data; content:".getClientRects|28 29|"; fast_pattern:only; content:"for|28|n=0|3B|n<tList.length|3B|n++|29 7B|"; content:"tList|5B|n|5D|.tBodies|5B|0|5D|.appendChild|28|document.createElement|28 27|tr|27 29 29|"; content:"tList|5B|n|5D|.removeChild|28|tList|5B|n|5D|.children|5B|0|5D 29|"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-1880; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23609; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt"; flow:to_client,established; file_data; content:".getElement"; nocase; content:"iframe"; within:25; nocase; content:".onreadystatechange"; within:75; fast_pattern; nocase; pcre:"/\x2eonreadystatechange\s*=\s*(?P<del_func>\w+)\s*\x3b.*?function\s+(?P=del_func)\s*\x28[^\x7b]*?\x7b[^\x7d]*?\x2e(?:innerHTML\s*=|outerHTML\s*=|write)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52904; reference:cve,2012-0170; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-023; classtype:attempted-user; sid:23285; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer corrupted HROW instance write access violation attempt"; flow:to_client,established; file_data; content:".cachesize"; fast_pattern:only; content:".recordset"; nocase; content:".move"; distance:0; nocase; pcre:"/\x2EcacheSize\s*=\s*-{0,1}0x.*?\x2EMove/si"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1891; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-045; classtype:attempted-user; sid:23280; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer nested list memory corruption attempt"; flow:to_client,established; file_data; content:"document.body.innerHTML"; fast_pattern:only; content:"<span>"; nocase; content:"<table"; distance:0; nocase; content:"<script>"; distance:0; nocase; pcre:"/(<span>.*?(<[uo]l[^>]*?>.*?){6,}<table[^>]*?>.*?<script[^>]*?>[^\x3b]*?innerHTML\s*=[^\x3b]*?\x3b)|(<script>.*?function\s+(?P<function>[a-z_-]+)\x28\x29\s+\{.*?document\.body\.innerHTML\s*=[^\x3b]*?\x3b.*?<span>.*?(<[uo]l[^>]*?>.*?){6,}<table[^>]*?>.*?<script[^>]*?>\s*(?P=function)\x28\x29\x3b)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-1522; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-044; classtype:attempted-user; sid:23278; rev:9;)
# sid:23137 — the fast pattern here is "<style", which nearly every HTML mail body contains, so the
# heavyweight pcre (alternations of nested lazy quantifiers with {1,} / {3,} repeats) is evaluated
# on almost all traffic the rule sees. The file_data twin sid:23136 anchors on "toStaticHTML"
# instead, a far rarer token, and carries the identical pcre; consider whether the same anchor is
# usable on the smtp side before enabling this one.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft multiple product toStaticHTML XSS attempt"; flow:to_server,established; file_data; content:"<style"; fast_pattern:only; pcre:"/<\s*style\s*>\s*\w+\s*\{\s*(\w+|\w+-\w+)\s*\:\s*\w+\s*\(.*?(\s*\x27\s*|\s*\&\#39\;\s*|\s*\&\#x27\;\s*|\s*\\u0027\;\s*){1}.*?\)\s*(\s*\x27\s*|\s*\&\#39\;\s*|\s*\&\#x27\;\s*|\s*\\u0027\;\s*){3,}.*?\}|(\s*\x27\s*|\s*\&\#39\;\s*|\s*\&\#x27\;\s*|\s*\\u0027\;\s*){1,}.*?\}\s*(\s*\x27\s*|\s*\&\#39\;\s*|\s*\&\#x27\;\s*|\s*\\u0027\;\s*){3,}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-1858; reference:cve,2012-2520; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-039; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-066; classtype:attempted-user; sid:23137; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft multiple product toStaticHTML XSS attempt"; flow:to_client,established; file_data; content:"toStaticHTML"; fast_pattern:only; pcre:"/<\s*style\s*>\s*\w+\s*\{\s*(\w+|\w+-\w+)\s*\:\s*\w+\s*\(.*?(\s*\x27\s*|\s*\&\#39\;\s*|\s*\&\#x27\;\s*|\s*\\u0027\;\s*){1}.*?\)\s*(\s*\x27\s*|\s*\&\#39\;\s*|\s*\&\#x27\;\s*|\s*\\u0027\;\s*){3,}.*?\}|(\s*\x27\s*|\s*\&\#39\;\s*|\s*\&\#x27\;\s*|\s*\\u0027\;\s*){1,}.*?\}\s*(\s*\x27\s*|\s*\&\#39\;\s*|\s*\&\#x27\;\s*|\s*\\u0027\;\s*){3,}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1858; reference:cve,2012-2520; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-039; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-066; classtype:attempted-user; sid:23136; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"|5D|.fireEvent|28|"; fast_pattern:only; content:"document.getElementsByTagName|28|"; nocase; content:"<div "; nocase; content:"<img "; within:200; nocase; content:"<div "; within:200; nocase; content:".innerHTML"; distance:0; nocase; pcre:"/<img[^>]+id\s*=\s*(?P<q1>\x22|\x27|)(?P<id>[^\x22\x27\x20]+)(?P=q1)[^>]*?>.*?<div[^>]+id\s*=\s*(\x22|\x27|)(?P=id)/smi"; pcre:"/<div[^>]+id\s*=\s*(\x22|\x27|)(?P<id>[^\x22\x27\x20\x3E]+)[^>]*>.*?(?P=id)\.innerHTML/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53847; reference:cve,2012-1875; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23125; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_client,established; file_data; content:"table-layout|3A|"; fast_pattern; nocase; content:"fixed"; within:7; nocase; pcre:"/<\s*script.*?(?P<var>\w+)\s*=\s*document\.getElementById\s*\x28\s*[\x22\x27](?P<col_id>[^\x22\x27]+)[\x22\x27]\s*\x29.*?((?P=var)\.span.*?<\s*table.*?<col[^>]*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?>.*?<\s*\/\s*table\s*>|<\s*col.*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?span\s*=\s*[\x22\x27]?\d)/ims"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:23124; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt"; flow:to_client,established; file_data; content:".getBoundingClientRect|28 29|"; fast_pattern:only; content:".insertAdjacentElement"; nocase; content:".insertRow|28 29|"; nocase; pcre:"/document.getElementById\x28\x22(?P<dfnelement>\w+?)\x22\x29\x2einsertAdjacentElement.*document.getElementById\x28\x22\w+?\x22\x29.getBoundingClientRect\x28\x29.*?document.getElementById\x28\x22\w+?\x22\x29.insertRow\x28\x29.*?\x3cdfn id\x3d\x22(?P=dfnelement)\x22\x3e/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1880; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23123; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer center element dynamic manipulation attempt"; flow:to_client,established; file_data; content:"|3C|script|3E|"; nocase; content:"getElementsByTagName"; fast_pattern:only; content:"center"; nocase; content:"appendChild"; nocase; pcre:"/var (?P<centerelement>\w+)\s*\x3D\s*document\x2EgetElementsByTagName\x28\x22center\x22\x29.*?(?P=centerelement)\x5B\w+?\x5D\x2EappendChild\x28/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1523; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23121; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer console object use after free attempt"; flow:to_client,established; file_data; content:"console."; fast_pattern:only; content:"CollectGarbage|28 29|"; nocase; content:"alert|28|"; nocase; pcre:"/\x7B\s*?(?P<consoleobject>\w+?)\s*\x3d\s*console\x2e(?=log|error).*?console\s*?\x3d\s*?[^\x3b]*?\x3b.*?CollectGarbage\x28\x29.*?alert\x28(?P=consoleobject)\x29/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-1874; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23118; rev:9;)
# sid:23117 — matches the legacy IE <script for="..." event="onpropertychange"> binding syntax;
# that construct appears in ordinary pre-HTML5 IE-only code, so when enabled it will fire on
# benign legacy pages as well as exploit pages. Only the attribute form is covered: a page that
# assigns the handler from script (the fast pattern "onpropertychange" hits, the pcre does not)
# produces no alert.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 DOM element use after free attempt"; flow:to_client,established; file_data; content:"onpropertychange"; fast_pattern:only; pcre:"/<script[^>]*?for\s*=\s*[\x22\x27]?.*?event\s*=\s*[\x22\x27]?onpropertychange[\x22\x27]?[^>]*?>/ims"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-1877; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:23117; rev:9;)
# sid:23116 — the pcre ends in /i only, whereas the sibling expressions in this file use /smi or
# /ims. Without s, "." does not cross a newline, so the whole attachEvent -> fireEvent -> fireEvent
# -> function ... removeChild sequence has to sit on one line for the expression to match; a
# normally formatted multi-line script is missed. This looks unintended — confirm and add the s
# (and m) flags if so. The fast pattern "srcElement.parentNode.removeChild" remains a good anchor.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNode use after free attempt"; flow:to_client,established; file_data; content:"srcElement.parentNode.removeChild"; fast_pattern:only; pcre:"/\w+\.getElementById\(.*?\)\.attachEvent\(\s*(?P<q1>[\x22\x27]?)(?P<eventid>.*?)(?P=q1)\s*,\s*(?P<repro>\w+)\s*\)\;.*?var\s+(?P<target>\w+)\s*=\s*\w+\.getElementById\(.*?\)\;.*?(?P=target)\.fireEvent\(\s*(?P<q2>[\x22\x27]?)(?P=eventid)(?P=q2)\s*\)\;.*?(?P=target)\.fireEvent\(\s*(?P<q3>[\x22\x27]?)(?P=eventid)(?P=q3)\s*\)\;.*?function\s+(?P=repro)\s*\(\s*(?P<arg>\w+)\s*\)\s*{.*?(?P=arg)\.srcElement\.parentNode\.removeChild\(\s*(?P=arg)\.srcElement\s*\)\;.*?}/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-1878; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23116; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt"; flow:to_client,established; file_data; content:"style.position"; fast_pattern:only; content:"<script>"; content:"focus"; nocase; pcre:"/(?P<ElementName>\w+)\.focus\s*\x28\s*(?P=ElementName)\s*\x29.*?(?P=ElementName)\.style\.position\s*=\s*[\x27\x22\s]/ims"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0011; reference:cve,2012-0155; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-010; classtype:attempted-dos; sid:23060; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SelectAll dangling pointer use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand|28|'selectAll'|29|"; nocase; content:"document.execCommand|28|'selectAll'|29|"; distance:0; nocase; content:"<body onload"; distance:0; nocase; content:"onbeforedeactivate="; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; classtype:attempted-user; sid:22038; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt"; flow:to_client,established; file_data; content:"<iframe"; nocase; content:"onreadystatechange"; within:75; fast_pattern; nocase; pcre:"/function\s+(?P<del_func>\w+)\s*\x28[^\x7b]*?\x7b[^\x7d]*?\x2e(?:innerHTML\s*=|outerHTML\s*=|write).*?<iframe[^>]+onreadystatechange\s*=\s*[\x22\x27]\s*(?P=del_func)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52904; reference:cve,2012-0170; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-023; classtype:attempted-user; sid:21796; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt"; flow:to_client,established; file_data; content:"|3C 3F|IMPORT namespace=|22|"; nocase; content:"implementation=|22|#default#VML|22 3E|"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52906; reference:cve,2012-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-023; classtype:attempted-user; sid:21793; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer writing-mode property memory corruption attempt"; flow:to_client,established; file_data; content:"table"; nocase; content:"span"; within:50; nocase; content:"writing-mode"; within:50; nocase; content:">"; within:50; content:"table"; within:50; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36616; reference:cve,2009-2531; classtype:attempted-user; sid:21392; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 null character in string information disclosure attempt"; flow:to_client,established; file_data; content:"http-equiv=|22|X-UA-Compatible|22|"; nocase; content:"content=|22|IE=9|22|"; fast_pattern:only; content:"|5C|u0000"; nocase; pcre:"/\x3Cmeta\s*http\x2Dequiv\x3D\x22X\x2DUA\x2DCompatible\x22[^\x3E]*content\x3D\x22IE\x3D9\x22.*?var\s*\w+\s*\x3D\s*\x22[^\x22]*\x5Cu0000/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0012; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-010; classtype:attempted-recon; sid:21300; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt"; flow:to_client,established; file_data; content:"style.position"; fast_pattern:only; content:"cloneNode"; nocase; pcre:"/var\s*(?P<v1>\w+).*?var\s*(?P<v2>\w+)\s*=\s*(?P=v1)\.cloneNode.*?\.focus\s*\x28\s*(?P=v2)\s*\x29.*?style\.position\s*=\s*[\x27\x22\s]/ims"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0011; reference:cve,2012-0155; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-010; classtype:attempted-dos; sid:21292; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption"; flow:to_client,established; file_data; content:"fromCharCode|28|parseInt|28|"; fast_pattern:only; content:"|22|.replace|28 2F 5B|A-Z|5D 2F|g,|22 22 29|]"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:21086; rev:11;)
# sid:20822 — a pure indicator match: one fast_pattern:only content, the literal
# "TTu0d0fu0d0eKKJJu0d0du0d0dLL1043416UU" lifted from a sample, and nothing else. High precision,
# no generalisation; the structural coverage for CVE-2011-1255 lives in sids 20804-20811 and 20766
# (#default#time2 + schemas-microsoft-com:time + contenteditable + the :switch / :animate / :set /
# :transitionFilter element). This rule also lacks the MS11-050 reference:url those siblings carry.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt malicious string"; flow:to_client,established; file_data; content:"TTu0d0fu0d0eKKJJu0d0du0d0dLL1043416UU"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; classtype:attempted-user; sid:20822; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_client,established; file_data; content:"#default#time2"; fast_pattern:only; content:"schemas-microsoft-com:time"; nocase; content:"contenteditable"; nocase; content:"|3A|switch"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20811; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_client,established; file_data; content:"#default#time2"; fast_pattern:only; content:"schemas-microsoft-com:time"; nocase; content:"contenteditable"; nocase; content:"|3A|animate"; nocase; pcre:"/^(Color|Motion)/Ri"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20810; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_client,established; file_data; content:"#default#time2"; fast_pattern:only; content:"schemas-microsoft-com:time"; nocase; content:"contenteditable"; nocase; content:"|3A|animate"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20809; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_client,established; file_data; content:"#default#time2"; fast_pattern:only; content:"schemas-microsoft-com:time"; nocase; content:"contenteditable"; nocase; content:"|3A|set"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20808; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_server,established; file_data; content:"#default#time2"; fast_pattern:only; content:"schemas-microsoft-com:time"; nocase; content:"contenteditable"; nocase; content:"|3A|switch"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20807; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_server,established; file_data; content:"#default#time2"; fast_pattern:only; content:"schemas-microsoft-com:time"; nocase; content:"contenteditable"; nocase; content:"|3A|animate"; nocase; pcre:"/^(Color|Motion)/Ri"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20806; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_server,established; file_data; content:"#default#time2"; fast_pattern:only; content:"schemas-microsoft-com:time"; nocase; content:"contenteditable"; nocase; content:"|3A|animate"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20805; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_server,established; file_data; content:"#default#time2"; fast_pattern:only; content:"schemas-microsoft-com:time"; nocase; content:"contenteditable"; nocase; content:"|3A|set"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20804; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer layout-grid-char value exploit attempt"; flow:to_server,established; file_data; content:"heapspray|28 29|"; content:"document.body.innerHTML"; nocase; content:"1000pc"; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1260; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20790; rev:12;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer layout-grid-char value exploit attempt"; flow:to_server,established; file_data; content:"heap_obj"; content:"document.body.innerHTML += String.fromCharCode"; nocase; content:"1000pc"; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1260; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20789; rev:12;)
# sid 20788 (CVE-2011-1260, MS11-050): client-side counterpart of sid 20789 — same three contents,
# but on $FILE_DATA_PORTS toward $HOME_NET (http, ftp-data, imap, pop3 file_data).
# Same caveat: it matches the PoC's "heap_obj" naming, not the layout-grid-char condition.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer layout-grid-char value exploit attempt"; flow:to_client,established; file_data; content:"heap_obj"; content:"document.body.innerHTML += String.fromCharCode"; nocase; content:"1000pc"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1260; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20788; rev:13;)
# sid 20787 (CVE-2011-1260, MS11-050): SMTP, file_data. After "document.body.innerHTML" the pcre
# matches a comma-separated char-code array spelling "-1000cm" in hex, octal or decimal
# (0x2d '-', 0x31 '1', 0x30 '0' x3, 0x63 'c', 0x6D 'm'), i.e. a String.fromCharCode-built value.
# The single content is the only fast-pattern candidate; the pcre does the real work.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer layout-grid-char value exploit attempt"; flow:to_server,established; file_data; content:"document.body.innerHTML"; nocase; pcre:"/(0x2d|055|45),\s*(0x31|061|49),\s*(0x30|060|48),\s*(0x30|060|48),\s*(0x30|060|48),\s*(0x63|0143|99),\s*(0x6D|0155|109)/"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1260; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20787; rev:12;)
# sid 20786 (CVE-2011-1260, MS11-050): SMTP, file_data. Finds "layout-grid-char:" and then
# byte_test reads up to 10 ASCII digits starting immediately after the colon, firing if > 9999.
# NOTE(review): the test starts at offset 0 after the colon, so a space or a leading '-' between
# the colon and the digits may not be consumed — confirm against real samples (the sibling pcre in
# sid 20787 expects a negative "-1000cm").
# NOTE(review): classtype is attempted-admin here while sids 20787/20790 for the same CVE use
# attempted-user; pick one for consistent priority.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer layout-grid-char value exploit attempt"; flow:to_server,established; file_data; content:"layout-grid-char|3A|"; nocase; byte_test:10,>,9999,0,relative,string; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1260; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-admin; sid:20786; rev:11;)
# sid 20766 (CVE-2011-1255, MS11-050): SMTP variant of the contenteditable/time2 rule keyed on a
# ":transitionFilter" element (compare sids 20805 ":animate" and 20804 ":set").
# Disabled here; drop in the max-detect-ips policy per metadata.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_server,established; file_data; content:"#default#time2"; fast_pattern:only; content:"schemas-microsoft-com:time"; nocase; content:"contenteditable"; nocase; content:"|3A|transitionFilter"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20766; rev:10;)
# sid 20634 (CVE-2011-1993, MS11-081): client-side file_data. Requires "function", "createElement"
# and "onscroll" (fast pattern), then a pcre that captures a function name (named group
# badfunction) and requires an onscroll handler assigned that same name as a string.
# NOTE(review): the ".+?" with /s spans the whole file_data buffer between the two anchors; on
# large scripts this can be expensive even though the content checks gate it.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onscroll DOS attempt"; flow:to_client,established; file_data; content:"function"; nocase; content:"createElement"; distance:0; nocase; content:"onscroll"; fast_pattern:only; pcre:"/function\s*(?P<badfunction>\w+)\s*\x28\s*\x29.+?onscroll\s*=\s*[\x22\x27]+(?P=badfunction).*?[\x22\x27]/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49947; reference:cve,2011-1993; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:20634; rev:17;)
# sid 20268 (CVE-2011-2001, MS11-081): HTTP response body. Single case-sensitive fast pattern
# "marquee.removeNode" — a call on an object literally named "marquee". Any other variable name
# for the marquee element evades it; this is a PoC signature rather than a generic check.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Marquee stylesheet object removal"; flow:to_client,established; file_data; content:"marquee|2E|removeNode"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49966; reference:cve,2011-2001; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:20268; rev:14;)
# sid 20267 (CVE-2011-2000, MS11-081): HTTP response body. Requires "document.body", "applyElement"
# (fast pattern) and "clearAttributes"; the pcre ties them together by capturing
# "var X = document.body" and requiring a later "applyElement( X" on that same variable.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer circular reference exploit attempt"; flow:to_client,established; file_data; content:"document|2E|body"; nocase; content:"applyElement"; fast_pattern; nocase; content:"clearAttributes"; nocase; pcre:"/var\s+(\w+)\s*=\s*document\x2Ebody.+applyElement\x28\s*\1/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49965; reference:cve,2011-2000; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:20267; rev:13;)
# sid 20266 (CVE-2011-1999, MS11-081): HTTP response body. Looks for "<script" then ".options.add"
# and a pcre requiring the second argument of options.add() to be a negative hex literal or a
# negative decimal literal of 6 to 15 digits.
# NOTE(review): short negative decimals such as "-1" are deliberately outside the {6,15} range and
# will not match — confirm that is intended (the large-magnitude index is what the pcre targets).
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 Javascript negative option index attack attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:".options.add"; distance:0; nocase; pcre:"/options\.add\x28.*?,\s*?(\-0x[a-f0-9]+?\s*?|-[0-9]{6,15}\s*?)\x29/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49964; reference:cve,2011-1999; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:20266; rev:19;)
# sid 20265 (CVE-2011-1997, MS11-081): HTTP response body. Fast pattern "setTimeout(", then in order
# "<script", "function ", ".attributes;" and another "setTimeout(". The pcre captures a function
# name, requires a "x = null;" assignment inside it and a setTimeout() that re-invokes that function.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer null attribute DoS attempt"; flow:to_client,established; file_data; content:"setTimeout("; fast_pattern:only; content:"<script"; nocase; content:"function "; distance:0; nocase; content:".attributes|3B|"; distance:0; nocase; content:"setTimeout("; distance:0; nocase; pcre:"/function\s+?(?P<function>\w+)\s*?\([^{]*?.*?\w+\s*?=\s*?null\x3b.*?setTimeout\([^,)\x3b]*?(?P=function)\(?/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49962; reference:cve,2011-1997; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:20265; rev:15;)
# sid 20264 (CVE-2011-1996, MS11-081): client-side file_data on http/ftp-data/imap/pop3.
# Fast pattern "document.getElementById"; then "form", "document.createElement(", ".inner" and
# ".reset(" in sequence. The pcre requires an element added via .add(document.createElement(...)),
# an innerHTML/innerText assignment and a subsequent .reset() call.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer form selection reset attempt"; flow:to_client,established; file_data; content:"document.getElementById"; fast_pattern:only; content:"form"; nocase; content:"document.createElement("; distance:0; nocase; content:".inner"; distance:0; nocase; content:".reset("; distance:0; nocase; pcre:"/document.getElementById.+?(\w+\.add\(\s*document.createElement|document.createElement\(.+?\w\.add\().+?\w\.inner(HTML|Text)\s*?=[^\x3b]+?\x3b.*?\w+\.reset\(/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49961; reference:cve,2011-1996; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:20264; rev:19;)
# sid 20263 (CVE-2011-1995, MS11-081): HTTP response body. Fast pattern is the htmlfile CLSID
# 25336920-03F9-11CF-8FD0-00AA00686F13; also requires ".attributes[". The pcre captures the
# <object> id, ties it to that classid and requires a for-loop indexing <id>.attributes[.
# NOTE(review): the id capture is [A-Z\d]+ (case-insensitive), so an id containing '_' or '$'
# would not be captured and the rule would not fire.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer htmlfile null attribute access attempt"; flow:to_client,established; file_data; content:"25336920-03F9-11CF-8FD0-00AA00686F13"; fast_pattern:only; content:".attributes["; nocase; pcre:"/<object[^>]+id\s*?=\s*?[\x22\x27]?([A-Z\d]+)[\x22\x27]?[^>]+classid\s*?=\s*?[\x22\x27]?clsid\x3A25336920-03F9-11CF-8FD0-00AA00686F13[\x22\x27]?.*?\1\.attributes.*?for\s*\x28[^\x29]+\1\.attributes\x5B/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49960; reference:cve,2011-1995; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:20263; rev:16;)
# sid 20262 (CVE-2011-1993, MS11-081): second onscroll variant, client-side file_data.
# Contents: "function", "onscroll" (fast pattern), "createElement"; the pcre expects an onscroll
# assignment, a function of that name calling createElement("table"), and an onload assignment.
# NOTE(review): the named groups q1 and q2 are a single "\w" (no quantifier), so the backreferences
# only compare the FIRST character of each identifier; "onscroll = foo" followed by "function fx"
# satisfies (?P=q1). Likely meant "\w+" — verify before relying on this for precision.
# NOTE(review): two greedy ".*" with /s between anchors; expensive on large scripts.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onscroll DOS attempt"; flow:to_client,established; file_data; content:"function"; nocase; content:"onscroll"; fast_pattern:only; nocase; content:"createElement"; nocase; pcre:"/function\s+(?P<q2>\w).*onscroll\s*=\s*(?P<q1>\w).*function\s+(?P=q1).*?createElement\s*\x28\s*(?P<q3>\x22|\x27|)\s*table\s*(?P=q3)\s*\x29.*?onload\s*=\s*(?P=q2)/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49947; reference:cve,2011-1993; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:20262; rev:14;)
# sid 19910 (CVE-2011-1266, MS11-052): HTTP response body. Fast pattern is the VML namespace URN.
# The pcre requires a <v:image|imagedata|fill|stroke> element with an id and a style containing
# "#default#VML", and a later document.getElementById("<same id>").src assignment.
# NOTE(review): the pcre has "\x2Esrc\s+\x3D", i.e. at least one whitespace before '=';
# a PoC written as ".src=" would not match.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VML use after free attempt"; flow:to_client,established; file_data; content:"urn:schemas-microsoft-com:vml"; fast_pattern:only; pcre:"/<v\s*\x3a\s*(image|imagedata|fill|stroke)\s+id\s*=\s*\x22([^\x22]*)\x22[^\x3E]*style\s*=\s*\x22[^\x22]*\x23default\x23VML[^\x22]*\x22.*document\x2EgetElementById\s*\x28\s*\x22\2\x22\s*\x29\x2Esrc\s+\x3D/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48173; reference:cve,2011-1266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-052; classtype:attempted-user; sid:19910; rev:11;)
# sid 19885 (CVE-2006-4446, MS06-067): HTTP response body. Matches the literal arithmetic
# "((0x200c-4)/2)" (fast pattern) followed within 150 bytes by "(14/2)" — the exact spray-size
# expressions used by the public daxctle.ocx Spline PoC. Any reformatting of those expressions
# evades it; this is a sample signature, not a structural check on the Spline() call.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer daxctle.ocx spline method buffer overflow attempt"; flow:to_client,established; file_data; content:"|28 28|0x200c-4|29 2F|2|29|"; fast_pattern; content:"|28|14|2F|2|29|"; within:150; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4446; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-067; classtype:attempted-user; sid:19885; rev:9;)
# sid 19873 (CVE-2010-3962, advisory 2458511): HTTP response body. Anchors on a case-sensitive
# "table" and uses three negated contents as a poor-man's lookaround: the next byte must not be
# '.' or '-' (excluding e.g. "table.style" / "table-layout"), and the 5 bytes before "table" must
# not be "selec" (appears intended to exclude the word "selectable" — verify). Then "position",
# "absolute" and "clip" must appear in nearby windows (clip via a negative distance back-reach).
# Overlaps with sids 19084 and 18221, which cover the same CVE with different shapes.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS style memory corruption attempt"; flow:to_client,established; file_data; content:"table"; content:!"."; within:1; content:!"-"; within:1; content:!"selec"; within:5; distance:-10; content:"position"; within:70; nocase; content:"absolute"; within:20; nocase; content:"clip"; within:80; distance:-30; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3962; reference:url,technet.microsoft.com/en-us/security/advisory/2458511; classtype:attempted-user; sid:19873; rev:14;)
# sid 19872 (CVE-2006-0003, MS06-014 MDAC): HTTP response body. Targets the obfuscated
# eval("r=o" ... "bj" + "ect(n,'')") string-splitting used to build "CreateObject" without the
# literal token appearing; the pcre allows whitespace/newlines around the '+' concatenation.
# Signature-specific to that obfuscation pattern; other splits of the token are not covered.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer MDAC remote code execution attempt"; flow:to_client,established; file_data; content:"eval|28 22|r|3D|o|22|"; nocase; content:"ect|28|n|2C 27 27 29|"; distance:0; nocase; pcre:"/bj\x22[\x0D\x0A\s\t]*\x2b[\x0D\x0A\s\t]*\x22ect\x28n\x2C\x27\x27\x29/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-014; classtype:attempted-user; sid:19872; rev:7;)
# sid 19871 (CVE-2006-4868, MS06-055 VML): HTTP response body. Contents ".length", "<" within
# 225, "=" within 150, then "0x400000" anywhere; the pcre requires the spray padding idiom
# "x.substring( 0 , 0x100000 - y.length )" with mandatory whitespace (\s+) around each token.
# NOTE(review): because every separator is "\s+", the same expression without spaces does not
# match; treat this as a signature for the published PoC's formatting.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VML buffer overflow attempt"; flow:to_client,established; file_data; content:".length"; content:"<"; within:225; content:"="; within:150; content:"0x400000"; pcre:"/[a-z]+\.substring\x28\s+0\s+\x2c\s+0x100000\s+-\s+[a-z]+\.length\s+\x29/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-4868; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-055; classtype:attempted-user; sid:19871; rev:10;)
# sid 19814 (CVE-2009-1918, MS09-034): HTTP response body. Two literal statements from the
# public PoC: document.getElementsByName("innertable")[0] followed by
# appendChild(document.createElement('TR')). The element name "innertable" and the quote style
# are fixed, so this only catches unmodified copies of that sample.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer empty table tag memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByName(|22|innertable|22|)[0]"; nocase; content:"appendChild(document.createElement(|27|TR|27|))"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2009-1918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-034; classtype:attempted-user; sid:19814; rev:9;)
# sid 19809 (CVE-2011-1256, MS11-050): the only rule in this span that is ENABLED by default, and
# set to drop in balanced-ips, security-ips and max-detect-ips. HTTP response body: a style
# attribute carrying both "padding-left:-1000px" and "text-indent:-1000px" on the same tag.
# NOTE(review): the second CVE reference is "2012-1260"; sibling sid 19808 for the same bulletin
# cites "2011-1260" (the MS11-050 layout-grid-char issue). This looks like a year typo — confirm
# and correct the reference; it does not affect detection.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt"; flow:to_client,established; file_data; content:"style="; nocase; content:"padding-left|3A|-1000px"; distance:0; nocase; content:"text-indent|3A|-1000px"; distance:0; nocase; pcre:"/<[A-Z]+\s+[^>]*?padding-left\x3A\x2D1000px\x3B[^>]*text-indent\x3A\x2D1000px/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1256; reference:cve,2012-1260; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-050; classtype:attempted-user; sid:19809; rev:11;)
# sid 19808 (CVE-2011-1256 / CVE-2011-1260, MS11-050): HTTP response body. Looks for
# ".body.innerHTML +=" followed within 50 bytes by "function () {", then asserts at least 200
# more bytes exist (isdataat) and that no closing '}' appears in those 200 bytes — i.e. an
# unusually long anonymous function body appended via innerHTML (the spray/trigger shape).
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt"; flow:to_client,established; file_data; content:".body.innerHTML +="; nocase; content:"function |28 29| |7B|"; within:50; nocase; isdataat:200,relative; content:!"|7D|"; within:200; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1256; reference:cve,2011-1260; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-050; classtype:attempted-user; sid:19808; rev:14;)
# sid 19672 (CVE-2011-1964, MS11-057): HTTP response body. Contents "addBehavior(",
# ".onreadystatechange", ".innerHTML" in order; the pcre captures the object on which
# addBehavior() is called and requires an onreadystatechange handler whose body writes
# that same object's innerHTML (the use-after-free trigger ordering).
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer stylesheet dynamic access memory corruption attempt"; flow:to_client,established; file_data; content:"addBehavior|28|"; nocase; content:".onreadystatechange"; distance:0; nocase; content:".innerHTML"; distance:0; nocase; pcre:"/([A-Z\d_]+)\.addBehavior\x28.*?\.onreadystatechange\s*=\s*function[^\x7B]+\x7B[^\x7D]*\1\.innerHTML/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1964; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-057; classtype:attempted-user; sid:19672; rev:13;)
# sid 19671 (CVE-2011-1963, MS11-057, ATT&CK T1220): HTTP response body. Requires an "xmlns:xsl"
# declaration, an http-equiv="refresh" meta, and "onunload" (fast pattern). The pcre only accepts
# a refresh content value of 0, 1, ".N" or "1.N" — i.e. a refresh firing within ~2 seconds while
# an onunload handler is registered.
# NOTE(review): content="2" or larger is not matched by design of the alternation; confirm the
# vulnerability window actually requires a sub-2s refresh before relying on that restriction.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt"; flow:to_client,established; file_data; content:"xmlns"; nocase; content:"|3A|xsl"; within:8; nocase; content:"http|2D|equiv|3D|"; nocase; content:"refresh"; within:10; nocase; content:"onunload"; fast_pattern:only; pcre:"/http\x2dequiv\x3d\s*?[\x22\x27]\s*?refresh\s*?[\x22\x27]\s*?content\s*?\x3d\s*?[\x22\x27]\s*?((1\s*?)|(0\s*?)|(\.\d\s*?)|(1\.\d\s*?))[\x22\x27]/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49037; reference:cve,2011-1963; reference:url,attack.mitre.org/techniques/T1220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-057; classtype:attempted-user; sid:19671; rev:18;)
# sid 19670 (CVE-2011-1961, MS11-057): OUTBOUND request from $HOME_NET — fires on any HTTP URI
# containing "/telnet.exe" (case-insensitive). Intended to catch IE being coerced into fetching a
# telnet.exe from a remote (WebDAV/HTTP) path; it will also fire on legitimate downloads of a file
# by that name, so tune by destination if enabled.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer telnet.exe file load exploit attempt"; flow:to_server,established; content:"|2F|telnet.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1961; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-057; classtype:attempted-user; sid:19670; rev:12;)
# sid 19668 (CVE-2011-1961, MS11-057): SMB counterpart of sid 19670 — $HOME_NET to $HOME_NET on
# 139/445, matching the UTF-16LE, NUL-terminated filename "telnet.exe" as a fast pattern.
# Any SMB path access to a file named telnet.exe matches (including normal admin activity), and
# the rule is case-sensitive on the UTF-16 bytes; the trailing |00 00| requires the name to end there.
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"BROWSER-IE Microsoft Internet Explorer telnet.exe file load exploit attempt"; flow:to_server,established; content:"t|00|e|00|l|00|n|00|e|00|t|00|.|00|e|00|x|00|e|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2011-1961; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-057; classtype:attempted-user; sid:19668; rev:12;)
# sid 19436 (CVE-2010-3328, MS10-071): client-side file_data. Fast pattern "document.styleSheets";
# then ".rules.item(" followed within 40 bytes by ").style" — a direct style access on a rule
# fetched from the stylesheet rules collection. Legitimate CSSOM code can produce the same
# sequence, so expect some benign hits if enabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt"; flow:to_client,established; file_data; content:"document.styleSheets"; fast_pattern:only; content:".rules.item|28|"; nocase; content:"|29|.style"; within:40; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43705; reference:cve,2010-3328; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:19436; rev:14;)
# sid 19411 (CVE-2010-3330, MS10-071 cross-domain disclosure): HTTP response body. Single literal
# "alert(myLink.styleSheet.cssText)" — the exact PoC statement including the variable name
# "myLink" and the alert() sink. Any other variable or sink evades it.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Cross-Domain information disclosure attempt"; flow:to_client,established; file_data; content:"alert|28|myLink.styleSheet.cssText|29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43709; reference:cve,2010-3330; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:19411; rev:9;)
# sid 19322 (CVE-2010-3243, toStaticHTML disclosure): HTTP response body. The hex content decodes to
# "\tdocument.write(toStaticHTML(activeCode));\r\n" — a tab-indented, CRLF-terminated line from
# the public PoC. Both the leading tab and the CRLF are part of the match, so re-indented or
# LF-only copies will not fire. classtype attempted-recon (information disclosure).
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer and SharePoint toStaticHTML information disclosure attempt"; flow:to_client,established; file_data; content:"|09 64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 28 74 6F 53 74 61 74 69 63 48 54 4D 4C 28 61 63 74 69 76 65 43 6F 64 65 29 29 3B 0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3243; classtype:attempted-recon; sid:19322; rev:10;)
# sid 19266 (CVE-2011-1260, MS11-050): client-side counterpart of sid 20787 (same content and
# pcre — the "-1000cm" char-code array after document.body.innerHTML) on $FILE_DATA_PORTS for
# http/ftp-data/imap/pop3.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer layout-grid-char value exploit attempt"; flow:to_client,established; file_data; content:"document.body.innerHTML"; nocase; pcre:"/(0x2d|055|45),\s*(0x31|061|49),\s*(0x30|060|48),\s*(0x30|060|48),\s*(0x30|060|48),\s*(0x63|0143|99),\s*(0x6D|0155|109)/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1260; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19266; rev:15;)
# sid 19265 (CVE-2011-1260, MS11-050): client-side counterpart of sid 20790 — literal
# "heapspray()" plus "document.body.innerHTML" and "1000pc". Same caveat: keyed on the PoC's
# function name rather than the property value.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer layout-grid-char value exploit attempt"; flow:to_client,established; file_data; content:"heapspray|28 29|"; content:"document.body.innerHTML"; nocase; content:"1000pc"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1260; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19265; rev:16;)
# sid 19246 (CVE-2011-1261, MS11-050): client-side file_data. "expression" followed within 50
# bytes by "document.selection.empty"; the pcre pins the exact CSS form
# expression(document.selection.empty()) with optional whitespace. Note the second content is
# case-sensitive while the first and the pcre are not.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS expression defined to empty selection attempt"; flow:to_client,established; file_data; content:"expression"; nocase; content:"document.selection.empty"; within:50; pcre:"/expression\s*\x28\s*document\x2eselection\x2eempty\s*\x28\s*\x29\s*\x29/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,48210; reference:cve,2011-1261; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19246; rev:15;)
# sid 19245 (CVE-2011-1262, MS11-050): HTTP response. Detects a 302 redirect whose Location header
# points at a "cdl://" URL (the Code Download Library handler). No file_data — this is header-level.
# NOTE(review): the first content "302 " carries no http_* modifier (raw payload) while the
# second is http_header with distance:0 relative to it; confirm on the target Snort version that a
# relative match across the raw and http_header buffers evaluates as intended, or give the first
# content http_stat_code.
# NOTE(review): classtype attempted-admin differs from the attempted-user used by the other
# MS11-050 rules here.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt"; flow:to_client,established; content:"302|20|"; nocase; content:"Location|3A 20|cdl|3A 2F 2F|"; distance:0; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1262; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-admin; sid:19245; rev:10;)
# sid 19243 (CVE-2011-1260, MS11-050): client-side counterpart of sid 20786 — "layout-grid-char:"
# followed by a byte_test reading up to 10 decimal digits immediately after the colon, > 9999.
# Same caveats: no allowance for whitespace or a sign before the digits (verify against samples),
# and classtype attempted-admin vs attempted-user on sibling sids 19266/19265.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer layout-grid-char value exploit attempt"; flow:to_client,established; file_data; content:"layout-grid-char|3A|"; nocase; byte_test:10,>,9999,0,relative,string; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1260; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-admin; sid:19243; rev:16;)
# sid 19242 (CVE-2011-1264, MS11-052 VML): HTTP response body. Requires the VML namespace and the
# literal statement getElementById("tshape").imagedata.src = "a" — fixed element id "tshape",
# fixed value "a", fixed spacing. Sibling sid 19241 is the ".fill.src" form.
# Any renaming of the id or value evades it; this is a PoC signature.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows Vector Markup Language imagedata page deconstruction attempt"; flow:to_client,established; file_data; content:"schemas-microsoft-com|3A|vml"; nocase; content:"getElementById|28 22|tshape|22 29 2E|imagedata|2E|src|20 3D 20 22|a|22|"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48173; reference:cve,2011-1264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-052; classtype:attempted-admin; sid:19242; rev:13;)
# sid 19241 (CVE-2011-1264, MS11-052 VML): ".fill.src" variant of sid 19242 — same VML namespace
# check and the literal getElementById("tshape").fill.src = "a". Same PoC-specific caveat.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows Vector Markup Language imagedata page deconstruction attempt"; flow:to_client,established; file_data; content:"schemas-microsoft-com|3A|vml"; nocase; content:"getElementById|28 22|tshape|22 29 2E|fill|2E|src|20 3D 20 22|a|22|"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48173; reference:cve,2011-1264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-052; classtype:attempted-admin; sid:19241; rev:13;)
# sid 19237 (CVE-2011-1255, MS11-050): client-side counterpart of sid 20766 — the
# "#default#time2" / time namespace / contenteditable / ":transitionFilter" combination on
# $FILE_DATA_PORTS (http, ftp-data, imap, pop3).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_client,established; file_data; content:"#default#time2"; fast_pattern:only; content:"schemas-microsoft-com:time"; nocase; content:"contenteditable"; nocase; content:"|3A|transitionFilter"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19237; rev:14;)
# sid 19204 (CVE-2010-0483, MS10-022 VBScript MsgBox help file): HTTP response body. Contents
# "MsgBox", a quoted UNC prefix "\\" (fast pattern) and ".hlp\"" within 50 bytes. The pcre requires
# a variable assigned a "\\...\.hlp" string and a later MsgBox call passing that variable as the
# fourth (helpfile) argument. Sibling sid 19203 covers the literal-string form.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer MsgBox arbitrary code execution attempt"; flow:to_client,established; file_data; content:"MsgBox"; content:"|22 5C 5C|"; fast_pattern; content:".hlp|22|"; within:50; pcre:"/(^|\s)(?P<var>[^\s]+)\s*=\s*\x22\x5c\x5c[^\x22]*\x2ehlp\x22.*MsgBox\s+(\x22[^\x22]*\x22|[^,]*)\s*,\s*[0-9]*\s*,\s*(\x22[^\x22]*\x22|[^,]*)\s*,\s*(?P=var)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-022; classtype:attempted-user; sid:19204; rev:11;)
# sid 19203 (CVE-2010-0483, MS10-022): literal-argument form of sid 19204. "MsgBox", then a quoted
# UNC prefix within 300 bytes (fast pattern) and ".hlp\"" within 50; the pcre requires the
# "\\...\.hlp" string directly as MsgBox's fourth (helpfile) argument.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer MsgBox arbitrary code execution attempt"; flow:to_client,established; file_data; content:"MsgBox"; content:"|22 5C 5C|"; within:300; fast_pattern; content:".hlp|22|"; within:50; pcre:"/MsgBox\s+(\x22[^\x22]*\x22|[^,]*)\s*,\s*[0-9]*\s*,\s*(\x22[^\x22]*\x22|[^,]*)\s*,\s*\x22\x5c\x5c[^\x22]*\x2ehlp\x22/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0483; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-022; classtype:attempted-user; sid:19203; rev:11;)
# sid 19181 (CVE-2010-2556, MS10-053): client-side file_data. Single case-sensitive literal
# setTimeout('removeiframe()',0) — the PoC's function name, quote style and zero delay are all
# fixed. Anything else (double quotes, a space after the comma, another name) evades it.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer iframe uninitialized memory corruption attempt"; flow:to_client,established; file_data; content:"setTimeout|28 27|removeiframe|28 29 27 2C|0|29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42257; reference:cve,2010-2556; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-053; classtype:attempted-user; sid:19181; rev:14;)
# sid 19172 (CVE-2011-0038, MS11-003 DLL preloading; ATT&CK T1038/T1129/T1157): SMB, $HOME_NET to
# $HOME_NET on 139/445. Fast pattern is UTF-16LE "ieshims.dll" with no terminating NUL, so any
# SMB path containing that substring matches (a longer name such as ieshims.dll.bak too).
# Pairs with sid 19171 (HTTP URI form). Internal SMB access to a real ieshims.dll also fires.
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"BROWSER-IE Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt"; flow:to_server,established; content:"i|00|e|00|s|00|h|00|i|00|m|00|s|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,46159; reference:cve,2011-0038; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-003; classtype:attempted-user; sid:19172; rev:12;)
# sid 19171 (CVE-2011-0038, MS11-003 DLL preloading): OUTBOUND HTTP request from $HOME_NET whose
# URI contains "/ieshims.dll" (case-sensitive, fast pattern) — a client being steered to fetch
# the DLL over WebDAV/HTTP. Pairs with sid 19172 (SMB form).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|ieshims.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,46159; reference:cve,2011-0038; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-003; classtype:attempted-user; sid:19171; rev:12;)
# sid 19150 (CVE-2010-2560): client-side file_data. Fast pattern "rowspan"; requires a bare
# "<script>" tag; the pcre captures the id of a <td|tr|th|thead|tfoot> element and requires
# "<id>.rowspan" inside the script, followed by </script> and </table>.
# NOTE(review): the content is the exact literal "<script>" — a script tag with attributes
# (type=, language=) does not satisfy it. Sibling sid 19149 is the colspan form.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer malformed table tag memory corruption attempt"; flow:to_client,established; file_data; content:"rowspan"; fast_pattern:only; content:"<script>"; nocase; pcre:"/<t(d|r|h|head|foot)[^>]+id\s*=\s*(?P<q1>\x22|\x27|)([^\x22\x27]+)(?P=q1).*?\3\.rowspan.*?<\/script>.*?<\/table>/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2560; classtype:attempted-user; sid:19150; rev:13;)
# sid 19149 (CVE-2010-2560): colspan form of sid 19150 — fast pattern "colspan", bare "<script>",
# and a pcre tying a table-cell/row id to a later "<id>.colspan" access before </script></table>.
# Same caveat: only the attribute-less "<script>" literal is accepted.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer malformed table tag memory corruption attempt"; flow:to_client,established; file_data; content:"colspan"; fast_pattern:only; content:"<script>"; nocase; pcre:"/<t(d|r|h|head|foot)[^>]+id\s*=\s*(?P<q1>\x22|\x27|)([^\x22\x27]+)(?P=q1).*?\3\.colspan.*?<\/script>.*?<\/table>/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2560; classtype:attempted-user; sid:19149; rev:13;)
# sid 19147 (CVE-2010-0490, MS10-018): client-side file_data. ".outerHTML" (fast pattern) with
# "document.createStyleSheet" within 75 bytes; the pcre captures an element's id or name and
# requires a script that does "<id>.outerHTML++" or assigns a string to "<id>.outerHTML".
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer outerHTML against incomplete element heap corruption attempt"; flow:to_client,established; file_data; content:".outerHTML"; fast_pattern; content:"document|2E|createStyleSheet"; within:75; nocase; pcre:"/\s(id|name)\s*?=\s*?[\x22\x27](?P<id1>\w+)[\x22\x27].*?<script[^<]*?(?P=id1)\x2eouterHTML(\x2b{2}|\s*?=\s*?[\x22\x27])/si"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0490; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:19147; rev:12;)
# sid 19084 (CVE-2010-3962, advisory 2458511): HTTP response body. A <style type="text/css">
# block that, within tight windows (50 bytes each), contains "position:absolute" and the exact
# "clip: rect(1px)" text. Fixed spacing on both properties limits it to the published PoC
# formatting; sids 19873 and 18221 take looser approaches to the same CVE.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS style memory corruption attempt"; flow:to_client,established; file_data; content:"<style type="; nocase; content:"text/css"; within:50; nocase; content:"position|3A|absolute"; within:50; nocase; content:"clip|3A 20|rect(1px)"; within:50; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3962; reference:url,technet.microsoft.com/en-us/security/advisory/2458511; classtype:attempted-user; sid:19084; rev:10;)
# sid 18951 (CVE-2010-0244, MS10-002 CTableLayout): client-side file_data. Contents
# "document.getElement", ".onpropertychange" (fast pattern), "window.", then "<table" and "<col".
# The pcre captures "var F = function(){ ... .innerHTML/outerHTML = '' ...}" and requires an
# onpropertychange handler assigned "window.F" — an element deleted from its own change event.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableLayout memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElement"; nocase; content:".onpropertychange"; within:75; fast_pattern; nocase; content:"window."; within:75; nocase; content:"<table"; distance:0; nocase; content:"<col"; within:75; nocase; pcre:"/var\s+(?P<del_func>\w+)\s*=\s*function\s*\x28\s*\x29\s*\x7b[^\x7d]+?\x2e(inner|outer)HTML\s*=\s*[\x22\x27]\s*[\x22\x27].*?\x2eonpropertychange\s*=\s*window\x2e(?P=del_func)/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37891; reference:cve,2010-0244; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:18951; rev:12;)
# sid 18671 (CVE-2011-1345, MS11-018): client-side file_data. Sequence: ".onpropertychange",
# ".childNode" within 50, another ".onpropertychange", "null" within 50. The pcre requires the
# same object X in "X.onpropertychange = X.childNode...", "X.onpropertychange = null" and a third
# "X.onpropertychange" reference. Sibling sid 18670 is the ".attributes" form.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer object management memory corruption attempt"; flow:to_client,established; file_data; content:".onpropertychange"; nocase; content:".childNode"; within:50; nocase; content:".onpropertychange"; distance:0; nocase; content:"null"; within:50; nocase; pcre:"/(?P<q1>[A-Z\d_]+)\.onpropertychange\s*=\s*(?P=q1)\.childNode.*?(?P=q1)\.onpropertychange\s*=\s*null.*?(?P=q1)\.onpropertychange/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46821; reference:cve,2011-1345; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:attempted-user; sid:18671; rev:17;)
# sid 18670 (CVE-2011-1345, MS11-018): ".attributes" form of sid 18671 — same object X must be
# assigned "X.attributes" as its onpropertychange handler, then null, then referenced again.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer object management memory corruption attempt"; flow:to_client,established; file_data; content:".onpropertychange"; nocase; content:".attributes"; within:50; nocase; content:".onpropertychange"; distance:0; nocase; content:"null"; within:50; nocase; pcre:"/(?P<q1>[A-Z\d_]+)\.onpropertychange\s*=\s*(?P=q1)\.attributes.*?(?P=q1)\.onpropertychange\s*=\s*null.*?(?P=q1)\.onpropertychange/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46821; reference:cve,2011-1345; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:attempted-user; sid:18670; rev:17;)
# sid 18539 (CVE-2010-0267, MS10-018): HTTP response body. "window.event.srcElement" followed
# within 50 bytes by ".innerHTML" and within a further 30 by "onmouseleave" (fast pattern) —
# an event handler rewriting the source element's markup. Purely content-window based; no pcre.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer event handling remote code execution attempt"; flow:to_client,established; file_data; content:"window.event.srcElement"; nocase; content:".innerHTML"; within:50; nocase; content:"onmouseleave"; within:30; fast_pattern; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0267; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:18539; rev:12;)
# sid 18519 (CVE-2005-0553, MS05-020): HTTP response. Two PoC literals:
# filler += unescape("%u0000%u0000 and obj.insertBefore(document.createElement(filler));
# (the latter is the fast pattern).
# NOTE(review): unlike its neighbours this rule has no file_data and no http_* modifier, so it
# inspects the raw TCP payload only — a gzip/deflate-encoded or chunked response would not be
# matched. Adding file_data would align it with the rest of the set; confirm before changing.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"filler|20 2B 3D 20|unescape|28 22 25|u0000|25|u0000"; content:"obj|2E|insertBefore|28|document|2E|createElement|28|filler|29 29 3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18519; rev:10;)
# sid 18482 (CVE-2009-0552, history.go double free): file_data. Contents "for(", "<50;" in a
# 20-byte window 5 bytes on, and "history.go(" within 100 (fast pattern); the pcre pins a
# "for(var i=0; i<50; i++){ history.go(X ... X += ...;" loop.
# NOTE(review): the header is $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any with flow:to_client —
# the reverse of every other to_client rule here ($EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any).
# As written it only fires when a $HOME_NET web server serves the page to an external client,
# not when an internal browser receives it. Confirm this is intended; it looks inverted.
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"BROWSER-IE Microsoft Internet Explorer History.go method double free corruption attempt"; flow:to_client,established; file_data; content:"for|28|"; content:"<50|3B|"; within:20; distance:5; content:"history|2E|go|28|"; within:100; fast_pattern; pcre:"/for\(\s*var\s*\w+\x3D0\x3B\s*\w+\<50\x3B\s*\w+\x2B\x2B\s*\)\s*\{\s*history\.go\((?P<v2>\w+)[^}]{0,100}(?P=v2)(\[\w+\])?\s*\x2B\x3D\s*\w+\x3B/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34423; reference:cve,2009-0552; classtype:attempted-user; sid:18482; rev:9;)
# sid 18404 (CVE-2011-0036, MS11-003): HTTP response body. Single case-sensitive fast pattern
# "document.insertBefore(document" — inserting a document-level node before another. No further
# qualification, so any script containing that exact text fires. classtype attempted-admin.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer document.insertBefore memory corruption attempt"; flow:to_client,established; file_data; content:"document.insertBefore(document"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0036; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-003; classtype:attempted-admin; sid:18404; rev:11;)
# sid 18403 (CVE-2011-0035, MS11-003 Data Source Object): HTTP response body. Contents
# "document.getElementById" and "onCellChange" (fast pattern). The pcre captures a function
# name and an element id, requires that function to blank the element's innerHTML, and requires
# an onCellChange="fn();" attribute on an element with that id.
# NOTE(review): the pcre uses Snort's "O" flag, which overrides the configured PCRE match
# limits for this expression; with three ".*?" across the whole buffer that is a deliberate
# performance trade-off worth keeping in mind if enabling it.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Data Source Object memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById"; content:"onCellChange"; fast_pattern:only; pcre:"/function\s+([^\s]+)\x28.*?document\x2egetElementById\x28\x22([^\x22]+)\x22\x29\x2einnerHTML=\x22\x22.*?id\s*=\s*\x22\2\x22.*?onCellChange\s*=\s*\x22\1\x28\x29\x3b\x22/smiO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,46157; reference:cve,2011-0035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-003; classtype:attempted-user; sid:18403; rev:17;)
# sid 18401 (CVE-2011-0031, MS11-009 Script Encoder): HTTP response body. Matches the JScript
# Encode header "//**Start Encode**#@~^" (fast pattern) and then asserts that the 2 bytes at
# offset 6 after it are NOT "==" — i.e. the 6-character encoded-length field is not followed by
# the expected "==" terminator. Malformed header rather than any particular payload.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Base64 encoded script overflow attempt"; flow:to_client,established; file_data; content:"//|2A|*Start Encode**#@~^"; fast_pattern; nocase; content:!"=="; within:2; distance:6; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0031; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-009; classtype:attempted-admin; sid:18401; rev:14;)
# sid 18280 (ADO recordset CacheSize; CVE-2010-1117/1118/1259/1262, CVE-2011-0027; MS10-035,
# MS11-002): HTTP response body. "recordset" then ".CacheSize" within 100; a relative pcre
# consumes "= " and byte_test reads up to 10 decimal digits, firing when > 0x3ffffffe.
# NOTE(review): the pcre requires a whitespace character after '=' (\s, not \s*), so
# "CacheSize=0x40000000" or "CacheSize =1073741824" do not reach the byte_test; and the test
# reads decimal only, so a hex literal is not parsed as intended. Verify against samples.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer oversize recordset object cache size exploit attempt"; flow:to_client,established; file_data; content:"recordset"; content:".CacheSize"; within:100; pcre:"/^\s*=\s/R"; byte_test:10,>,0x3ffffffe,0,relative,string; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1117; reference:cve,2010-1118; reference:cve,2010-1259; reference:cve,2010-1262; reference:cve,2011-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-002; classtype:attempted-user; sid:18280; rev:15;)
# sid 18240 (CVE-2010-3971, MS11-003 CSS @import use-after-free): HTTP response body. Requires
# three UTF-16LE "@import " tokens; the pcre captures the first imported URL (quoted, optionally
# url(...)) and requires the second and third @import to reference the same URL (\2) — the
# self-referential import loop that triggers the bug.
# NOTE(review): every byte is interleaved with |00|, so only UTF-16LE stylesheets are covered;
# an ASCII/UTF-8 copy of the same stylesheet would need a separate rule.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt"; flow:to_client,established; file_data; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|"; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|"; distance:0; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|"; distance:0; pcre:"/\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00([^\x22]+)\x22\x00(\x29\x00)?\x3B\x00[^\x40]*\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00\2\x22\x00(\x29\x00)?\x3B\x00[^\x40]*\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00\2\x22/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45246; reference:cve,2010-3971; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-003; classtype:attempted-user; sid:18240; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer malformed table remote code execution attempt"; flow:to_client,established; file_data; content:"position"; content:"absolute"; distance:0; content:"clip:"; pcre:"/table\s*\x7B[^\x7d]*position\x3a\s*absolute[^\x7d]*clip/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3962; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-090; classtype:attempted-user; sid:18221; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer time element memory corruption attempt"; flow:to_client,established; file_data; content:"timeParent.timeAll.item|28|0|29|"; fast_pattern; nocase; content:"appendChild"; within:200; nocase; content:"removeChild"; within:200; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45261; reference:cve,2010-3346; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-090; classtype:attempted-user; sid:18218; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer select element memory corruption attempt"; flow:to_client,established; file_data; content:"http-equiv="; nocase; content:"X-UA-Compatible"; distance:0; nocase; content:"content="; nocase; content:"IE=8"; distance:0; nocase; content:"createElement"; distance:0; nocase; content:"select"; distance:0; nocase; pcre:"/createElement\s*\x28\s*(?P<a>[\x22\x27])\s*select\s*(?P=a)\s*\x29/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45260; reference:cve,2010-3345; classtype:attempted-user; sid:18217; rev:15;)
# Single literal match (nocase) on the single-quoted url('#default#anim') spelling
# inside the file_data buffer; double-quoted or unquoted url(...) forms are not
# covered by this rule as written.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 6 #default#anim attempt"; flow:to_client,established; file_data; content:"behavior:url('#default#anim')"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3343; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-090; classtype:attempted-user; sid:18216; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt"; flow:to_client,established; file_data; content:"@import "; content:"@import "; distance:0; content:"@import "; distance:0; pcre:"/\x40import (url\x28)?\x22([^\x22]+)\x22\x29?\x3B[^\x40]*\x40import (url\x28)?\x22\2\x22\x29?\x3B[^\x40]*\x40import (url\x28)?\x22\2\x22/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45246; reference:cve,2010-3971; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-003; classtype:attempted-user; sid:18196; rev:18;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cross-domain information disclosure attempt"; flow:to_client,established; file_data; content:"var|20|s|20 3D 20|linkEle|2E|styleSheet|2E|cssText"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3330; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17771; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 CSS invalid mapping exploit attempt"; flow:to_client,established; file_data; content:"var x = document.styleSheets|5B 30 5D 3B 0A|"; content:"var s = x.rules.item|28 30 29|.style|3B 0A|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3328; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17769; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 object event handler use after free exploit attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; fast_pattern:only; content:"playStateChange(state)"; nocase; pcre:"/(<\w+\s+id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1).*?(\w+\.getElementById\((?P<m2>\x22|\x27|)(?P=id1)(?P=m2)\)|(?P<elem>\w+)\s*=\s*document\.getElementById\((?P<m3>\x22|\x27|)(?P<id2>.+?)(?P=m3)\).*?(?P=elem)\.(inner|outer)HTML\s*(\+?=)\s*)|\w+\.getElementById\((?P<m5>\x22|\x27|)(?P<id3>.+?)(?P=m5)\).*?<\w+\s+id\s*=\s*(?P<m6>\x22|\x27|)(?P=id3)(?P=m6))/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3326; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17768; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 tostaticHTML CSS import vulnerability"; flow:to_client,established; file_data; content:"toStaticHTML"; nocase; content:"@import"; distance:0; nocase; pcre:"/toStaticHTML[^\x7b].*\x7d\s*\x40import/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-072; classtype:attempted-user; sid:17767; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 XSS in toStaticHTML API attempt"; flow:to_client,established; file_data; content:"toStaticHTML"; content:"style"; distance:0; pcre:"/toStaticHTML\x28\x22\x3cstyle\x3e\x2a.*\x5bx=(\x27|&39)\x3b/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3243; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-072; classtype:attempted-user; sid:17766; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer compressed HDMX font processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|35 1E 8C F3 EA 69 54 52 D3 04 21 97 B9 56 49 31 28 EA D2 95 1D 8C 6C 5B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1883; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-076; classtype:attempted-admin; sid:17747; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer EMBED element memory corruption attempt"; flow:to_client,established; file_data; content:"<embed type=|27 22| + asMimeTypes.shift"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34424; reference:cve,2009-0553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:17729; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer address bar spoofing attempt"; flow:to_client,established; file_data; content:"win = window.open|28 27|"; nocase; content:".swf|27|"; within:50; nocase; content:"win = window.open|28 27|http|3A 2F 2F|"; within:100; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17404; reference:cve,2006-1626; classtype:misc-activity; sid:17726; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer static text range overflow attempt"; flow:to_client,established; file_data; content:"createTextRange"; content:".text = |27|AAAAAAAAAAAAA"; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2008-2255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-045; classtype:attempted-user; sid:17720; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer EMBED element memory corruption attempt"; flow:to_client,established; file_data; content:"function|20|open|5F|win|28 29|"; content:"document|2E|body|2E|innerHTML|20 3D|"; distance:0; content:"|22 3C|embed|20|type|3D 27|audio|2F|midi|27 3E|"; distance:0; content:"setInterval|28 27|open|5F|win|28 29 27 2C 20|1|29 3B|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34424; reference:cve,2009-0553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:17709; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer popup title bar spoofing attempt"; flow:to_client,established; file_data; content:"window.open|28|"; nocase; content:"authentication.trusted.com"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12602; reference:cve,2005-0500; classtype:misc-activity; sid:17703; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer ExecWB security zone bypass attempt"; flow:to_client,established; file_data; content:"ExecWB"; nocase; pcre:"/ExecWB\s*\x28\s*[^\x2c\x29]*(7|IDM_PRINTPREVIEW)[^\x29]+http\x3a\x2f\x2f/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30612; reference:cve,2008-2259; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-045; classtype:attempted-user; sid:17692; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|7B|behavior"; nocase; content:"url|28 23|default|23|userData|29|"; distance:0; nocase; content:"setAttribute"; pcre:"/(?P<class>[A-Z\d_]+)\s*\x7Bbehavior\s*\x3a\s*url\x28\x23default\x23userData\x29.*?(?P<obj>[A-Z\d_]+)\x2EsetAttribute\x28[^,]+,\s*[A-Z]\x29.*?\x3cMARQUEE\s*id\x3d\x22(?P=obj)\x22\s*class\x3d\x22(?P=class)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0806; reference:url,support.microsoft.com/kb/980182; classtype:attempted-user; sid:17689; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|script|3E|"; nocase; content:"|2E|style|2E|behavior"; nocase; content:"|23|default|23|userData"; distance:0; nocase; content:"setAttribute|28|"; pcre:"/(?P<obj>[A-Z\d_]+)\x2Estyle\x2Ebehavior\s*\x3D\s*\x22url\x28\x27\x23default\x23userData\x27\x29\x22.*?(?P=obj)\x2EsetAttribute\x28[^,]+,\s*[A-Z]/smi"; content:"|3C 2F|script|3E|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:17688; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|test|20 7B|behavior|3A 20|url|28 23|default|23|userData|29|"; nocase; content:"|39 39 5C 78 39 35 5C 78 39 62 5C 78 63 63 5C 78|"; distance:0; content:"|39 64 5C 78 63 39 5C 78 38 38 5C 78 64 38 5C 78 39 65 5C 78 39 64 5C 78 39 35 5C 78 39 64 5C 78|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17687; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|test|20 7B|behavior|3A 20|url|28 23|default|23|userData|29|"; nocase; content:"|61 66 5C 78 61 63 5C 78 62 64 5C 78 65 64 5C 78|"; distance:0; content:"|62 64 5C 78 65 64 5C 78 61 65 5C 78 66 39 5C 78 61 62 5C 78 61 63 5C 78 62 64 5C 78 65 64 5C 78|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17686; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"setAttribute"; content:"document.location"; distance:0; content:"about|3A 5C|u0c0c|5C|u0c0c|5C|u0c0c|5C|u0c0cblank|22|"; within:40; content:"<marquee"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17685; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS strings parsing memory corruption attempt"; flow:to_client,established; file_data; content:"text-decoration"; nocase; pcre:"/\x2E[A-Z\d_]+\s*\x7b\s*text-decoration[^\x3A]*?\x7d/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0943; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:17645; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer object reference memory corruption attempt"; flow:to_client,established; file_data; content:"obj|2E|setExpression|28 22|width"; fast_pattern; nocase; content:"|22 2C 22|document|2E|body|2E|offsetWidth|22 29|"; within:30; metadata:policy max-detect-ips drop, service http; reference:cve,2007-3902; reference:url,www.securityfocus.com/bid/26506; classtype:attempted-user; sid:17622; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer possible javascript onunload event memory corruption"; flow:to_client,established; file_data; content:"document.write("; content:"body|20|onunload=|22|exploit"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22678; reference:cve,2007-1094; classtype:attempted-user; sid:17585; rev:14;)
# NOTE(review): "flow:to_client, established" carries a space after the comma,
# unlike the sibling rules in this section; harmless if the parser trims
# whitespace, but worth normalising to "flow:to_client,established" for consistency.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client, established; file_data; content:"<pre>|0A 09 09|<span style=|22|white-space|3A|normal|3B 22 2F|><span>"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17468; reference:cve,2006-1188; classtype:attempted-user; sid:17580; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer event handler memory corruption attempt"; flow:to_client,established; file_data; content:"activate = function ()"; fast_pattern:only; pcre:"/on(before|de)activate\s*\x3d\s*function\s*\x28\x29\s*\x7b\s*call(back|malFunc)\x28\x29/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35224; reference:cve,2009-1530; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:attempted-user; sid:17566; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"javascript"; distance:0; nocase; content:"location="; distance:0; nocase; pcre:"/javascript.+?function\s+(\w+)\s*\(\w*\)\s*\{.+?location=[^}]+\1\(.+?\}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16687; reference:cve,2006-0753; classtype:attempted-dos; sid:17487; rev:15;)
# NOTE(review): unlike the neighbouring rules this one has no file_data (or other
# buffer) modifier, so its content/within/distance checks run against the raw
# payload rather than the decoded response body; confirm that is intended before
# enabling it, as it affects matching on compressed or chunked responses.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer File Download Dialog Box Manipulation"; flow:to_client,established; content:"spoffset()|20|{|0A 20 20 20 20 20 20|"; nocase; content:"var|20|mv|20|=|20|window|2E|navi"; within:20; nocase; content:"var|20|sp2"; within:7; distance:29; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,15823; reference:cve,2005-2829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:17463; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer marquee object handling memory corruption attempt"; flow:to_client,established; file_data; content:"MARQUEE"; nocase; content:"onstart"; distance:0; nocase; pcre:"/\x3c\s*Marquee[^\x3e]*onstart\s*\x3D\s*\x22\s*document\x2e(write|writeln|open)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0554; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-014; classtype:attempted-user; sid:17462; rev:13;)
# alert tcp $HOME_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer HTTPS proxy information disclosure vulnerability"; flow:to_server,established; content:"|2F|accounts|2F|ServiceLogin|3F|service|3D|mail|26|passive|3D|true|26|rm|3D|false|26|continue|3D|http"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2830; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:misc-attack; sid:17448; rev:11;)
# The hex content decodes to "RETR /../../../test/poc.aaa", i.e. this rule only
# fires on that exact proof-of-concept path, not on directory traversal in general.
# NOTE(review): the header is $EXTERNAL_NET -> $HOME_NET with flow:to_server, so the
# RETR must travel from an external client toward an internal FTP server; confirm
# this direction matches the IE-client scenario the msg describes before relying on it.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer FTP client directory traversal attempt"; flow:to_server,established; content:"RETR|20 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 74 65 73 74 2F 70 6F 63 2E 61 61 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp; reference:cve,2004-1376; classtype:misc-activity; sid:17446; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDF cross-domain scripting attempt"; flow:to_client,established; file_data; content:"|3C|channel|20 0D 0A 20 20|href|3D 22|file|3A 2F 2F|"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12427; reference:cve,2005-0056; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-014; classtype:attempted-user; sid:17411; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt"; flow:to_client,established; file_data; content:"adong7"; nocase; content:"adong7"; distance:0; nocase; content:"datasrc"; distance:0; nocase; content:"datafld"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:17402; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt - unescaped"; flow:to_client,established; file_data; content:"%53%52%43%3d%5c%5c%26%23"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:17401; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS import cross-domain restriction bypass attempt"; flow:to_client,established; file_data; content:"|3C|style"; nocase; content:"@import url|28 22|http|3A 2F 2F|search|2E|msn|2E|com|2F|results|2E|aspx|3F|q|3D 25|7D|25|7B|22 29|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,15660; reference:cve,2005-4089; classtype:attempted-user; sid:17312; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer clone object memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement"; nocase; content:".attributes["; within:100; fast_pattern; content:"CollectGarbage("; within:100; content:".cloneNode("; within:100; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26816; reference:cve,2007-3903; classtype:attempted-user; sid:17303; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:".createTextRange|28 29 3B|"; fast_pattern:only; content:"<input type|3D 22|checkbox|22|"; nocase; pcre:"/\x3Cinput\s+type\x3D\x22checkbox\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17261; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer invalid object access attempt"; flow:to_client,established; file_data; content:"<thead>"; nocase; content:"<th id|3D|"; within:50; nocase; content:".colSpan=|22|500|22 3B|"; within:100; nocase; content:"</table>"; within:50; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-2560; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-053; classtype:attempted-user; sid:17132; rev:18;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 parent style rendering arbitrary code execution"; flow:to_client,established; file_data; content:"parentNode.style."; content:".focus"; within:100; pcre:"/(^|[^\w])(?P<obj>\w+)\.parentNode\.style\.[^\s]+\s*[^!]=.*?(?P=obj)\.focus/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-2559; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-053; classtype:attempted-user; sid:17131; rev:21;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer boundElements arbitrary code execution attempt"; flow:to_client,established; file_data; content:"event.boundElements"; fast_pattern:only; content:"onload"; nocase; content:"window.close"; within:40; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42288; reference:cve,2010-2557; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-053; classtype:attempted-user; sid:17130; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use-after-free memory corruption attempt"; flow:to_client,established; file_data; content:"<script>"; nocase; content:"function"; distance:0; nocase; content:"()"; within:30; content:"location."; fast_pattern:only; pcre:"/function\s+?\w+\s*?\x28[^\x7b]+?\x7b[^\x7d]*?location\.(protocol|href)\s*?=\s*?[\x22\x27]\s*?(mailto|http|file).*?[\x22\x27]/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42257; reference:cve,2010-2556; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-053; classtype:attempted-dos; sid:17129; rev:24;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer style sheet array memory corruption attempt"; flow:to_client,established; file_data; content:"document.styleSheets|5B|"; fast_pattern; nocase; content:"|5D|.imports"; within:10; nocase; content:".appendChild|28|"; within:40; nocase; content:".removeChild|28|"; within:40; nocase; content:"outerHTML"; within:40; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40410; reference:cve,2010-1117; reference:cve,2010-1118; reference:cve,2010-1259; reference:cve,2010-1262; reference:cve,2011-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-002; classtype:attempted-user; sid:16659; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer security zone restriction bypass attempt"; flow:to_client,established; file_data; content:"|2F|test|2F|setScript|2E|htm|5C 3F 5C 3C|script language|3D 5C 27|vbscript|5C 27| src|3D 5C 27|http|3A 2F 2F 3C|server|3E 2F|test|2F|test|2E|vbs|5C 27 5C 3E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-035; classtype:attempted-user; sid:16637; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer nested SPAN tag memory corruption attempt"; flow:to_client,established; file_data; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%48%54%4d%4c%3e"; fast_pattern:only; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%54%45%58%54%3e"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32721; reference:cve,2008-4844; classtype:attempted-user; sid:16605; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer malformed span/div html document heap corruption attempt"; flow:to_client,established; file_data; content:"position|3A|absolute"; nocase; content:"position|3A|relative"; nocase; content:"<div>"; nocase; content:"<span>"; nocase; pcre:"/(<div><\/span>|<span><\/div>)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0807; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16512; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 non-IE8 compatibility mode htmltime remote code execution attempt"; flow:to_client,established; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=7|22|"; nocase; content:"TIMEACTION"; nocase; pcre:"/BEGIN=[^>]+DUR=[^>]+TIMEACTION/i"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0492; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16508; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onreadystatechange memory corruption attempt"; flow:to_client,established; file_data; content:"onreadystatechange"; nocase; content:".innerHTML"; within:50; nocase; content:"|3B|"; within:8; pcre:"/(?P<obj>[A-Z\d_]+)\.innerHTML\s*=\s*(\x22[^\x22]*<[A-Z]+\s+[^>]*onreadystatechange\s*=|\x27[^\x27]*<[A-Z]+\s+[^>]*onreadystatechange\s*=).*?(?P=obj)\.innerHTML\s*=\s*(\x22\x22|\x27\x27)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0491; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16507; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer innerHTML against incomplete element heap corruption attempt"; flow:to_client,established; file_data; content:".innerHTML"; fast_pattern:only; content:"<script"; nocase; pcre:"/<(?P<elem>\w+)\s[^>]*?(id|name)=\s*?(?P<q1>\x22|\x27|)\s*?(?P<id1>\w+)\s*?(?P=q1)[^>]*?(?<!\x2f)>(?!.*?<\x2f(?P=elem)>).*?<script(?=.*?(?P=id1)\.innerHTML(\x2b{2}|\s*?=\s*?(\x22|\x27){2}))/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,39031; reference:cve,2010-0490; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16506; rev:20;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer event handling remote code execution attempt"; flow:to_client,established; file_data; content:"|22|mouseleave|22|"; fast_pattern; nocase; content:"window.event.type"; within:30; nocase; pcre:"/\x22mouseleave\x22\s*\x3D\x3D\s*window\x2Eevent\x2Etype\x29[^\x7D]*\x2EparentNode\x2EinnerHTML\s*\x3D\s*\x22/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0267; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16503; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|script"; nocase; content:"addBehavior|28|"; nocase; content:"|23|default|23|userData"; within:30; nocase; content:"setAttribute|28|"; distance:0; nocase; pcre:"/(?P<obj>[A-Z\d_]+)\.addBehavior\x28(?P<q1>\x22|\x27|)[^\x29]*\x23default\x23userData(?P=q1)\x29.*?(?P=obj)\.setAttribute\x28[^,]+,\s*[A-Z]/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16482; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer .hlp samba share download attempt"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:".hlp"; nocase; content:"|5C|"; pcre:"/\\\\[^\x20\x0a\x0d]*\.hlp/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0483; classtype:attempted-user; sid:16452; rev:13;)
# Matches an HTTP response header redirect to a local file only when the literal
# host 127.0.0.1 is used; other loopback spellings (e.g. "localhost") are not
# covered by this content match.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 7/8 execute local file in Internet zone redirect attempt"; flow:to_client,established; content:"Location: file://127.0.0.1"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2009-1140; reference:cve,2010-0255; reference:cve,2010-0555; reference:url,technet.microsoft.com/en-us/security/advisory/980088; classtype:attempted-user; sid:16423; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML+TIME animatemotion property memory corruption attempt"; flow:to_client,established; file_data; content:"ANIMATEMOTION"; nocase; pcre:"/<[A-Z_]+\s*\x3A\s*ANIMATEMOTION[^>]+?id=(?P<q>\x22|\x27|)(?P<n>[A-Z][A-Z\d\x2D\x2E\x3A\x5F]*)(?P=q).*?(?P=n)\./Osmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27666; reference:cve,2008-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-010; classtype:attempted-user; sid:16382; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted object cells reference memory corruption vulnerability"; flow:to_client,established; file_data; content:"outerText"; nocase; content:"cells.item"; distance:0; nocase; pcre:"/([A-Z0-9_]+)\.outerText.*?\1\.cells\.item/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0248; classtype:attempted-user; sid:16378; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:".mergeAttributes|28|"; fast_pattern:only; pcre:"/(\w+)\x2emergeAttributes\x28\1\x29\x3b/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:16377; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableLayout memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElement"; nocase; content:".onpropertychange"; within:75; fast_pattern; nocase; content:"function"; within:75; nocase; content:"<table"; distance:0; nocase; content:"<col"; within:75; nocase; pcre:"/\x2eonpropertychange\s*=\s*function\s*\x28\s*\x29\s*\x7b[^\x7d]+?\x2e(inner|outer)HTML(\s*=\s*[\x22\x27]\s*[\x22\x27]|\x2b\x2b)/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37891; reference:cve,2010-0244; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:16376; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"100 112 99 118 109 102 110 117 46 100 114 102 97 117 101 70 118 102 110 117 79 99 106 102 99 117 40 102 118 117 41 60 32 101 111 100 117 110 101 111 116 47 103 102 116 70 108 102 109 102 110 117 66 122 73 101 40 35 115 113 49 35 41 47 105 111 110 102 114 73 84 78 76 62 34 35 59 120 105 111 100 112 119 47 115 102 116 74 110 117 101 115 118 98 108"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:16369; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer invalid object access memory corruption attempt"; flow:to_client,established; file_data; content:"createEventObject"; fast_pattern:only; content:"innerHTML"; content:"setTimeout"; within:250; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:16367; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated"; flow:to_client,established; dsize:<2056; file_data; content:"CollectGarbage"; fast_pattern:only; content:"createElement"; nocase; content:"cloneNode"; within:128; nocase; content:"clearAttributes"; within:128; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0075; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:16339; rev:14;)
# sid 16319 (disabled). Consumer of the safari.dll flowbit that sid 15468 (the enabled rule further
# down this section) sets on a $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS request. The response side of
# that flow is $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any, yet this header reads
# $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any, the reverse of every other to_client rule in this section.
# NOTE(review): confirm the intended direction before enabling, otherwise the flowbit is never consumed.
# Payload check: "MZ" header, byte_jump to the 4-byte field at offset 0x3C (e_lfanew), then "PE\0\0"
# at the offset it points to (distance:-64 rewinds the cursor to the start of the MZ header).
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"BROWSER-IE Apple Safari-Internet Explorer SearchPath blended threat attempt"; flow:to_client,established; flowbits:isset,safari.dll; file_data; content:"MZ|90 00|"; byte_jump:4,56,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy max-detect-ips drop, service http; reference:bugtraq,29445; reference:cve,2008-2540; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-015; classtype:attempted-user; sid:16319; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName|28|'STYLE'|29|[0]"; content:".outerHTML"; within:30; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,37085; reference:cve,2009-3672; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16311; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName|28 22|STYLE|22 29|[0]"; content:".outerHTML"; within:30; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,37085; reference:cve,2009-3672; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16310; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt"; flow:to_client,established; file_data; content:"document.location.href"; fast_pattern:only; content:".createTextNode("; pcre:"/(?P<obj1>\w+)\s*?=\s*?\w+\.createTextNode\((\x22{2}|\x27{2}|[A-z]\w*)\)\s*?\; .*?\w+\.(insertBefore|insertAfter|appendChild)\((?P=obj1)\)\; |\w+\.(insertBefore|insertAfter|appendChild)\(\w+\.createTextNode\((\x22{2}|\x27{2}|[A-z]\w*)\)/s"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:16301; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML comment creation attempt"; flow:to_client,established; file_data; content:"document.location.href"; fast_pattern:only; content:".createComment("; pcre:"/(?P<obj1>\w+)\s*?=\s*?\w+\.createComment\((\x22{2}|\x27{2}|[A-z]\w*)\)\s*?\; .*?\w+\.(insertBefore|insertAfter|appendChild)\((?P=obj1)\)\; |\w+\.(insertBefore|insertAfter|appendChild)\(\w+\.createComment\((\x22{2}|\x27{2}|[A-z]\w*)\)/s"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:16300; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt"; flow:to_client,established; file_data; content:"strict.dtd"; nocase; content:"<code"; nocase; content:"<textarea"; within:50; fast_pattern; nocase; content:"</textarea"; within:100; nocase; content:".getElementByID"; distance:0; nocase; content:".className"; within:50; nocase; pcre:"/<code\s[^>]*?id\s*?=\s*?[\x22\x27]?(?P<id>\w+)[\x22\x27]?[^>]*?>[\r\n\s]+<textarea.*?\.(?P<class>\w+)[\r\n\s]*?\{[\r\n\s]*?zoom\x3a\s*?\d+px\x3b.*?document\.getElementById\s*?\(\s*?[\x22\x27]?(?P=id).*?\.className\s*?=\s*?[\x22\x27]?(?P=class)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:16169; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DOM object cache management memory corruption attempt"; flow:to_client,established; file_data; content:".removeNode"; fast_pattern:only; content:"true"; pcre:"/(\w+)\x2EremoveNode\s*\x28\s*true\s*\x29.*\1\x2EremoveNode\s*\x28\s*\x29.*?\1\x2E[^r]/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-5344; classtype:attempted-user; sid:16067; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer location.replace memory corruption attempt"; flow:to_client,established; file_data; content:"execScript|28|'function f|28 29|{location.replace|28 22|about|3A|blank|22 29 3B|}|3B|setTimeout|28 22|f|28 29 22|,5|29 3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26427; reference:cve,2007-5347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-069; classtype:attempted-user; sid:16065; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onBeforeUnload address bar spoofing attempt"; flow:to_client,established; file_data; content:"onbeforeunload="; nocase; content:".document.body."; content:".document.open("; content:"<body"; nocase; content:" onBeforeUnload="; within:25; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24911; reference:cve,2007-3826; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:misc-activity; sid:16064; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer isindex buffer overflow attempt"; flow:to_client,established; file_data; content:"<style>"; nocase; content:"<isindex>"; distance:0; fast_pattern; nocase; content:"<style>"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27668; reference:cve,2008-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-010; classtype:attempted-user; sid:16063; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt"; flow:to_client,established; file_data; content:"document.getElementById|28|'testdiv'|29|.innerHTML='<object data=|22|/~"; content:"/poc.php|22| type=text/html id=|22|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,18682; reference:cve,2006-3280; classtype:attempted-user; sid:16045; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:".createTextRange|28 29 3B|"; fast_pattern:only; content:"<input type|3D 22|image|22|"; nocase; pcre:"/\x3Cinput\s+type\x3D\x22image\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:16035; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer compressed content attempt"; flow:to_client,established; content:"Location|3A|"; nocase; http_header; content:"/ABCDEFGHIJ"; within:20; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19987; reference:cve,2006-3873; classtype:attempted-user; sid:16033; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML Decoding memory corruption attempt"; flow:to_client,established; content:"charset=UTF-8"; nocase; file_data; content:"|F8|AAA|F8|AA|C8|"; within:8; metadata:policy max-detect-ips drop, service http; reference:bugtraq,18309; reference:cve,2006-2382; classtype:attempted-user; sid:16032; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer nested object tag memory corruption attempt"; flow:to_client,established; file_data; content:"<STYLE></STYLE>|0A|<OBJECT"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17658; reference:cve,2006-1992; classtype:attempted-user; sid:16031; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS property method handling memory corruption attempt"; flow:to_client,established; file_data; content:".cols=0x41414141|3B|"; content:".mergeAttributes("; within:50; content:".src="; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23769; reference:cve,2007-0945; classtype:attempted-user; sid:16011; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Javascript Page update race condition attempt"; flow:to_client,established; file_data; content:"win = open|28 22|poc_dummy.html|22|,|22|victim|22 29 3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24283; reference:cve,2007-3091; classtype:misc-activity; sid:16010; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt"; flow:to_client,established; file_data; content:"<COLGROUP id=|22|colgroupid|22| span=2>"; content:"colgroupid.test = 'something'|3B|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,23771; reference:cve,2007-0944; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:attempted-user; sid:16007; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer getElementById object corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById(|27|ctrl1|27|).innerHTML=|22 22 3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30614; reference:cve,2008-2254; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-045; classtype:attempted-user; sid:15910; rev:18;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer empty table tag memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|SPAN|22|)[0]"; nocase; content:"document.createElement(|27|TR|27|)"; distance:0; nocase; content:"appendChild(tr)"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2009-1918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-034; classtype:attempted-user; sid:15733; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS handling memory corruption attempt"; flow:to_client,established; file_data; content:"<style"; nocase; content:"document.styleSheets[0].rules[0].style"; distance:0; nocase; content:"document.styleSheets[0].cssText"; distance:0; nocase; content:".font"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2009-1919; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-034; classtype:attempted-user; sid:15732; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer javascript deleted reference arbitrary code execution attempt"; flow:to_client,established; file_data; content:".outerHTML"; content:"CollectGarbage"; distance:0; content:".innerHTML ="; distance:0; pcre:"/(\S*)\x2EouterHTML\s*\x3D.*CollectGarbage\s?\x28\x29.*\1\x2EinnerHTML/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-1917; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-034; classtype:attempted-user; sid:15731; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer layout object use after free attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:".rows"; distance:0; nocase; content:"null"; within:150; nocase; content:"null"; within:50; nocase; content:"CollectGarbage("; within:50; content:".item("; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-1532; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:attempted-admin; sid:15540; rev:16;)
# sid 15468: the only rule enabled in this section. It never alerts by itself (flowbits:noalert); its
# sole effect is to set the safari.dll flowbit for sid 16319 above, which is commented out here. With
# 16319 disabled this rule only spends inspection time on every ".dll" request from a Safari
# User-Agent; enable both rules or neither.
# Match: client request with ".dll" in the normalized URI and a User-Agent header containing "Safari".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-IE Apple Safari-Internet Explorer SearchPath blended threat dll request"; flow:to_server,established; content:".dll"; nocase; http_uri; content:"Safari"; http_header; pcre:"/^User\x2dAgent\x3a\s*[^\n]*Safari[^\n]*\r\n/smi"; flowbits:set,safari.dll; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:cve,2008-2540; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-015; classtype:attempted-user; sid:15468; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt"; flow:to_client,established; file_data; content:"strict.dtd"; nocase; content:"<li"; nocase; content:"<textarea"; within:50; fast_pattern; nocase; content:"</textarea"; within:100; nocase; content:".getElementByID"; distance:0; nocase; content:".className"; within:50; nocase; pcre:"/<li\s[^>]*?id\s*?=\s*?[\x22\x27]?(?P<id>\w+)[\x22\x27]?[^>]*?>[\r\n\s]+<textarea.*?\.(?P<class>\w+)[\r\n\s]*?\{[\r\n\s]*?zoom\x3a\s*?\d+px\x3b.*?document\.getElementById\s*?\(\s*?[\x22\x27]?(?P=id).*?\.className\s*?=\s*?[\x22\x27]?(?P=class)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:15305; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt"; flow:to_client,established; file_data; content:"cloneNode"; nocase; content:"clearAttributes"; within:128; nocase; pcre:"/var\s*(?P<cl>\w+)\s*=\s*(?P<o>\w+)\.cloneNode.*?(?P=o)\.clearAttributes.*?(?P=o)\s*=\s*null\s*\x3B.*?(?P=cl)\.click\s*\x3B/Osmi"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:15304; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt"; flow:to_client,established; file_data; content:"iframe"; nocase; content:"name"; within:1000; nocase; isdataat:750,relative; pcre:"/iframe[^>]*?[\s\x3b\x22\x27]name\s*=\s*[\x22\x27]?[^\x22\x27\s]{750}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11515; reference:cve,2004-1050; classtype:attempted-user; sid:15147; rev:22;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt"; flow:to_client,established; file_data; content:"datasrc"; nocase; content:"datafld"; fast_pattern:only; pcre:"/<(?P<t1>button|div|input[^>]+?type\s*=\s*(\x22|\x27)button(\x22|\x27)|label|legend|marquee|param|span)\s+[^>]*(datasrc\s*=\s*(?P<q1>\x22|\x27|)(?P<d1>\S+)(?P=q1)\s+[^>]*datafld\s*=\s*(?P<q2>\x22|\x27|)(?P<d2>\S+)(?P=q2)|datafld\s*=\s*(?P<q3>\x22|\x27|)(?P<d3>\S+)(?P=q3)\s+[^>]*datasrc\s*=\s*(?P<q4>\x22|\x27|)(?P<d4>\S+)(?P=q4))[^>]*>(?!.*?<\/\s*(?P=t1)\s*>.*?<(?P=t1)).*?<(?P=t1)\s+[^>]*(datasrc\s*=\s*(?P<q5>\x22|\x27|)((?P=d1)|(?P=d3))(?P=q5)\s+datafld\s*=\s*(?P<q6>\x22|\x27|)((?P=d2)|(?P=d4))(?P=q6)|(datafld\s*=\s*(?P<q7>\x22|\x27|)(?P=d1)(?P=q7)\s+datasrc\s*=\s*(?P<q8>\x22|\x27|)(?P=d2)(?P=q8)))/Osi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:15126; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer embed src buffer overflow attempt"; flow:to_client,established; file_data; content:"embed src"; nocase; isdataat:1000,relative; pcre:"/embed src=\s*(\x27[^\x27]{1000}|\x22[^\x22]{1000}|[^\s\x22\x27]{1000})/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-4261; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-073; classtype:attempted-user; sid:15114; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cross domain componentFromPoint memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|componentFromPoint|28|"; nocase; pcre:"/(\S+)\s+\x3d[^\x3b]*\x2e(createElement|getElementById)\x28.*\1\x2ecomponentFromPoint\x28/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-3475; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-058; classtype:attempted-user; sid:14657; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cross domain setExpression exploit attempt"; flow:to_client,established; file_data; content:"setexpression"; nocase; content:"clearattributes"; distance:0; fast_pattern; nocase; pcre:"/(\w+)\x2Esetexpression\s*\x28\x29.+\1\x2Eclearattributes\s*\x28\x29/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3476; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-058; classtype:attempted-user; sid:14645; rev:18;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer createRange cross domain scripting"; flow:to_client,established; file_data; content:"tabindex"; fast_pattern:only; content:"getElementById("; content:".focus("; within:80; nocase; content:".createRange("; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-058; classtype:attempted-user; sid:14644; rev:19;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer location and location.href cross domain security bypass vulnerability"; flow:to_client,established; file_data; content:"window.open"; nocase; content:".location"; nocase; pcre:"/\.location(\.href)?\s*=\s*new\s+String\s*\x28\s*\x22\s*javascript\x3A/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-2947; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-058; classtype:attempted-user; sid:14643; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer http status response memory corruption vulnerability"; flow:to_client,established; content:"HTTP/1"; depth:6; nocase; content:"449"; within:10; fast_pattern; pcre:"/^http\/1\x2e[01][ \t]+449/i"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-2256; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-045; classtype:attempted-user; sid:13980; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer request header overwrite"; flow:to_client,established; file_data; content:"XMLHttpRequest|28|"; nocase; content:"setRequestHeader|28 22|"; distance:0; nocase; pcre:"/setRequestHeader\x28\x22(host|referer|content\x2dlength)\x22\s*\x2B/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28379; reference:cve,2008-1544; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-031; classtype:misc-activity; sid:13834; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer data stream memory corruption attempt"; flow:to_client,established; file_data; content:"%PDFAAAAAAAA"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28552; reference:cve,2008-1085; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-024; classtype:attempted-user; sid:13677; rev:19;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DXLUTBuilder ActiveX function call access"; flow:to_client,established; file_data; content:"DXTransform.Microsoft.DXLUTBuilder"; pcre:"/(?P<c>\w+)\s*=\s*(\x22DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x22|\x27DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x22|\x27DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x27)\s*\)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-010; classtype:attempted-user; sid:13455; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt"; flow:to_client,established; file_data; content:"rect"; nocase; content:"imagedata"; within:100; nocase; content:"urn:schemas-microsoft-com:vml"; fast_pattern:only; pcre:"/<(?P<t>[\w\x2D\x2E]+)\x3A[^>]+>.*?<(?P=t)\x3Aimagedata\s+[^>]*src\s*=\s*(?P<q>\x22|\x27)[\w\x25\x2D\x2E\x2F\x3A]+\x2E\w{2,4}(?P=q)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25310; reference:cve,2007-1749; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-050; classtype:attempted-user; sid:12280; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS tag memory corruption attempt"; flow:to_client,established; file_data; content:"style"; nocase; content:"csstext"; distance:0; nocase; pcre:"/\x3c[^\x3e]*style\s*=[^\x3e]*?csstext\x3a/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24423; reference:cve,2007-1750; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:attempted-user; sid:11966; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer navcancl.htm url spoofing attempt"; flow:to_client,established; file_data; content:"ieframe.dll/navcancl.htm|23|"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22966; reference:cve,2007-1499; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:misc-attack; sid:11834; rev:21;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer isComponentInstalled function buffer overflow"; flow:to_client,established; file_data; content:"isComponentInstalled"; nocase; isdataat:256,relative; pcre:"/isComponentInstalled\s*\([^,\)]{256}/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16870; reference:cve,2006-1016; classtype:attempted-user; sid:7020; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer mhtml uri href buffer overflow attempt"; flow:to_client,established; file_data; content:"mhtml|3A|//"; nocase; pcre:"/href\s*=\s*(\x22mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\x22]{1253}|\x27mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\x27]{1253}|mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\x09\r\n\x20]{1253})/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,18198; reference:cve,2006-2766; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-043; classtype:attempted-user; sid:6509; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer javascript onload prompt obfuscation overflow attempt"; flow:to_client,established; file_data; content:"prompt"; nocase; content:"fillmem"; distance:0; nocase; content:"body"; nocase; content:"onLoad"; distance:0; nocase; content:"setTimeout"; distance:0; nocase; pcre:"/prompt\(fillmem[^\)]*\).*?<body\s+[^>]*onLoad\s*=\s*[\x22\x27]?setTimeout\(/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13799; reference:cve,2005-1790; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,computerterrorism.com/research/ie/ct21-11-2005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4917; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer javascript onload document.write obfuscation overflow attempt"; flow:to_client,established; file_data; content:"document.write"; nocase; pcre:"/document\.write\(([^\x22\x27\x29\x3B]*([\x22\x27]))((?(?=\2)\2(?1)))\x3C(?3)b(?3)o(?3)d(?3)y(?3)\s*(?3)o(?3)n(?3)l(?3)o(?3)a(?3)d(?3)\s*(?3)=(?3)\s*(?3)w(?3)i(?3)n(?3)d(?3)o(?3)w(?3)\x28(?3)\x29/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13799; reference:cve,2005-1790; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,computerterrorism.com/research/ie/ct21-11-2005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4916; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer javascript onload overflow attempt"; flow:to_client,established; file_data; content:"body"; nocase; content:"on"; within:20; nocase; content:"window"; within:20; nocase; pcre:"/<body\s+[^>]*on(Load|Blur)\s*=\s*[\x22\x27]?window\(\)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13799; reference:cve,2005-1790; reference:url,computerterrorism.com/research/ie/ct21-11-2005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-054; classtype:attempted-user; sid:4647; rev:17;)
# sid 4135 (disabled). Requires flowbits:isset,file.jpeg; no rule in this section sets that bit, so it
# depends on a file-type setter elsewhere in the ruleset and cannot fire without it.
# Match: a 3-component JPEG start-of-scan header (FF DA, length 0x000C, 3 components) whose component
# IDs are neither "R\0G\0B\0" nor one of the (0,1,2) / (1,2,3) / (1,4,5) layouts excluded by the
# negated pcre.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer JPEG rendering buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FA FF DA 00 0C 03|"; content:!"R|00|G|00|B|00|"; within:6; pcre:!"/\xFA\xFF\xDA\x00\x0C\x03((\x00.\x01.\x02)|(\x01.\x02.\x03)|(\x01.\x04.\x05))/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14282; reference:bugtraq,14284; reference:cve,2005-1988; reference:cve,2005-2308; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-038; classtype:attempted-user; sid:4135; rev:23;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer javaprxy.dll COM access"; flow:to_client,established; file_data; content:"03D9F3F2-B0E3-11D2-B081-006008039BF0"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*03D9F3F2-B0E3-11D2-B081-006008039BF0/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14087; reference:cve,2005-2087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-037; classtype:attempted-user; sid:3814; rev:19;)
# sid 3686 (disabled). Requires flowbits:isset,file.rat, set by a file-type rule outside this section;
# without that setter the rule never fires.
# Match: "rating-service" followed within 300 bytes by a "(name " field whose quoted value runs to at
# least 261 characters.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Content Advisor memory corruption attempt"; flow:to_client,established; flowbits:isset,file.rat; file_data; content:"name"; nocase; content:"rating-service"; fast_pattern:only; pcre:"/rating\x2Dservice.{0,300}\x28\s*name\s*\x22[^\x22]{261}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13117; reference:cve,2005-0555; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-020; classtype:attempted-user; sid:3686; rev:24;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt"; flow:to_client,established; file_data; content:"http"; nocase; content:"://"; within:4; content:!">"; within:400; pcre:"/(href|src|\.location|\.navigation)\s*?=\s*?[\x22\x27]?\s*?https?\x3a\x2f{2}[^@&?\s\x22\x27\x2f\x3a]{255}/i"; metadata:service http; reference:bugtraq,33894; reference:cve,2005-0554; reference:cve,2009-0187; classtype:attempted-user; sid:3550; rev:18;)
# sid 3079 (disabled, community ruleset). Requires flowbits:isset,file.ani, set by a file-type rule
# outside this section.
# Match: RIFF header at offset 0 with form type "ACON" at offset 8, then an "anih" chunk whose
# little-endian 4-byte size field is greater than 36 (byte_test:4,>,36,0,relative,little).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer ANI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ani; file_data; content:"RIFF"; depth:4; content:"ACON"; within:4; distance:4; content:"anih"; distance:0; nocase; byte_test:4,>,36,0,relative,little; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2004-1049; reference:cve,2007-0038; reference:cve,2007-1765; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-017; classtype:attempted-user; sid:3079; rev:25;)
# sid 18672 (disabled). Unlike the other rules in this section it has no file_data and no
# metadata:service, so the CLSID is matched against the raw TCP payload and the rule is bound to
# $HTTP_PORTS only; a body that http_inspect would have decoded for file_data is not seen here.
# The content has no nocase, so an upper-case spelling of the same CLSID does not match.
# NOTE(review): consider file_data; nocase; and metadata:service http; for parity with the section.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access"; flow:established,to_client; content:"8fe85d00-4647-40b9-87e4-5eb8a52f4759"; fast_pattern:only; reference:cve,2011-0811; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:18672; rev:7;)
# sid 18669 (disabled by default): script of the form `X.opener = { parent: { ... function` in the HTTP response body,
# i.e. a window.opener override carrying a function-valued parent. MS11-018 / CVE-2011-1245.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cross-domain object manipulation attempt"; flow:established,to_client; file_data; content:".opener"; nocase; content:"parent|3A|"; distance:0; nocase; content:"function "; distance:0; nocase; pcre:"/[A-Z\d_]+\.opener\s*=\s*{\s*parent\x3A\s*{[^}]+function/smi"; metadata:service http; reference:cve,2011-1245; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:web-application-activity; sid:18669; rev:6;)
# sid 17115 (disabled by default): an <iframe id="X" src="http...> whose id is later referenced via document.getElementById('X').onfocus
# (pcre named backreference). Matches the raw payload, not file_data; the "O" pcre flag overrides the match-limit. MS10-053 / CVE-2010-1258.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt"; flow:to_client,established; content:"<iframe"; content:"document.execCommand"; fast_pattern:only; pcre:"/\x3Ciframe\s+id\x3D\s*\x22(?P<id>[^\x22]+)\x22\s+src\s*\x3D\s*\x22http.*?document.getElementById\x28\x27(?P=id)\x27\x29\x2Eonfocus/isO"; metadata:service http; reference:cve,2010-1258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-053; classtype:attempted-user; sid:17115; rev:7;)
# sid 16658 (disabled by default): .toStaticHTML( call whose argument contains "ff5d" and "@import" before the closing paren
# (the sanitizer bypass from MS10-035 / CVE-2010-1257). Raw payload match, no file_data.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 cross-site scripting attempt"; flow:to_client,established; content:"toStaticHTML"; nocase; content:"ff5d"; distance:0; nocase; pcre:"/\x2EtoStaticHTML\s*\x28[^\x29]*ff5d[^\x29]*\x40import/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1257; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-035; classtype:attempted-user; sid:16658; rev:7;)
# sid 16509 (disabled by default): case-sensitive literal match on the published PoC text (`frame.contentWindow.document.designMode = 'on';`
# followed by `window.parent.document.domain`); any whitespace or naming change in the script evades it. No file_data, no metadata:service. MS10-018 / CVE-2010-0494.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer designMode-enabled information disclosure attempt"; flow:to_client,established; content:"frame.contentWindow.document.designMode = 'on'|3B|"; content:"window.parent.document.domain"; distance:0; reference:cve,2010-0494; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:misc-attack; sid:16509; rev:7;)
# sid 16505 (disabled by default): case-sensitive literal match on the PoC's `function WriteASPX(uri)` / `WriteASPX('repro.aspx')`;
# it detects that specific sample, not the underlying parsing bug. MS10-018 / CVE-2010-0489.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HTML parsing memory corruption attempt"; flow:to_client,established; content:"function WriteASPX|28|uri|29|"; content:"WriteASPX|28|'repro.aspx'|29|"; distance:0; metadata:service http; reference:cve,2010-0489; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16505; rev:7;)
# sid 16504 (disabled by default): a UTF-7 charset <meta> tag followed by a literal `<form id="form1" method="POST"`; case-sensitive,
# raw payload, no metadata:service. MS10-018 / CVE-2010-0488.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 7 encoded content handling exploit attempt"; flow:to_client,established; content:"<meta http-equiv=|22|Content-Type|22| content=|22|text/html|3B| charset=UTF-7|22|>"; content:"<form id=|22|form1|22| method=|22|POST|22|"; distance:0; reference:cve,2010-0488; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:misc-attack; sid:16504; rev:7;)
# sid 16150 (disabled by default): one case-insensitive literal covering the PoC's `function foo(arg) {` ... `oDiv.appendChild(arg);` with CRLF
# line endings baked in; LF-only or reformatted copies will not match. MS09-054 / CVE-2009-2529.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer variant argument validation remote code execution attempt"; flow:to_client,established; content:"function foo|28|arg|29| {|0D 0A| var oDiv=document.createElement|28 22|DIV|22 29 3B 0D 0A| oDiv.appendChild|28|arg|29 3B|"; nocase; metadata:service http; reference:cve,2009-2529; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:misc-activity; sid:16150; rev:7;)
# sid 34791 (SMTP variant of 34790): ordered sequence in a mail attachment -- `<area id=`, createElement("AREA"), .appendChild(, .insertAdjacentText(,
# createElement("IFRAME"), then execCommand("undo"). Drops in balanced/security/max-detect. MS15-056 / CVE-2015-1732.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds memory access attempt"; flow:to_server,established; file_data; content:"<area id="; content:"document.createElement|28|"; nocase; content:"AREA"; within:15; nocase; content:".appendChild|28|"; distance:0; content:".insertAdjacentText|28|"; distance:0; content:"document.createElement|28|"; distance:0; nocase; content:"IFRAME"; within:15; nocase; content:"document.execCommand|28|"; distance:0; nocase; content:"undo"; within:15; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1732; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-admin; sid:34791; rev:2;)
# sid 34790 (HTTP/IMAP/POP3/FTP-data variant of 34791): same ordered `<area id=` / createElement AREA / appendChild / insertAdjacentText /
# createElement IFRAME / execCommand undo chain in a to-client file body. MS15-056 / CVE-2015-1732.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds memory access attempt"; flow:to_client,established; file_data; content:"<area id="; content:"document.createElement|28|"; nocase; content:"AREA"; within:15; nocase; content:".appendChild|28|"; distance:0; content:".insertAdjacentText|28|"; distance:0; content:"document.createElement|28|"; distance:0; nocase; content:"IFRAME"; within:15; nocase; content:"document.execCommand|28|"; distance:0; nocase; content:"undo"; within:15; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1732; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-admin; sid:34790; rev:2;)
# sid 34779 (SMTP variant of 34778): createElement("optgroup") and createElement("canvas"), two .outerHTML references within 50 bytes of each other,
# execCommand JustifyRight / BackColor / FontSize, ending in a literal `window.location.reload();`. Only the within: pairs are position-bound. MS15-056 / CVE-2015-1731.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer LayoutLineBoxFullShort use after free attempt"; flow:to_server,established; file_data; content:".createElement"; nocase; content:"optgroup"; within:15; nocase; content:".createElement"; nocase; content:"canvas"; within:15; nocase; content:".outerHTML"; content:".outerHTML"; within:50; content:".execCommand"; nocase; content:"JustifyRight"; within:15; nocase; content:".execCommand"; nocase; content:"BackColor"; within:15; nocase; content:".execCommand"; nocase; content:"FontSize"; within:15; nocase; content:"window.location.reload|28 29 3B|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1731; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-user; sid:34779; rev:2;)
# sid 34778 (to-client variant of 34779): createElement optgroup/canvas, paired .outerHTML, execCommand JustifyRight/BackColor/FontSize,
# literal `window.location.reload();`. MS15-056 / CVE-2015-1731.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer LayoutLineBoxFullShort use after free attempt"; flow:to_client,established; file_data; content:".createElement"; nocase; content:"optgroup"; within:15; nocase; content:".createElement"; nocase; content:"canvas"; within:15; nocase; content:".outerHTML"; content:".outerHTML"; within:50; content:".execCommand"; nocase; content:"JustifyRight"; within:15; nocase; content:".execCommand"; nocase; content:"BackColor"; within:15; nocase; content:".execCommand"; nocase; content:"FontSize"; within:15; nocase; content:"window.location.reload|28 29 3B|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1731; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-user; sid:34778; rev:2;)
# sid 34773 (disabled by default, SMTP variant of 34772): a fixed 33-byte binary sequence (repeated E9 xx xx xx xx -- x86 rel32 jmp encoding,
# presumably a stub from the vulnerable module; verify against the sample). Byte-exact, so any rebuild of the binary evades it. MS15-056 / CVE-2015-1739.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer MOTW.dll sandbox escape attempt"; flow:to_server,established; file_data; content:"|AC 00 00 E9 4B 5C 00 00 E9 82 3C 01 00 E9 C1 95 00 00 E9 5C 4D 00 00 E9 27 95 00 00 E9 68 3C 01 00 E9 BD|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1739; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-admin; sid:34773; rev:2;)
# sid 34772 (disabled by default, to-client variant of 34773): same fixed 33-byte sequence of E9-prefixed rel32 jumps in a downloaded file body.
# No policy metadata, so it is never auto-enabled. MS15-056 / CVE-2015-1739.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer MOTW.dll sandbox escape attempt"; flow:to_client,established; file_data; content:"|AC 00 00 E9 4B 5C 00 00 E9 82 3C 01 00 E9 C1 95 00 00 E9 5C 4D 00 00 E9 27 95 00 00 E9 68 3C 01 00 E9 BD|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1739; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-admin; sid:34772; rev:2;)
# sid 34768 (SMTP variant of 34767): "IE=8" compatibility hint, then a tight chain -- `body onpropertychange`, document.body.applyElement within 30,
# textarea within 100, `body style` within 100, border-image-slice within 30, `<q></q>` within 50 (fast pattern). MS15-056 / CVE-2015-1750.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer textarea parent use-after-free attempt"; flow:to_server,established; file_data; content:"IE=8"; nocase; content:"body onpropertychange"; nocase; content:"document.body.applyElement"; within:30; nocase; content:"textarea"; within:100; nocase; content:"body style"; within:100; nocase; content:"border-image-slice"; within:30; nocase; content:"<q></q>"; within:50; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1750; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34768; rev:2;)
# sid 34767 (to-client variant of 34768): IE=8 hint, body onpropertychange -> applyElement -> textarea -> body style -> border-image-slice -> `<q></q>`
# with the within: bounds shown. MS15-056 / CVE-2015-1750.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer textarea parent use-after-free attempt"; flow:to_client,established; file_data; content:"IE=8"; nocase; content:"body onpropertychange"; nocase; content:"document.body.applyElement"; within:30; nocase; content:"textarea"; within:100; nocase; content:"body style"; within:100; nocase; content:"border-image-slice"; within:30; nocase; content:"<q></q>"; within:50; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1750; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34767; rev:2;)
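# sid 34766 (SMTP variant of 34765): X-UA-Compatible IE=EmulateIE7 meta tag (fast pattern), .getAttributeNode( with "spellcheck" within 30,
# `-ms-block-progression:lr` and a CollectGarbage() call; the last three contents are case-sensitive.
# rev 4: classtype changed from policy-violation to attempted-user -- this is a use-after-free exploit attempt like every other MS15-056
# rule in this section, and the classtype drives alert priority and analyst triage. MS15-056 / CVE-2015-1736.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CStyleAttrArray use after free attempt"; flow:established,to_server; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=EmulateIE7|22|"; fast_pattern:only; content:".getAttributeNode("; content:"spellcheck"; within:30; content:"-ms-block-progression:lr"; content:"CollectGarbage()"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1736; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-user; sid:34766; rev:4;)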
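# sid 34765 (to-client variant of 34766): X-UA-Compatible IE=EmulateIE7 meta tag (fast pattern), .getAttributeNode( + spellcheck within 30,
# `-ms-block-progression:lr`, CollectGarbage(); case-sensitive after the fast pattern.
# rev 4: classtype changed from policy-violation to attempted-user to match the other MS15-056 use-after-free rules (it drives alert priority).
# MS15-056 / CVE-2015-1736.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CStyleAttrArray use after free attempt"; flow:established,to_client; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=EmulateIE7|22|"; fast_pattern:only; content:".getAttributeNode("; content:"spellcheck"; within:30; content:"-ms-block-progression:lr"; content:"CollectGarbage()"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1736; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-user; sid:34765; rev:4;)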
# sid 34764 (SMTP variant of 34763): a single case-sensitive literal `http://http://<>http://http://<>` taken from the trigger;
# any variation in the repeated scheme string or casing evades it, and anything containing that exact literal will fire. MS15-056 / CVE-2015-1752.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 8 mode menu tag out-of-bounds access attempt"; flow:to_server,established; file_data; content:"http://http://<>http://http://<>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1752; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34764; rev:3;)
# sid 34763 (to-client variant of 34764): single case-sensitive literal `http://http://<>http://http://<>` in a downloaded file body. MS15-056 / CVE-2015-1752.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 8 mode menu tag out-of-bounds access attempt"; flow:to_client,established; file_data; content:"http://http://<>http://http://<>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1752; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34763; rev:3;)
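# sid 34760 (SMTP variant of 34759): childNodes[0] -> height within 20 -> listStyleImage within 35 -> none within 10 -> posHeight within 100.
# rev 3: dropped the stray "service ftp-data" from metadata -- this rule is the port-25 / to_server half of the pair, and every other SMTP rule
# in this section lists only service smtp; ftp-data is already covered by sid 34759. MS15-056 / CVE-2015-1687.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 CTableSection object use-after-free attempt"; flow:to_server,established; file_data; content:"childNodes[0]"; nocase; content:"height"; within:20; nocase; content:"listStyleImage"; within:35; nocase; content:"none"; within:10; nocase; content:"posHeight"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1687; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34760; rev:3;)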
# sid 34759 (to-client variant of 34760): childNodes[0] -> height within 20 -> listStyleImage within 35 -> none within 10 -> posHeight within 100,
# all case-insensitive and relative. MS15-056 / CVE-2015-1687.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 CTableSection object use-after-free attempt"; flow:to_client,established; file_data; content:"childNodes[0]"; nocase; content:"height"; within:20; nocase; content:"listStyleImage"; within:35; nocase; content:"none"; within:10; nocase; content:"posHeight"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1687; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34759; rev:2;)
# sid 34758 (disabled by default, SMTP variant of 34757): "IE=9" hint, "first-l" (a prefix -- presumably the :first-letter/:first-line pseudo-element;
# confirm), background-color within 100, "DXImageTransform.Microsoft." (fast pattern), then "filters" with ".apply" within 100. MS15-056 / CVE-2015-1744.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDXTFilterNode object remote code execution attempt"; flow:to_server,established; file_data; content:"IE=9"; nocase; content:"first-l"; nocase; content:"background-color"; within:100; nocase; content:"DXImageTransform.Microsoft."; fast_pattern:only; content:"filters"; nocase; content:".apply"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1744; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-admin; sid:34758; rev:3;)
# sid 34757 (disabled by default, to-client variant of 34758): IE=9 hint, "first-l" prefix, background-color within 100, DXImageTransform.Microsoft.
# fast pattern, filters + .apply within 100. Drops only in security/max-detect when enabled. MS15-056 / CVE-2015-1744.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDXTFilterNode object remote code execution attempt"; flow:to_client,established; file_data; content:"IE=9"; nocase; content:"first-l"; nocase; content:"background-color"; within:100; nocase; content:"DXImageTransform.Microsoft."; fast_pattern:only; content:"filters"; nocase; content:".apply"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1744; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-admin; sid:34757; rev:3;)
# sid 34756 (disabled by default, SMTP variant of 34755): `tabIndex="1"`, setActive, ForeColor within 50, getElementsByClassName within 150.
# All four tokens are common in ordinary pages, so expect noise if enabled. MS15-056 / CVE-2015-1735.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer uninitialized VARIANT object remote code execution attempt"; flow:to_server,established; file_data; content:"tabIndex=|22|1|22|"; nocase; content:"setActive"; nocase; content:"ForeColor"; within:50; nocase; content:"getElementsByClassName"; within:150; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1735; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-admin; sid:34756; rev:2;)
# sid 34755 (disabled by default, to-client variant of 34756): `tabIndex="1"`, setActive, ForeColor within 50, getElementsByClassName within 150. MS15-056 / CVE-2015-1735.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer uninitialized VARIANT object remote code execution attempt"; flow:to_client,established; file_data; content:"tabIndex=|22|1|22|"; nocase; content:"setActive"; nocase; content:"ForeColor"; within:50; nocase; content:"getElementsByClassName"; within:150; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1735; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-admin; sid:34755; rev:2;)
# sid 34754 (SMTP variant of 34753): .createTextRange, .execCommand within 100 with insertMarquee within 25 (fast pattern), .scrollIntoView within 100,
# then a separate, non-relative .execCommand with "Undo" within 25. MS15-056 / CVE-2015-1753.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CLegendElement object use after free attempt"; flow:to_server,established; file_data; content:".createTextRange"; nocase; content:".execCommand"; within:100; nocase; content:"insertMarquee"; within:25; fast_pattern; nocase; content:".scrollIntoView"; within:100; nocase; content:".execCommand"; nocase; content:"Undo"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1753; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34754; rev:2;)
# sid 34753 (to-client variant of 34754): .createTextRange -> .execCommand("insertMarquee") -> .scrollIntoView, then an execCommand("Undo") anywhere after. MS15-056 / CVE-2015-1753.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CLegendElement object use after free attempt"; flow:to_client,established; file_data; content:".createTextRange"; nocase; content:".execCommand"; within:100; nocase; content:"insertMarquee"; within:25; fast_pattern; nocase; content:".scrollIntoView"; within:100; nocase; content:".execCommand"; nocase; content:"Undo"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1753; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34753; rev:2;)
# sid 34752 (disabled by default, SMTP variant of 34751): res://ieframe.dll (fast pattern) plus apds.dll/redirect.html and target=javascript anywhere
# in the body; the three are not position-bound to each other. No policy metadata. MS15-056 / CVE-2015-1748.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer ieframe.dll privilege escalation attempt"; flow:to_server,established; file_data; content:"res://ieframe.dll"; fast_pattern:only; content:"apds.dll/redirect.html"; nocase; content:"target=javascript"; nocase; metadata:service smtp; reference:cve,2015-1748; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34752; rev:2;)
# sid 34751 (disabled by default, to-client variant of 34752): res://ieframe.dll, apds.dll/redirect.html and target=javascript, unordered. MS15-056 / CVE-2015-1748.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer ieframe.dll privilege escalation attempt"; flow:to_client,established; file_data; content:"res://ieframe.dll"; fast_pattern:only; content:"apds.dll/redirect.html"; nocase; content:"target=javascript"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1748; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34751; rev:2;)
# sid 34750 (to-client; SMTP twin is 34749 below): .replaceChild (fast pattern) -> .hidden within 75 -> true within 25; separately .createElementNS -> xhtml within 50
# -> tfoot within 25; and two .innerText within 50 of each other. MS15-056 / CVE-2015-1751.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer TableGridBlock object use after free attempt"; flow:to_client,established; file_data; content:".replaceChild"; fast_pattern; nocase; content:".hidden"; within:75; nocase; content:"true"; within:25; nocase; content:".createElementNS"; nocase; content:"xhtml"; within:50; nocase; content:"tfoot"; within:25; nocase; content:".innerText"; nocase; content:".innerText"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1751; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34750; rev:2;)
# sid 34749 (SMTP variant of 34750): .replaceChild -> .hidden -> true, .createElementNS -> xhtml -> tfoot, and paired .innerText. MS15-056 / CVE-2015-1751.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer TableGridBlock object use after free attempt"; flow:to_server,established; file_data; content:".replaceChild"; fast_pattern; nocase; content:".hidden"; within:75; nocase; content:"true"; within:25; nocase; content:".createElementNS"; nocase; content:"xhtml"; within:50; nocase; content:"tfoot"; within:25; nocase; content:".innerText"; nocase; content:".innerText"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1751; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34749; rev:2;)
# sid 34748 (SMTP variant of 34747): document.body.setCapture -> onlostpointercapture within 60 -> document.open within 50 -> .getElementbyId within 50
# (the odd casing is harmless because nocase is set) -> .contentWindow.showModelessDialog within 60. MS15-056 / CVE-2015-1740.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CoInternetParseUrl use-after-free attempt"; flow:to_server,established; file_data; content:"document.body.setCapture"; nocase; content:"document.body.onlostpointercapture"; within:60; nocase; content:"document.open"; within:50; nocase; content:".getElementbyId"; within:50; nocase; content:".contentWindow.showModelessDialog"; within:60; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1740; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34748; rev:2;)
# sid 34747 (to-client variant of 34748): setCapture -> onlostpointercapture -> document.open -> getElementById -> showModelessDialog chain,
# each step bounded by the within: shown. MS15-056 / CVE-2015-1740.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CoInternetParseUrl use-after-free attempt"; flow:to_client,established; file_data; content:"document.body.setCapture"; nocase; content:"document.body.onlostpointercapture"; within:60; nocase; content:"document.open"; within:50; nocase; content:".getElementbyId"; within:50; nocase; content:".contentWindow.showModelessDialog"; within:60; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1740; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34747; rev:2;)
# sid 34746 (SMTP variant of 34745): .execCommand with BlockDirLTR within 25 (fast pattern), .body.contentEditable with "true" within 15,
# then .msElementsFromRect and .reload anywhere after. MS15-056 / CVE-2015-1737.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer TextNode object use after free attempt"; flow:to_server,established; file_data; content:".execCommand"; nocase; content:"BlockDirLTR"; within:25; fast_pattern; nocase; content:".body.contentEditable"; nocase; content:"true"; within:15; nocase; content:".msElementsFromRect"; nocase; content:".reload"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1737; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-user; sid:34746; rev:2;)
# sid 34745 (to-client variant of 34746): execCommand("BlockDirLTR"), body.contentEditable = true, .msElementsFromRect, .reload. MS15-056 / CVE-2015-1737.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer TextNode object use after free attempt"; flow:to_client,established; file_data; content:".execCommand"; nocase; content:"BlockDirLTR"; within:25; fast_pattern; nocase; content:".body.contentEditable"; nocase; content:"true"; within:15; nocase; content:".msElementsFromRect"; nocase; content:".reload"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1737; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-user; sid:34745; rev:2;)
# sid 34736 (SMTP variant of 34735): createElement("datalist") -> .appendChild within 100 -> .removeNode within 100 -> .options.item within 100 (fast pattern). MS15-056 / CVE-2015-1755.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer COptionElement object use after free attempt"; flow:to_server,established; file_data; content:".createElement"; nocase; content:"datalist"; within:25; nocase; content:".appendChild"; within:100; nocase; content:".removeNode"; within:100; nocase; content:".options.item"; within:100; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1755; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34736; rev:2;)
# sid 34735 (to-client variant of 34736): createElement("datalist") -> appendChild -> removeNode -> options.item, each within 100 of the previous. MS15-056 / CVE-2015-1755.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer COptionElement object use after free attempt"; flow:to_client,established; file_data; content:".createElement"; nocase; content:"datalist"; within:25; nocase; content:".appendChild"; within:100; nocase; content:".removeNode"; within:100; nocase; content:".options.item"; within:100; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1755; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34735; rev:2;)
# sid 34734 (disabled by default, SMTP variant of 34733): IE=EmulateIE8 hint, .setAttribute -> .childNodes within 100 -> .mergeAttributes within 100,
# location.reload, and two `<video` tags within 25 bytes of each other. MS15-056 / CVE-2015-1745.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CAttrValue uninitialized object access attempt"; flow:to_server,established; file_data; content:"IE=EmulateIE8"; nocase; content:".setAttribute"; nocase; content:".childNodes"; within:100; nocase; content:".mergeAttributes"; within:100; nocase; content:"location.reload"; nocase; content:"<video"; nocase; content:"<video"; within:25; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1745; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-admin; sid:34734; rev:2;)
# sid 34733 (disabled by default, to-client variant of 34734): IE=EmulateIE8, setAttribute -> childNodes -> mergeAttributes, location.reload, back-to-back `<video` tags. MS15-056 / CVE-2015-1745.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CAttrValue uninitialized object access attempt"; flow:to_client,established; file_data; content:"IE=EmulateIE8"; nocase; content:".setAttribute"; nocase; content:".childNodes"; within:100; nocase; content:".mergeAttributes"; within:100; nocase; content:"location.reload"; nocase; content:"<video"; nocase; content:"<video"; within:25; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1745; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-admin; sid:34733; rev:2;)
# sid 34730 (disabled by default, SMTP variant of 34729): window.open with about:blank within 50, execScript with URIError within 100, and location.reload
# as the fast pattern. All contents are case-sensitive. MS15-056 / CVE-2015-1730.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer stack exhaustion handler remote code execution attempt"; flow:to_server,established; file_data; content:"window.open"; content:"about:blank"; within:50; content:"execScript"; content:"URIError"; within:100; content:"location.reload"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1730; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-admin; sid:34730; rev:2;)
# sid 34729 (disabled by default, to-client variant of 34730): window.open/about:blank, execScript/URIError, location.reload; case-sensitive. MS15-056 / CVE-2015-1730.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer stack exhaustion handler remote code execution attempt"; flow:to_client,established; file_data; content:"window.open"; content:"about:blank"; within:50; content:"execScript"; content:"URIError"; within:100; content:"location.reload"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1730; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-056; classtype:attempted-admin; sid:34729; rev:2;)
# sid 34728 (disabled by default, SMTP variant of 34727): "getInt" (fast pattern), "DataView", "valueOf", and "postMessage" within 150 of valueOf.
# Every token is ordinary in legitimate JavaScript, so this is high-noise if turned on; no policy metadata. MS15-056 / CVE-2015-1747.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt"; flow:to_server,established; file_data; content:"getInt"; fast_pattern:only; content:"DataView"; content:"valueOf"; content:"postMessage"; within:150; metadata:service smtp; reference:cve,2015-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34728; rev:4;)
# sid 34727 (disabled by default, to-client variant of 34728): getInt, DataView, valueOf, postMessage within 150; generic tokens, high noise if enabled. MS15-056 / CVE-2015-1747.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt"; flow:to_client,established; file_data; content:"getInt"; fast_pattern:only; content:"DataView"; content:"valueOf"; content:"postMessage"; within:150; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34727; rev:4;)
# sid 34726 (SMTP variant of 34725): .addEventListener("load") -> .document.designMode = on -> .document.write("<pre>") -> .document.insertBefore,
# and the pcre requires insertBefore( ... ) with no comma, i.e. a single-argument call with the second (beforeElement) argument omitted. MS15-056 / CVE-2015-1766.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode undefined beforeElement use-after-free attempt"; flow:to_server,established; file_data; content:".addEventListener"; nocase; content:"load"; within:10; content:".document.designMode"; within:50; nocase; content:"on"; within:20; nocase; content:".document.write"; within:50; nocase; content:"<pre>"; within:50; nocase; content:".document.insertBefore"; within:100; nocase; pcre:"/\x2Edocument\x2EinsertBefore\s*\x28[^\x2C]+\x29/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1766; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34726; rev:2;)
# sid 34725 (to-client variant of 34726): addEventListener load -> designMode on -> document.write <pre> -> single-argument document.insertBefore( ... ). MS15-056 / CVE-2015-1766.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode undefined beforeElement use-after-free attempt"; flow:to_client,established; file_data; content:".addEventListener"; nocase; content:"load"; within:10; content:".document.designMode"; within:50; nocase; content:"on"; within:20; nocase; content:".document.write"; within:50; nocase; content:"<pre>"; within:50; nocase; content:".document.insertBefore"; within:100; nocase; pcre:"/\x2Edocument\x2EinsertBefore\s*\x28[^\x2C]+\x29/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1766; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34725; rev:2;)
# sid 34724 (SMTP variant of 34723): createElement("rtc") -> .innerText within 500 -> table-footer-group within 50 -> .scrollTop within 100 -> .background within 100,
# and the pcre pins an empty-string assignment (`.background = ""` or `''`). MS15-056 / CVE-2015-1742.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds array access attempt"; flow:to_server,established; file_data; content:".createElement"; nocase; content:"rtc"; within:15; nocase; content:".innerText"; within:500; nocase; content:"table-footer-group"; within:50; nocase; content:".scrollTop"; within:100; nocase; content:".background"; within:100; nocase; pcre:"/\.background\s*=\s*[\x22\x27]{2}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1742; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34724; rev:2;)
# sid 34723 (to-client variant of 34724): createElement rtc -> innerText -> table-footer-group -> scrollTop -> `.background = ""`. MS15-056 / CVE-2015-1742.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds array access attempt"; flow:to_client,established; file_data; content:".createElement"; nocase; content:"rtc"; within:15; nocase; content:".innerText"; within:500; nocase; content:"table-footer-group"; within:50; nocase; content:".scrollTop"; within:100; nocase; content:".background"; within:100; nocase; pcre:"/\.background\s*=\s*[\x22\x27]{2}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1742; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34723; rev:2;)
# sid 34722 (SMTP variant of 34721): `function()` -> cloneContents() within 100 -> toString within 75 -> document.write within 50 -> window within 100 -> styleMedia within 30.
# Apart from styleMedia these are everyday tokens; the tight within: chain is what keeps it specific. MS15-056 / CVE-2015-1741.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer callback function use-after-free attempt"; flow:to_server,established; file_data; content:"function()"; nocase; content:"cloneContents()"; within:100; nocase; content:"toString"; within:75; nocase; content:"document.write"; within:50; nocase; content:"window"; within:100; nocase; content:"styleMedia"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1741; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34722; rev:2;)
# sid 34721 (to-client variant of 34722): function() -> cloneContents() -> toString -> document.write -> window -> styleMedia, each bounded by within:. MS15-056 / CVE-2015-1741.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer callback function use-after-free attempt"; flow:to_client,established; file_data; content:"function()"; nocase; content:"cloneContents()"; within:100; nocase; content:"toString"; within:75; nocase; content:"document.write"; within:50; nocase; content:"window"; within:100; nocase; content:"styleMedia"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1741; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:34721; rev:2;)
# sid 34825 (disabled by default, SMTP variant of 34824): two .appendChild within 50, document.createElement, a ":nth-" CSS selector, .createTextRange,
# then .moveEnd (fast pattern) followed by a "-" within 30 -- presumably a negative offset argument; confirm against the referenced write-up.
# No CVE; the only reference is a forum thread, and all contents are case-sensitive.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt"; flow:to_server,established; file_data; content:".appendChild"; content:".appendChild"; within:50; content:"document.createElement"; content:":nth-"; content:".createTextRange"; content:".moveEnd"; fast_pattern; content:"-"; within:30; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,garage4hackers.com/showthread.php?t=6246; classtype:attempted-recon; sid:34825; rev:3;)
# Shipped disabled. to_client counterpart of sid 34825 (moveEnd information disclosure) for
# HTTP / FTP-data / IMAP / POP3 file data; same content chain and policy placement.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt"; flow:to_client,established; file_data; content:".appendChild"; content:".appendChild"; within:50; content:"document.createElement"; content:":nth-"; content:".createTextRange"; content:".moveEnd"; fast_pattern; content:"-"; within:30; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,garage4hackers.com/showthread.php?t=6246; classtype:attempted-recon; sid:34824; rev:3;)
# CVE-2014-2782 (MS14-035): IE CTextElement use-after-free, SMTP variant (sid 34873 is the
# file/HTTP twin). The fast-pattern token ".innerHTML = |22 22 3B|" is a byte-exact match on
# the spacing and the double-quoted empty string, so it keys on one specific source layout.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt"; flow:to_server,established; file_data; content:"<form"; content:"<textarea"; distance:0; content:"onpropertychange="; distance:0; content:"document.getElementById"; within:200; nocase; content:".reset()|3B|"; within:200; content:".innerHTML = |22 22 3B|"; within:200; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-2782; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-035; classtype:attempted-user; sid:34874; rev:3;)
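# CVE-2014-2782 (MS14-035): IE CTextElement use-after-free, to_client counterpart of sid 34874.
# NOTE(review): the original header used $HTTP_PORTS although the rule's own metadata declares
# service ftp-data, imap and pop3 and every sibling to_client rule in this file uses
# $FILE_DATA_PORTS; with port-based matching that header never sees the non-HTTP services.
# Aligned the port variable with the metadata and the sibling rules and bumped rev accordingly.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt"; flow:to_client,established; file_data; content:"<form"; content:"<textarea"; distance:0; content:"onpropertychange="; distance:0; content:"document.getElementById"; within:200; nocase; content:".reset()|3B|"; within:200; content:".innerHTML = |22 22 3B|"; within:200; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-2782; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-035; classtype:attempted-user; sid:34873; rev:4;)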
# CVE-2015-0100 (MS15-018): IE CTreeNode use-after-free, SMTP variant (sid 35012 is the twin).
# Requires contentEditable "true", an onfocusout handler and three ".focus" calls within 40 bytes
# of each other; the first ".focus" is the fast-pattern token.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use-after-free attempt"; flow:to_server,established; file_data; content:".contentEditable"; nocase; content:"true"; within:20; content:".onfocusout"; nocase; content:".focus"; fast_pattern; nocase; content:".focus"; within:40; nocase; content:".focus"; within:40; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0100; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:35013; rev:3;)
# CVE-2015-0100 (MS15-018): to_client counterpart of sid 35013, same content chain over
# HTTP / FTP-data / IMAP / POP3 file data.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use-after-free attempt"; flow:to_client,established; file_data; content:".contentEditable"; nocase; content:"true"; within:20; content:".onfocusout"; nocase; content:".focus"; fast_pattern; nocase; content:".focus"; within:40; nocase; content:".focus"; within:40; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0100; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-018; classtype:attempted-user; sid:35012; rev:3;)
# Shipped disabled. CVE-2015-1668: IE CSVGMarkerElement use-after-free. The fast-pattern token is
# one particular string-concatenation obfuscation of the convertToSpecifiedUnits property name, so
# the rule is specific to that sample rather than to the vulnerability. No policy metadata, so it is
# not part of any default policy. Note the trailing space inside the msg string.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt "; flow:to_client,established; file_data; content:"[|22|baseVal|22|][|27|con|27| +|22|vertToS|22| + |27|pecifiedU|27| +|22|nits|22|]"; fast_pattern:only; content:"document.createRange|28|"; content:"<marker"; distance:0; content:"<marker"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1668; classtype:attempted-user; sid:35053; rev:1;)
# Shipped disabled. CVE-2015-2368 (MS15-069): IE protected-mode DLL load via SMB. Internal-to-internal
# (HOME_NET to HOME_NET, ports 139/445) SMB1 traffic: "|FF|SMB" header followed by command byte A2,
# and the UTF-16LE filename "atlthunk.dll" (each character interleaved with |00|) as the fast pattern.
# Useful as a lateral-movement / DLL-planting indicator; enabling it requires SMB visibility on internal segments.
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"BROWSER-IE Microsoft Internet Explorer protected mode request for atlthunk.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"a|00|t|00|l|00|t|00|h|00|u|00|n|00|k|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:cve,2015-2368; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-069; classtype:attempted-user; sid:35216; rev:2;)
# Shipped disabled. CVE-2015-2368 (MS15-069): outbound HTTP request whose URI contains "/atlthunk.dll",
# i.e. a client fetching the DLL from an external host. Carries MITRE ATT&CK references (T1038, T1129,
# T1157). Expect benign hits if this DLL is legitimately served over HTTP in the environment.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer protected mode atlthunk.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|atlthunk.dll"; nocase; http_uri; metadata:service http; reference:cve,2015-2368; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-069; classtype:attempted-user; sid:35215; rev:2;)
# CVE-2015-2372 (MS15-065): IE 10 VBScript array-element use-after-free, SMTP variant (sid 35213 is
# the twin). Keys on VBScript keywords (ReDim, Property Get, Erase, End Property, Set, Join) in order;
# "Set" uses distance:0 (anywhere after End Property) while the others are bounded by within:.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 10 VBScript array element use after free attempt"; flow:to_server,established; file_data; content:"ReDim"; nocase; content:"Property Get"; nocase; content:"Erase"; within:50; nocase; content:"End Property"; within:50; nocase; content:"Set"; distance:0; nocase; content:"Join"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2372; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35214; rev:2;)
# CVE-2015-2372 (MS15-065): to_client counterpart of sid 35214 (VBScript array UAF) for
# HTTP / FTP-data / IMAP / POP3 file data.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 10 VBScript array element use after free attempt"; flow:to_client,established; file_data; content:"ReDim"; nocase; content:"Property Get"; nocase; content:"Erase"; within:50; nocase; content:"End Property"; within:50; nocase; content:"Set"; distance:0; nocase; content:"Join"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2372; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35213; rev:2;)
# CVE-2015-2404 (MS15-065): IE CMarkup use-after-free. One of four rules (sids 35209-35212) covering
# two transports x two quote styles; this is SMTP with a single-quoted empty codebase (|27 27|).
# "distance:-50" rewinds the cursor 50 bytes before the 150-byte search for onerror, so onerror may
# precede the quotes. Ends with styleSheets / cssText / CollectGarbage in order.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt"; flow:to_server,established; file_data; content:"<applet"; fast_pattern; nocase; content:"codebase"; within:100; nocase; content:"|27 27|"; within:5; content:"onerror"; within:150; distance:-50; nocase; content:".styleSheets"; nocase; content:".cssText"; within:100; nocase; content:"CollectGarbage"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2404; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35212; rev:2;)
# CVE-2015-2404 (MS15-065): CMarkup use-after-free, SMTP variant with a double-quoted empty
# codebase (|22 22|); otherwise identical to sid 35212.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt"; flow:to_server,established; file_data; content:"<applet"; fast_pattern; nocase; content:"codebase"; within:100; nocase; content:"|22 22|"; within:5; content:"onerror"; within:150; distance:-50; nocase; content:".styleSheets"; nocase; content:".cssText"; within:100; nocase; content:"CollectGarbage"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2404; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35211; rev:2;)
# CVE-2015-2404 (MS15-065): CMarkup use-after-free, to_client file-data variant with a
# single-quoted empty codebase (|27 27|); content chain identical to sid 35212.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt"; flow:to_client,established; file_data; content:"<applet"; fast_pattern; nocase; content:"codebase"; within:100; nocase; content:"|27 27|"; within:5; content:"onerror"; within:150; distance:-50; nocase; content:".styleSheets"; nocase; content:".cssText"; within:100; nocase; content:"CollectGarbage"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2404; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35210; rev:2;)
# CVE-2015-2404 (MS15-065): CMarkup use-after-free, to_client file-data variant with a
# double-quoted empty codebase (|22 22|); content chain identical to sid 35211.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt"; flow:to_client,established; file_data; content:"<applet"; fast_pattern; nocase; content:"codebase"; within:100; nocase; content:"|22 22|"; within:5; content:"onerror"; within:150; distance:-50; nocase; content:".styleSheets"; nocase; content:".cssText"; within:100; nocase; content:"CollectGarbage"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2404; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35209; rev:2;)
# Shipped disabled. CVE-2015-2419 (MS15-065): IE JSON.stringify double free, SMTP variant. The
# detection is only "JSON.stringify" followed by five ": {" tokens each within 50 bytes of the
# previous one, which ordinary nested JSON object literals also satisfy; that low fidelity is why
# it is only in the max-detect policy. sid 35207 is the file-data twin.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer JSON stringify double free attempt"; flow:to_server,established; file_data; content:"JSON.stringify"; content:": {"; within:50; content:": {"; within:50; content:": {"; within:50; content:": {"; within:50; content:": {"; within:50; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-2419; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35208; rev:2;)
# Shipped disabled. CVE-2015-2419 (MS15-065): to_client counterpart of sid 35208 (JSON.stringify
# double free); same generic nested-object pattern, max-detect policy only.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer JSON stringify double free attempt"; flow:to_client,established; file_data; content:"JSON.stringify"; content:": {"; within:50; content:": {"; within:50; content:": {"; within:50; content:": {"; within:50; content:": {"; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2419; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35207; rev:2;)
# CVE-2015-2383 (MS15-065): IE CImgElement use-after-free, SMTP variant (sid 35205 is the twin).
# First of two trigger paths for this CVE: appendChild -> replaceNode (fast pattern) ->
# location.reload, plus a DOMAttrModified listener and a <base> element anywhere in the buffer.
# sids 35203/35204 cover the second path (createRange / selectNode / insertNode).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CImgElement object use after free attempt"; flow:to_server,established; file_data; content:".appendChild"; nocase; content:".replaceNode"; within:125; fast_pattern; nocase; content:".location.reload"; within:125; nocase; content:".addEventListener"; nocase; content:"DOMAttrModified"; within:30; nocase; content:"<base"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2383; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35206; rev:2;)
# CVE-2015-2383 (MS15-065): to_client counterpart of sid 35206 (CImgElement UAF, replaceNode path)
# for HTTP / FTP-data / IMAP / POP3 file data.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CImgElement object use after free attempt"; flow:to_client,established; file_data; content:".appendChild"; nocase; content:".replaceNode"; within:125; fast_pattern; nocase; content:".location.reload"; within:125; nocase; content:".addEventListener"; nocase; content:"DOMAttrModified"; within:30; nocase; content:"<base"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2383; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35205; rev:2;)
# CVE-2015-2383 (MS15-065): CImgElement use-after-free, SMTP variant, second trigger path:
# createElement("base") -> applyElement("inside") -> createRange (fast pattern) -> selectNode ->
# insertNode. sid 35203 is the file-data twin; sids 35205/35206 cover the replaceNode path.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CImgElement object use after free attempt"; flow:to_server,established; file_data; content:".createElement"; nocase; content:"base"; within:25; nocase; content:".applyElement"; within:100; nocase; content:"inside"; within:50; nocase; content:".createRange"; fast_pattern; nocase; content:".selectNode"; within:75; nocase; content:".insertNode"; within:75; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2383; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35204; rev:2;)
# CVE-2015-2383 (MS15-065): to_client counterpart of sid 35204 (CImgElement UAF, createRange path)
# for HTTP / FTP-data / IMAP / POP3 file data.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CImgElement object use after free attempt"; flow:to_client,established; file_data; content:".createElement"; nocase; content:"base"; within:25; nocase; content:".applyElement"; within:100; nocase; content:"inside"; within:50; nocase; content:".createRange"; fast_pattern; nocase; content:".selectNode"; within:75; nocase; content:".insertNode"; within:75; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2383; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35203; rev:2;)
# CVE-2015-2411 / CVE-2015-6073 (MS15-065, MS15-112): IE TreeComputedContent use-after-free, SMTP
# variant. All tokens are case-sensitive (no nocase). "swapNode" is the fast pattern; the trailing
# "insertAdjacentHTML" is an absolute search. sid 35199 is the file-data twin (note it is at rev 3
# while this one is at rev 5, so the two have diverged in revision history).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer TreeComputedContent object use after free attempt"; flow:to_server,established; file_data; content:"addEventListener"; content:"DOMNodeRemoved"; within:30; content:"swapNode"; distance:0; fast_pattern; content:"insertAdjacentHTML"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2411; reference:cve,2015-6073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-112; classtype:attempted-user; sid:35200; rev:5;)
# CVE-2015-2411 / CVE-2015-6073 (MS15-065, MS15-112): to_client counterpart of sid 35200
# (TreeComputedContent UAF); same case-sensitive content chain over file data.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer TreeComputedContent object use after free attempt"; flow:to_client,established; file_data; content:"addEventListener"; content:"DOMNodeRemoved"; within:30; content:"swapNode"; distance:0; fast_pattern; content:"insertAdjacentHTML"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2411; reference:cve,2015-6073; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-112; classtype:attempted-user; sid:35199; rev:3;)
# CVE-2015-1738 (MS15-065): IE CFieldSetElement use-after-free, SMTP variant. Requires
# document.charset set to gb2312 (fast pattern), a DOMNodeRemoved listener, insertFieldset and an
# execCommand("delete"). NOTE(review): "DOMNodeRemoved" is matched case-sensitively here, while the
# file-data twin sid 35196 adds nocase for the same token; the pair should probably agree.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CFieldSetElement object use after free attempt"; flow:to_server,established; file_data; content:"document.charset"; nocase; content:"gb2312"; within:25; fast_pattern; nocase; content:"addEventListener"; nocase; content:"DOMNodeRemoved"; within:25; content:"insertFieldset"; nocase; content:".execCommand"; nocase; content:"delete"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1738; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35197; rev:2;)
# CVE-2015-1738 (MS15-065): to_client counterpart of sid 35197 (CFieldSetElement UAF). Differs from
# the SMTP twin only in that "DOMNodeRemoved" is matched with nocase here.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CFieldSetElement object use after free attempt"; flow:to_client,established; file_data; content:"document.charset"; nocase; content:"gb2312"; within:25; fast_pattern; nocase; content:"addEventListener"; nocase; content:"DOMNodeRemoved"; within:25; nocase; content:"insertFieldset"; nocase; content:".execCommand"; nocase; content:"delete"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1738; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35196; rev:2;)
# Shipped disabled. CVE-2015-2391 (MS15-065): IE meta-tag double free, SMTP variant. Looks for two
# msapplication-task <meta> tags where the first has a "name=" within 25 bytes and the second is
# followed by no "name=" in the next 5 bytes (the negated content). Security and max-detect policies
# only; sid 35184 is the file-data twin.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer meta tag double free attempt"; flow:to_server,established; file_data; content:"<meta name=|22|msapplication-task|22| content=|22|"; nocase; content:"name="; within:25; nocase; content:"<meta name=|22|msapplication-task|22| content=|22|"; distance:0; nocase; content:!"name="; within:5; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2391; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35185; rev:7;)
# Shipped disabled. CVE-2015-2391 (MS15-065): to_client counterpart of sid 35185 (meta tag double
# free) for HTTP / FTP-data / IMAP / POP3 file data; same two-tag pattern with the negated "name=".
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer meta tag double free attempt"; flow:to_client,established; file_data; content:"<meta name=|22|msapplication-task|22| content=|22|"; nocase; content:"name="; within:25; nocase; content:"<meta name=|22|msapplication-task|22| content=|22|"; distance:0; nocase; content:!"name="; within:5; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2391; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35184; rev:7;)
# CVE-2015-2388 (MS15-065): IE table column resize use-after-free, SMTP variant. Requires the page
# to force IE8 document mode (x-ua-compatible IE=8) and create a frameset element (fast pattern),
# then two colSpan/cells pairs. NOTE(review): the first ".cells" is searched within:60 here but
# within:50 in the file-data twin sid 35182; one of the two windows is probably a typo.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer table column resize use-after-free attempt"; flow:to_server,established; file_data; content:"x-ua-compatible"; nocase; content:"IE=8"; within:25; nocase; content:".createElement|28|"; content:"frameset"; within:20; fast_pattern; nocase; content:".colSpan"; nocase; content:".cells"; within:60; nocase; content:".colSpan"; within:25; nocase; content:".cells"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2388; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35183; rev:2;)
# CVE-2015-2388 (MS15-065): to_client counterpart of sid 35183 (table column resize UAF). Same chain,
# except the first ".cells" window is within:50 here versus within:60 in the SMTP twin.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer table column resize use-after-free attempt"; flow:to_client,established; file_data; content:"x-ua-compatible"; nocase; content:"IE=8"; within:25; nocase; content:".createElement|28|"; content:"frameset"; within:20; fast_pattern; nocase; content:".colSpan"; nocase; content:".cells"; within:50; nocase; content:".colSpan"; within:25; nocase; content:".cells"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2388; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35182; rev:2;)
# Shipped disabled. CVE-2015-2389 (MS15-065): IE CAttribute use-after-free, SMTP variant. Pattern is
# a DOMNodeRemoved listener followed by swapNode and execCommand within 50 bytes. Classtype is
# attempted-admin (unlike most rules in this group, which use attempted-user); security and
# max-detect policies only. sid 35178 is the file-data twin.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CAttribute object use after free attempt"; flow:to_server,established; file_data; content:"addEventListener"; nocase; content:"DOMNodeRemoved"; within:30; nocase; content:"swapNode"; distance:0; content:"execCommand"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2389; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-admin; sid:35179; rev:2;)
# Shipped disabled. CVE-2015-2389 (MS15-065): to_client counterpart of sid 35179 (CAttribute UAF)
# for HTTP / FTP-data / IMAP / POP3 file data.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CAttribute object use after free attempt"; flow:to_client,established; file_data; content:"addEventListener"; nocase; content:"DOMNodeRemoved"; within:30; nocase; content:"swapNode"; distance:0; content:"execCommand"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2389; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-admin; sid:35178; rev:2;)
# CVE-2015-2408 (MS15-065): IE CTitleElement use-after-free, SMTP variant (sid 35172 is the twin).
# DOMNodeRemoved listener, createTreeWalker (fast pattern) and execCommand("formatblock").
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTitleElement object use after free attempt"; flow:to_server,established; file_data; content:".addEventListener"; nocase; content:"DOMNodeRemoved"; within:25; nocase; content:"createTreeWalker"; fast_pattern; nocase; content:"execCommand"; nocase; content:"formatblock"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2408; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35173; rev:2;)
# CVE-2015-2408 (MS15-065): to_client counterpart of sid 35173 (CTitleElement UAF) for
# HTTP / FTP-data / IMAP / POP3 file data.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTitleElement object use after free attempt"; flow:to_client,established; file_data; content:".addEventListener"; nocase; content:"DOMNodeRemoved"; within:25; nocase; content:"createTreeWalker"; fast_pattern; nocase; content:"execCommand"; nocase; content:"formatblock"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2408; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35172; rev:2;)
# Shipped disabled. CVE-2015-2425 (MS15-065, bugtraq 75745): IE MutationObserver use-after-free,
# SMTP variant. Two MutationObserver constructions, an observe() call with childList true, then a
# ".inner" access; most hops use distance:0 so the pattern is loose. Max-detect policy only here,
# whereas the file-data twin sid 35170 is also in the security policy.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt"; flow:to_server,established; file_data; content:"new MutationObserver("; nocase; content:"new MutationObserver("; distance:0; nocase; content:".observe"; distance:0; nocase; content:"childList"; distance:0; nocase; content:"true"; within:50; nocase; content:".inner"; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,75745; reference:cve,2015-2425; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35171; rev:5;)
# Shipped disabled. CVE-2015-2425 (MS15-065): to_client counterpart of sid 35171 (MutationObserver
# UAF); same content chain, placed in both the security and max-detect policies.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt"; flow:to_client,established; file_data; content:"new MutationObserver("; nocase; content:"new MutationObserver("; distance:0; nocase; content:".observe"; distance:0; nocase; content:"childList"; distance:0; nocase; content:"true"; within:50; nocase; content:".inner"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,75745; reference:cve,2015-2425; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35170; rev:5;)
# Shipped disabled. CVE-2015-2390 (MS15-065): IE CTreeNode use-after-free, SMTP variant. Requires
# CollectGarbage, createElement of an iframe and of a progress element, then DOMNodeRemoved followed
# by swapNode within 50 bytes. attempted-admin classtype; security and max-detect policies only.
# sid 35164 is the file-data twin.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode object use after free attempt"; flow:to_server,established; file_data; content:"CollectGarbage"; nocase; content:"createElement"; nocase; content:"iframe"; within:25; nocase; content:"createElement"; nocase; content:"progress"; within:25; nocase; content:"DOMNodeRemoved"; content:"swapNode"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2390; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-admin; sid:35165; rev:2;)
# Shipped disabled. CVE-2015-2390 (MS15-065): to_client counterpart of sid 35165 (CTreeNode UAF)
# for HTTP / FTP-data / IMAP / POP3 file data.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode object use after free attempt"; flow:to_client,established; file_data; content:"CollectGarbage"; nocase; content:"createElement"; nocase; content:"iframe"; within:25; nocase; content:"createElement"; nocase; content:"progress"; within:25; nocase; content:"DOMNodeRemoved"; content:"swapNode"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2390; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-admin; sid:35164; rev:2;)
# CVE-2015-2422 (MS15-065): IE CFancyFormat use-after-free, SMTP variant (sid 35158 is the twin).
# Requires the IE7 emulation mode string (IE=EmulateIE7), an editable body, window.navigate and an
# onactivate handler (fast pattern) followed closely by applyElement and createElement("strong").
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CFancyFormat object use-after-free attempt"; flow:to_server,established; file_data; content:"IE=EmulateIE7"; nocase; content:".body.contentEditable"; nocase; content:"true"; within:20; content:"window.navigate"; nocase; content:"onactivate"; fast_pattern; nocase; content:".applyElement"; within:25; nocase; content:".createElement"; within:25; nocase; content:"strong"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2422; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35159; rev:2;)
# CVE-2015-2422 (MS15-065): to_client counterpart of sid 35159 (CFancyFormat UAF) for
# HTTP / FTP-data / IMAP / POP3 file data.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CFancyFormat object use-after-free attempt"; flow:to_client,established; file_data; content:"IE=EmulateIE7"; nocase; content:".body.contentEditable"; nocase; content:"true"; within:20; content:"window.navigate"; nocase; content:"onactivate"; fast_pattern; nocase; content:".applyElement"; within:25; nocase; content:".createElement"; within:25; nocase; content:"strong"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2422; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35158; rev:2;)
# CVE-2015-2403 (MS15-065): IE CTableSection out-of-bounds memory access, SMTP variant (sid 35156 is
# the twin). Requires an x-ua-compatible IE=8 meta tag; "frameset" is a fast_pattern:only token
# (used for pre-filtering, not re-verified at a position), followed by createElement/appendChild,
# a style element and replaceNode(.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableSection object out of bounds memory access attempt"; flow:to_server,established; file_data; content:"<meta http-equiv="; content:"x-ua-compatible"; within:20; content:"IE=8"; within:20; content:"frameset"; fast_pattern:only; content:".createElement"; content:".appendChild"; within:100; content:".createElement"; content:"style"; within:20; nocase; content:".replaceNode("; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2403; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35157; rev:2;)
# CVE-2015-2403 (MS15-065): to_client counterpart of sid 35157 (CTableSection OOB access) for
# HTTP / FTP-data / IMAP / POP3 file data.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableSection object out of bounds memory access attempt"; flow:to_client,established; file_data; content:"<meta http-equiv="; content:"x-ua-compatible"; within:20; content:"IE=8"; within:20; content:"frameset"; fast_pattern:only; content:".createElement"; content:".appendChild"; within:100; content:".createElement"; content:"style"; within:20; nocase; content:".replaceNode("; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2403; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35156; rev:2;)
# CVE-2015-1767 (MS15-065): IE CGeneratedTreeNode use-after-free, SMTP variant (sid 35154 is the
# twin). createTreeWalker is a fast_pattern:only pre-filter; then createElement("noscript"), a
# DOMNodeInserted listener and swapNode.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use after free attempt"; flow:to_server,established; file_data; content:".createTreeWalker"; fast_pattern:only; content:".createElement("; nocase; content:"noscript"; within:20; nocase; content:".addEventListener"; nocase; content:"DOMNodeInserted"; within:50; nocase; content:"swapNode"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1767; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35155; rev:2;)
# CVE-2015-1767 (MS15-065): to_client counterpart of sid 35155 (CGeneratedTreeNode UAF) for
# HTTP / FTP-data / IMAP / POP3 file data.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use after free attempt"; flow:to_client,established; file_data; content:".createTreeWalker"; fast_pattern:only; content:".createElement("; nocase; content:"noscript"; within:20; nocase; content:".addEventListener"; nocase; content:"DOMNodeInserted"; within:50; nocase; content:"swapNode"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1767; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35154; rev:2;)
# Shipped disabled. CVE-2015-2406 (MS15-065): IE uninitialized-pointer memory access, SMTP variant.
# createNodeIterator on documentElement with NodeFilter.SHOW_ALL followed by SelectAll, each within
# 100 bytes. No fast_pattern is set explicitly, so Snort picks the longest content itself.
# attempted-admin; security and max-detect policies only. sid 35152 is the file-data twin.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer memory access through an uninitialized pointer attempt"; flow:to_server,established; file_data; content:".createNodeIterator"; nocase; content:".documentElement"; within:100; nocase; content:"NodeFilter.SHOW_ALL"; within:100; nocase; content:"SelectAll"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2406; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-admin; sid:35153; rev:2;)
# Shipped disabled. CVE-2015-2406 (MS15-065): to_client counterpart of sid 35153 (uninitialized
# pointer access) for HTTP / FTP-data / IMAP / POP3 file data.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer memory access through an uninitialized pointer attempt"; flow:to_client,established; file_data; content:".createNodeIterator"; nocase; content:".documentElement"; within:100; nocase; content:"NodeFilter.SHOW_ALL"; within:100; nocase; content:"SelectAll"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2406; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-admin; sid:35152; rev:2;)
# CVE-2015-1733 (MS15-065): IE CTableSection use-after-free, SMTP variant (sid 35145 is the twin).
# Requires an X-UA-Compatible IE=6 compatibility header, an onmouseover handler, createTHead()
# (fast_pattern:only pre-filter) and two window.setTimeout( calls within 200 bytes of each other.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableSection use after free attempt"; flow:to_server,established; file_data; content:"http-equiv="; nocase; content:"X-UA-Compatible"; within:50; nocase; content:"content="; within:50; nocase; content:"IE=6"; within:50; nocase; content:"onmouseover"; content:".createTHead()"; fast_pattern:only; content:"window.setTimeout("; content:"window.setTimeout("; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1733; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35146; rev:2;)
# CVE-2015-1733 (MS15-065): to_client counterpart of sid 35146 (CTableSection UAF) for
# HTTP / FTP-data / IMAP / POP3 file data.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableSection use after free attempt"; flow:to_client,established; file_data; content:"http-equiv="; nocase; content:"X-UA-Compatible"; within:50; nocase; content:"content="; within:50; nocase; content:"IE=6"; within:50; nocase; content:"onmouseover"; content:".createTHead()"; fast_pattern:only; content:"window.setTimeout("; content:"window.setTimeout("; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1733; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35145; rev:2;)
# Shipped disabled. CVE-2015-2413 / CVE-2015-2429 (MS15-065, MS15-090): IE sandbox permission bypass
# via registry read, SMTP variant. The only match is a 32-byte raw x86-64 instruction sequence
# including fixed displacement and call-target bytes, so it identifies one specific compiled binary;
# recompiled or differently linked variants will not match (high false-negative risk, near-zero
# false positives). Security and max-detect policies only; sid 35139 is the file-data twin.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer sandbox permission bypass registry read attempt"; flow:to_server,established; file_data; content:"|48 89 44 24 20 41 B9 19 00 02 00 45 33 C0 48 8D 15 E0 67 01 00 48 C7 C1 01 00 00 80 FF 15 53 EF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2413; reference:cve,2015-2429; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-090; classtype:attempted-user; sid:35140; rev:3;)
# Shipped disabled. CVE-2015-2413 / CVE-2015-2429: to_client counterpart of sid 35140, same
# binary-exact byte sequence over HTTP / FTP-data / IMAP / POP3 file data.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer sandbox permission bypass registry read attempt"; flow:to_client,established; file_data; content:"|48 89 44 24 20 41 B9 19 00 02 00 45 33 C0 48 8D 15 E0 67 01 00 48 C7 C1 01 00 00 80 FF 15 53 EF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2413; reference:cve,2015-2429; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-090; classtype:attempted-user; sid:35139; rev:3;)
# sid 35134 (disabled by default). SMTP twin of sid 35133. Another fixed 24-byte code-sequence
# signature; carries no policy metadata, so even when enabled it alerts rather than drops.
# CVE-2015-2412 / MS15-065.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer sandbox read permission bypass attempt"; flow:to_server,established; file_data; content:"|44 24 20 03 00 00 00 FF 15 10 19 01 00 48 8D 48 FF 48 8B E8 48 83 F9 FD|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2412; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35134; rev:2;)
# sid 35133 (disabled by default). Client-bound twin of sid 35134; same byte-exact signature and
# same alert-only behaviour (no policy metadata).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer sandbox read permission bypass attempt"; flow:to_client,established; file_data; content:"|44 24 20 03 00 00 00 FF 15 10 19 01 00 48 8D 48 FF 48 8B E8 48 83 F9 FD|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2412; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35133; rev:2;)
# sid 35128 (disabled by default). SMTP twin of sid 35127. The content decodes to the literal
# string res://c:\\ (3A 2F 2F = "://", 3A 5C 5C = ":\\"), i.e. a res: URL pointing at the local
# C: drive. Note the match is case-sensitive (no nocase), so a differently-cased drive letter or
# scheme is not caught. Alert-only (no policy metadata). CVE-2015-2413 / MS15-065.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer local file information disclosure attempt"; flow:to_server,established; file_data; content:"res|3A 2F 2F|c|3A 5C 5C|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35128; rev:3;)
# sid 35127 (disabled by default). Client-bound twin of sid 35128: same case-sensitive res://c:\\
# literal, same alert-only behaviour.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer local file information disclosure attempt"; flow:to_client,established; file_data; content:"res|3A 2F 2F|c|3A 5C 5C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35127; rev:3;)
# sid 35126 (enabled). SMTP twin of sid 35125. Requires <meter, <output, <button and <form tags
# plus getElementsByTagName("meter"/"button") calls, and a negated content:!"</form" — with no
# relative modifier the negation applies to the whole file_data buffer, so any closing </form>
# anywhere in the body suppresses the alert. Drop in all three policies. CVE-2015-2401 / MS15-065.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CInput use after free attempt"; flow:to_server,established; file_data; content:"<meter"; nocase; content:"<output"; nocase; content:"<button"; nocase; content:"<form"; nocase; content:!"</form"; nocase; content:".getElementsByTagName"; nocase; content:"meter"; within:20; nocase; content:".getElementsByTagName"; nocase; content:"button"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2401; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35126; rev:2;)
# sid 35125 (enabled). Client-bound twin of sid 35126; identical content chain, including the
# buffer-wide negated </form check.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CInput use after free attempt"; flow:to_client,established; file_data; content:"<meter"; nocase; content:"<output"; nocase; content:"<button"; nocase; content:"<form"; nocase; content:!"</form"; nocase; content:".getElementsByTagName"; nocase; content:"meter"; within:20; nocase; content:".getElementsByTagName"; nocase; content:"button"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2401; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35125; rev:2;)
# sid 35124 (enabled). SMTP twin of sid 35123. Keys on x-ua-compatible IE=5, insertRow() followed
# by deleteRow(0) within 50 bytes (deleteRow(0) is the fast_pattern, without :only so it is also
# re-verified in position), and a <body ... </body pair within 25 bytes (near-empty body).
# Drop in all three policies. CVE-2015-2406 / MS15-065.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableRow use after free attempt"; flow:to_server,established; file_data; content:"x-ua-compatible"; nocase; content:"IE=5"; within:25; nocase; content:"insertRow()"; nocase; content:"deleteRow(0)"; within:50; fast_pattern; nocase; content:"<body"; nocase; content:"</body"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2406; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35124; rev:2;)
# sid 35123 (enabled). Client-bound twin of sid 35124; same content chain and policy treatment.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableRow use after free attempt"; flow:to_client,established; file_data; content:"x-ua-compatible"; nocase; content:"IE=5"; within:25; nocase; content:"insertRow()"; nocase; content:"deleteRow(0)"; within:50; fast_pattern; nocase; content:"<body"; nocase; content:"</body"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2406; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35123; rev:2;)
# sid 35122 (enabled). SMTP twin of sid 35121. Ordered chain: x-ua-compatible IE=5, then
# createElement -> applyElement (within 50) -> CollectGarbage (within 100) -> parentNode.removechild
# (within 50); every step is relative to the previous match. No explicit fast_pattern, so the
# engine presumably picks the longest content. Drop in all three policies. CVE-2015-2397 / MS15-065.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTextArea use after free attempt"; flow:to_server,established; file_data; content:"x-ua-compatible"; nocase; content:"IE=5"; within:50; nocase; content:"createElement"; nocase; content:"applyElement"; within:50; nocase; content:"CollectGarbage"; within:100; nocase; content:"parentNode.removechild"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2397; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35122; rev:2;)
# sid 35121 (enabled). Client-bound twin of sid 35122; same relative content chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTextArea use after free attempt"; flow:to_client,established; file_data; content:"x-ua-compatible"; nocase; content:"IE=5"; within:50; nocase; content:"createElement"; nocase; content:"applyElement"; within:50; nocase; content:"CollectGarbage"; within:100; nocase; content:"parentNode.removechild"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2397; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:35121; rev:2;)
# sid 35120 (enabled). SMTP twin of sid 35119. Fully relative chain: createElementNS + svg,
# createTextNode, xlink:href, MutationObserver + childList, extractContents, each bounded by a
# within window. All of these are legitimate DOM APIs; the ordering and proximity windows are what
# limit false positives. Drop in all three policies. CVE-2015-2384 / MS15-065.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode type confusion attempt"; flow:to_server,established; file_data; content:"createElementNS"; nocase; content:"svg"; within:25; nocase; content:"createTextNode"; within:300; nocase; content:"xlink:href"; within:200; nocase; content:"MutationObserver"; within:150; nocase; content:"childList"; within:75; nocase; content:"extractContents"; within:300; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2384; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35120; rev:2;)
# sid 35119 (enabled). Client-bound twin of sid 35120; same relative chain and policy treatment.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode type confusion attempt"; flow:to_client,established; file_data; content:"createElementNS"; nocase; content:"svg"; within:25; nocase; content:"createTextNode"; within:300; nocase; content:"xlink:href"; within:200; nocase; content:"MutationObserver"; within:150; nocase; content:"childList"; within:75; nocase; content:"extractContents"; within:300; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2384; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35119; rev:2;)
# sid 35117 (disabled by default). SMTP twin of sid 35116. Looks for the CSS selectors
# first-child::before and first-child::after (3A 3A = "::") within 100 bytes, then
# range.moveEnd( (28 = "(") with "sentence" and "-1" shortly after. Case-sensitive throughout;
# alert-only (no policy metadata). CVE-2015-2421 / MS15-065.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer svg elements use after free attempt"; flow:to_server,established; file_data; content:"first-child|3A 3A|before"; content:"first-child|3A 3A|after"; within:100; content:"range.moveEnd|28|"; content:"sentence"; within:15; content:"-1"; within:10; metadata:service smtp; reference:cve,2015-2421; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35117; rev:2;)
# sid 35116 (disabled by default). Client-bound twin of sid 35117; same case-sensitive chain.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer svg elements use after free attempt"; flow:to_client,established; file_data; content:"first-child|3A 3A|before"; content:"first-child|3A 3A|after"; within:100; content:"range.moveEnd|28|"; content:"sentence"; within:15; content:"-1"; within:10; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2421; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:35116; rev:2;)
# sid 35115 (enabled). SMTP twin of sid 35114. The pcre is the discriminating check: the named
# group (?P<param>\w+) and back-reference (?P=param) require replaceChild(X, X) with the same
# identifier in both argument positions; the contents (.getElement, .replaceChild, <object, <param)
# only pre-filter. Older bulletin than its neighbours: CVE-2014-0280 / MS14-010. Drop in balanced
# and security policies (not listed for max-detect).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer replaceChild function memory corruption attempt"; flow:to_server,established; file_data; content:".getElement"; nocase; content:".replaceChild"; within:100; nocase; content:"<object"; nocase; content:"<param"; within:100; nocase; pcre:"/\.replaceChild\x28\s*(?P<param>\w+)\s*,\s*(?P=param)\s*\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0280; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:35115; rev:2;)
# sid 35114 (enabled). Client-bound twin of sid 35115; same same-argument replaceChild pcre.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer replaceChild function memory corruption attempt"; flow:to_client,established; file_data; content:".getElement"; nocase; content:".replaceChild"; within:100; nocase; content:"<object"; nocase; content:"<param"; within:100; nocase; pcre:"/\.replaceChild\x28\s*(?P<param>\w+)\s*,\s*(?P=param)\s*\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0280; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-010; classtype:attempted-user; sid:35114; rev:2;)
# sid 35508 (disabled by default, rev 5). SMTP twin of sid 35507. Requires Number.prototype.length
# followed (distance:0, i.e. anywhere later) by ".join." and a pcre for Array.prototype.join or
# [].join invoked via .call/.apply. Drop only in max-detect when enabled. CVE-2015-2448 / MS15-079.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt"; flow:to_server,established; file_data; content:"Number.prototype.length"; nocase; content:".join."; distance:0; nocase; pcre:"/(Array\x2eprototype|\x5b\x5d)\x2ejoin\x2e(call|apply)/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-2448; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; classtype:attempted-user; sid:35508; rev:5;)
# sid 35507 (disabled by default, rev 5). Client-bound twin of sid 35508; identical detection.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt"; flow:to_client,established; file_data; content:"Number.prototype.length"; nocase; content:".join."; distance:0; nocase; pcre:"/(Array\x2eprototype|\x5b\x5d)\x2ejoin\x2e(call|apply)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2448; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; classtype:attempted-user; sid:35507; rev:5;)
# sid 35500 (enabled, rev 3). SMTP twin of sid 35499. window.scrollBy is the fast_pattern:only
# anchor; then onload with onresize within 200, an <input whose type is "range", and document.body.
# All matches are case-sensitive (no nocase). Drop in all three policies. CVE-2015-2446 /
# MS15-079 and MS15-091; bugtraq 76193.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt"; flow:to_server,established; file_data; content:"window.scrollBy"; fast_pattern:only; content:"onload"; content:"onresize"; within:200; content:"<input "; content:"type"; within:50; content:"range"; within:15; content:"document.body"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,76193; reference:cve,2015-2446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-091; classtype:attempted-user; sid:35500; rev:3;)
# sid 35499 (enabled, rev 3). Client-bound twin of sid 35500; same case-sensitive chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt"; flow:to_client,established; file_data; content:"window.scrollBy"; fast_pattern:only; content:"onload"; content:"onresize"; within:200; content:"<input "; content:"type"; within:50; content:"range"; within:15; content:"document.body"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,76193; reference:cve,2015-2446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-091; classtype:attempted-user; sid:35499; rev:3;)
# sid 35494 (disabled by default). SMTP twin of sid 35493. Chain: ".style." then createAttribute
# with "style" within 15, then two setAttributeNode calls each within 50 of the previous match.
# NOTE(review): classtype is attempted-admin while every neighbouring IE rule uses attempted-user;
# confirm this is intentional, as it changes the priority assigned to the event.
# CVE-2015-2452 / MS15-079.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt"; flow:to_server,established; file_data; content:".style."; content:"createAttribute"; within:100; content:"style"; within:15; content:"setAttributeNode"; within:50; content:"setAttributeNode"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2452; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; classtype:attempted-admin; sid:35494; rev:2;)
# sid 35493 (disabled by default). Client-bound twin of sid 35494; same chain and the same
# attempted-admin classtype worth confirming.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt"; flow:to_client,established; file_data; content:".style."; content:"createAttribute"; within:100; content:"style"; within:15; content:"setAttributeNode"; within:50; content:"setAttributeNode"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2452; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; classtype:attempted-admin; sid:35493; rev:2;)
# sid 35482 (enabled). SMTP twin of sid 35481. getElementsByTagName("p") with an "id" nearby,
# execCommand("undo") within 300/30, then CollectGarbage (fast_pattern, distance:0) and
# getElementById within 100. Drop in all three policies. CVE-2015-2442 / MS15-079.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CParaElement use-after-free attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagName"; nocase; content:"p"; within:5; nocase; content:"id"; within:10; content:".execCommand"; within:300; nocase; content:"undo"; within:30; nocase; content:"CollectGarbage"; distance:0; fast_pattern; nocase; content:"document.getElementById"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2442; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-079; classtype:attempted-user; sid:35482; rev:2;)
# sid 35481 (enabled). Client-bound twin of sid 35482; same chain and policy treatment.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CParaElement use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName"; nocase; content:"p"; within:5; nocase; content:"id"; within:10; content:".execCommand"; within:300; nocase; content:"undo"; within:30; nocase; content:"CollectGarbage"; distance:0; fast_pattern; nocase; content:"document.getElementById"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2442; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-079; classtype:attempted-user; sid:35481; rev:2;)
# sid 35480 (disabled by default, rev 4). SMTP twin of sid 35479. Three generic JS tokens — new
# Error, Object.getOwnPropertyDescriptor within 250, ".call(" within 850 — which is a wide window
# over very common code; treat as a low-confidence indicator. NOTE(review): this side applies
# nocase to ".call(" but sid 35479 does not; the pair should agree. Drop only in max-detect.
# CVE-2015-2443 / MS15-079.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt"; flow:to_server,established; file_data; content:"new Error"; content:"Object.getOwnPropertyDescriptor"; within:250; content:".call("; within:850; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-2443; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; classtype:attempted-user; sid:35480; rev:4;)
# sid 35479 (disabled by default, rev 4). Client-bound twin of sid 35480. NOTE(review): the final
# ".call(" content here is case-sensitive whereas sid 35480 has nocase on it — probable drift
# between the pair; confirm which is intended.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt"; flow:to_client,established; file_data; content:"new Error"; content:"Object.getOwnPropertyDescriptor"; within:250; content:".call("; within:850; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2443; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; classtype:attempted-user; sid:35479; rev:4;)
# sid 35478 (enabled, rev 3). SMTP twin of sid 35477. -ms-behavior is the fast_pattern:only
# anchor; then X-UA-Compatible IE=10, getElementsByTagName("meter") and location.reload within 100.
# A second pair for the same CVE with a different trigger pattern is sids 35837/35836 further
# down. Drop in all three policies. CVE-2015-2444 / MS15-079; bugtraq 69325.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt"; flow:to_server,established; file_data; content:"-ms-behavior"; fast_pattern:only; content:"X-UA-Compatible"; nocase; content:"IE=10"; within:50; nocase; content:"getElementsByTagName"; nocase; content:"meter"; within:15; nocase; content:"location.reload"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,69325; reference:cve,2015-2444; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; classtype:attempted-user; sid:35478; rev:3;)
# sid 35477 (enabled, rev 3). Client-bound twin of sid 35478; same -ms-behavior anchored chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt"; flow:to_client,established; file_data; content:"-ms-behavior"; fast_pattern:only; content:"X-UA-Compatible"; nocase; content:"IE=10"; within:50; nocase; content:"getElementsByTagName"; nocase; content:"meter"; within:15; nocase; content:"location.reload"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,69325; reference:cve,2015-2444; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; classtype:attempted-user; sid:35477; rev:3;)
# sid 35476 (enabled). SMTP twin of sid 35475. Math/MathML namespace plus owningElement ->
# .removeNode -> owningElement -> .getAdjacentText -> .addImport. Covers CVE-2015-2451; the
# similarly named pair sids 35474/35473 below covers CVE-2015-2450 with a different chain (the
# msg strings differ only by "use after free" vs "use-after-free"). Drop in all three policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use after free attempt"; flow:to_server,established; file_data; content:"Math/MathML"; nocase; content:"owningElement"; nocase; content:".removeNode"; within:50; nocase; content:"owningElement"; within:100; nocase; content:".getAdjacentText"; within:50; nocase; content:".addImport"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2451; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-079; classtype:attempted-user; sid:35476; rev:2;)
# sid 35475 (enabled). Client-bound twin of sid 35476 (CVE-2015-2451); same chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use after free attempt"; flow:to_client,established; file_data; content:"Math/MathML"; nocase; content:"owningElement"; nocase; content:".removeNode"; within:50; nocase; content:"owningElement"; within:100; nocase; content:".getAdjacentText"; within:50; nocase; content:".addImport"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2451; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-079; classtype:attempted-user; sid:35475; rev:2;)
# sid 35474 (enabled). SMTP twin of sid 35473. .addImport -> CollectGarbage (within 200) ->
# .styleSheet.addRule (within 300) -> .styleSheet.deleteRule (within 100) -> .reload (within 100).
# Covers CVE-2015-2450 / MS15-079 (distinct from the 35476/35475 pair above). Drop in all three.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use-after-free attempt"; flow:to_server,established; file_data; content:".addImport"; nocase; content:"CollectGarbage"; within:200; nocase; content:".styleSheet.addRule"; within:300; nocase; content:".styleSheet.deleteRule"; within:100; nocase; content:".reload"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2450; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-079; classtype:attempted-user; sid:35474; rev:2;)
# sid 35473 (enabled). Client-bound twin of sid 35474 (CVE-2015-2450); same chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use-after-free attempt"; flow:to_client,established; file_data; content:".addImport"; nocase; content:"CollectGarbage"; within:200; nocase; content:".styleSheet.addRule"; within:300; nocase; content:".styleSheet.deleteRule"; within:100; nocase; content:".reload"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2450; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-079; classtype:attempted-user; sid:35473; rev:2;)
# sid 35537 (enabled, rev 3). SMTP twin of sid 35536. .insertRow then .applyElement("outside"),
# document.body.contentEditable set to false and later to true, and a body element with an
# onpropertychange handler within 100 bytes (the fast_pattern). Drop in all three policies.
# CVE-2015-2502 / MS15-093.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer table layout cache arbitrary code execution attempt"; flow:to_server,established; file_data; content:".insertRow"; nocase; content:".applyElement"; within:100; nocase; content:"outside"; within:20; nocase; content:"document.body.contentEditable"; nocase; content:"false"; within:20; nocase; content:"document.body.contentEditable"; nocase; content:"true"; within:20; nocase; content:"body"; nocase; content:"onpropertychange"; within:100; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-093; classtype:attempted-user; sid:35537; rev:3;)
# sid 35536 (enabled, rev 3). Client-bound twin of sid 35537; same chain and policy treatment.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer table layout cache arbitrary code execution attempt"; flow:to_client,established; file_data; content:".insertRow"; nocase; content:".applyElement"; within:100; nocase; content:"outside"; within:20; nocase; content:"document.body.contentEditable"; nocase; content:"false"; within:20; nocase; content:"document.body.contentEditable"; nocase; content:"true"; within:20; nocase; content:"body"; nocase; content:"onpropertychange"; within:100; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-093; classtype:attempted-user; sid:35536; rev:3;)
# sid 35706 (enabled). SMTP twin of sid 35705; Edge, not IE, despite the BROWSER-IE category.
# .location.href with a "#" within 35, .parentNode.removeChild within 250, history.state within
# 250 (fast_pattern), plus an iframe anywhere. NOTE(review): this pair carries no reference:
# option at all — add the CVE/bulletin once known so triage can link the alert to a fix.
# Drop in all three policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge history.state use after free attempt"; flow:to_server,established; file_data; content:".location.href"; nocase; content:"#"; within:35; content:".parentNode.removeChild"; within:250; nocase; content:"history.state"; within:250; fast_pattern; nocase; content:"iframe"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:35706; rev:2;)
# sid 35705 (enabled). Client-bound twin of sid 35706; same chain, and likewise no reference:
# option to tie the alert to a vulnerability identifier.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge history.state use after free attempt"; flow:to_client,established; file_data; content:".location.href"; nocase; content:"#"; within:35; content:".parentNode.removeChild"; within:250; nocase; content:"history.state"; within:250; fast_pattern; nocase; content:"iframe"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35705; rev:2;)
# sid 35748 (disabled by default, rev 5). Client-bound, content-only variant of the MS12-023
# iframe readystatechange detection: addEventListener + readystatechange within 25, then
# document.write, iframe and .appendChild in a tight relative chain. Its pcre-backed sibling is
# sid 35747 (next rule); the SMTP pair is sids 35772/35771. CVE-2012-0170; bugtraq 52904.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt"; flow:to_client,established; file_data; content:".addEventListener"; nocase; content:"readystatechange"; within:25; nocase; content:"document.write"; within:50; nocase; content:"iframe"; within:100; nocase; content:".appendChild"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52904; reference:cve,2012-0170; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-023; classtype:attempted-user; sid:35748; rev:5;)
# sid 35747 (disabled by default, rev 5). Client-bound pcre variant of sid 35748. The regex captures
# the name of a function whose body contains document.write (named group del_func) and requires
# that same name to be passed as the readystatechange listener — i.e. the handler that rewrites
# the document is the one registered on the iframe. Flags /smi make "." span newlines and the
# ".*?" between the two halves can walk a large part of the buffer; hedge: expect higher PCRE
# cost on big bodies than the content-only sibling. Drop in max-detect and security when enabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt"; flow:to_client,established; file_data; content:"document.write"; nocase; content:".addEventListener"; distance:0; nocase; content:"readystatechange"; within:25; nocase; content:"iframe"; within:100; nocase; content:".appendChild"; within:100; nocase; pcre:"/function\s+(?P<del_func>\w+)\s*\x28[^\x7b]*?\x7b[^\x7d]*?document\.write.*?\.addEventListener\s*\x28\s*[\x22\x27]readystatechange[\x22\x27]\s*,\s*(?P=del_func)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52904; reference:cve,2012-0170; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-023; classtype:attempted-user; sid:35747; rev:5;)
# sid 35772 (disabled by default, rev 4). SMTP twin of sid 35747: same del_func back-reference
# pcre and the same /smi cost caveat. Note the rev differs from the client-bound pair (4 vs 5).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt"; flow:to_server,established; file_data; content:"document.write"; nocase; content:".addEventListener"; distance:0; nocase; content:"readystatechange"; within:25; nocase; content:"iframe"; within:100; nocase; content:".appendChild"; within:100; nocase; pcre:"/function\s+(?P<del_func>\w+)\s*\x28[^\x7b]*?\x7b[^\x7d]*?document\.write.*?\.addEventListener\s*\x28\s*[\x22\x27]readystatechange[\x22\x27]\s*,\s*(?P=del_func)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,52904; reference:cve,2012-0170; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-023; classtype:attempted-user; sid:35772; rev:4;)
# sid 35771 (disabled by default, rev 4). SMTP twin of sid 35748: content-only chain, no pcre.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt"; flow:to_server,established; file_data; content:".addEventListener"; nocase; content:"readystatechange"; within:25; nocase; content:"document.write"; within:50; nocase; content:"iframe"; within:100; nocase; content:".appendChild"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,52904; reference:cve,2012-0170; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-023; classtype:attempted-user; sid:35771; rev:4;)
# sid 35837 (enabled). SMTP twin of sid 35836. Second detection for CVE-2015-2444 (see also sids
# 35478/35477): window.location.href as fast_pattern:only, X-UA-Compatible IE=10, "meter." followed
# by textContent within 15, then two window.location.href occurrences within 25 of each other.
# Drop in all three policies. MS15-079; bugtraq 69325.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt"; flow:to_server,established; file_data; content:"window.location.href"; fast_pattern:only; content:"X-UA-Compatible"; nocase; content:"IE=10"; within:50; nocase; content:"meter."; nocase; content:"textContent"; within:15; nocase; content:"window.location.href"; nocase; content:"window.location.href"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,69325; reference:cve,2015-2444; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; classtype:attempted-user; sid:35837; rev:2;)
# sid 35836 (enabled). Client-bound twin of sid 35837; same chain (CVE-2015-2444).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt"; flow:to_client,established; file_data; content:"window.location.href"; fast_pattern:only; content:"X-UA-Compatible"; nocase; content:"IE=10"; within:50; nocase; content:"meter."; nocase; content:"textContent"; within:15; nocase; content:"window.location.href"; nocase; content:"window.location.href"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,69325; reference:cve,2015-2444; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; classtype:attempted-user; sid:35836; rev:2;)
# sid 36021 (disabled by default). SMTP twin of sid 36020. Fixed 24-byte sequence (appears to be
# 32-bit x86 code writing immediates to absolute addresses) — byte-exact, so it only matches the
# one sample it was cut from. classtype is policy-violation rather than attempted-user, and there
# is no policy metadata (alert-only). CVE-2015-2489 / MS15-094.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer EPM SetValue sandbox bypass attempt"; flow:to_server,established; file_data; content:"|C7 05 E0 F5 02 10 09 04 00 C0 C7 05 E4 F5 02 10 01 00 00 00 C7 05 F0 F5|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2489; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:policy-violation; sid:36021; rev:2;)
# sid 36020 (disabled by default). Client-bound twin of sid 36021; same byte-exact signature.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer EPM SetValue sandbox bypass attempt"; flow:to_client,established; file_data; content:"|C7 05 E0 F5 02 10 09 04 00 C0 C7 05 E4 F5 02 10 01 00 00 00 C7 05 F0 F5|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2489; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:policy-violation; sid:36020; rev:2;)
# sid 36019 (enabled). SMTP twin of sid 36018. <th, onload and .insertBefore anywhere (each a
# fresh buffer search), then .colSpan within 50 and .insertRow within 50 (fast_pattern). All
# case-sensitive. Drop in all three policies. CVE-2015-2492 / MS15-094.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer invalid memory access attempt"; flow:to_server,established; file_data; content:"<th"; content:"onload"; content:".insertBefore"; content:".colSpan"; within:50; content:".insertRow"; within:50; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2492; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:36019; rev:2;)
# sid 36018 (enabled). Client-bound twin of sid 36019; same case-sensitive chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer invalid memory access attempt"; flow:to_client,established; file_data; content:"<th"; content:"onload"; content:".insertBefore"; content:".colSpan"; within:50; content:".insertRow"; within:50; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2492; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:36018; rev:2;)
# sid 36009 (enabled). SMTP twin of sid 36008. createElement("body"), createElement("area") within
# 250, .createTextRange within 500, .pasteHTML within 50 and a literal <form> within 25 — a fully
# relative chain with fairly wide windows. Drop in all three policies. CVE-2015-2498 / MS15-094.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds array memory access attempt"; flow:to_server,established; file_data; content:".createElement"; nocase; content:"body"; within:25; nocase; content:".createElement"; within:250; nocase; content:"area"; within:25; nocase; content:".createTextRange"; within:500; nocase; content:".pasteHTML"; within:50; nocase; content:"<form>"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:36009; rev:2;)
# sid 36008 (enabled). Client-bound twin of sid 36009; same relative chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds array memory access attempt"; flow:to_client,established; file_data; content:".createElement"; nocase; content:"body"; within:25; nocase; content:".createElement"; within:250; nocase; content:"area"; within:25; nocase; content:".createTextRange"; within:500; nocase; content:".pasteHTML"; within:50; nocase; content:"<form>"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:36008; rev:2;)
# sid 36007 (enabled, rev 3). SMTP twin of sid 36006. The interesting part is numeric: after
# table-layout:fixed and colSpan followed by a double quote (|22|), byte_extract reads up to 10
# ASCII-decimal digits into the variable colspan; the rule then finds <col ... span= (pcre allows
# " or ') and byte_test fires only when that span value is greater than colspan. NOTE(review): the
# colSpan side accepts only a double-quoted value (content:"|22|") while the pcre for the col span
# accepts either quote — a single-quoted colSpan attribute will not be inspected. Drop in all
# three policies. CVE-2015-2499 / MS15-094.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt"; flow:to_server,established; file_data; content:"table-layout"; content:"fixed"; within:20; content:"colSpan"; content:"|22|"; within:10; byte_extract:10,0,colspan,relative,string; content:"<col "; content:"span"; within:40; pcre:"/<\s*col[^>]*span\s*=\s*[\x22\x27]/i"; byte_test:10,>,colspan,0,relative,string; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2499; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-094; classtype:attempted-user; sid:36007; rev:3;)
# sid 36006 (enabled, rev 3). Client-bound twin of sid 36007: same byte_extract/byte_test
# comparison of the <col span> value against the extracted colSpan value, and the same
# double-quote-only limitation on the colSpan side.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt"; flow:to_client,established; file_data; content:"table-layout"; content:"fixed"; within:20; content:"colSpan"; content:"|22|"; within:10; byte_extract:10,0,colspan,relative,string; content:"<col "; content:"span"; within:40; pcre:"/<\s*col[^>]*span\s*=\s*[\x22\x27]/i"; byte_test:10,>,colspan,0,relative,string; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2499; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-094; classtype:attempted-user; sid:36006; rev:3;)
# MS15-094 / CVE-2015-2500 (SMTP, to_server): two "for(" loops (the first followed by "null" within
# 50 bytes), then createElement( -> .shape -> document.images.length; every content match here is
# case-sensitive (no nocase). Twin of sid:36004 for $FILE_DATA_PORTS traffic.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CImgElement object double free attempt"; flow:to_server,established; file_data; content:"for("; content:"null"; within:50; content:"for("; within:50; content:".createElement("; within:100; content:".shape"; within:100; content:"document.images.length"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2500; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:36005; rev:2;)
# MS15-094 / CVE-2015-2500 (to_client twin of sid:36005): same case-sensitive for(/null/for(/
# createElement(/.shape/document.images.length chain, applied to file data over the listed services.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CImgElement object double free attempt"; flow:to_client,established; file_data; content:"for("; content:"null"; within:50; content:"for("; within:50; content:".createElement("; within:100; content:".shape"; within:100; content:"document.images.length"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2500; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:36004; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"BROWSER-IE Microsoft Internet Explorer msGetRegionContent memory corruption attempt"; flow:to_server,established; file_data; content:".style.display"; content:"run-in"; within:50; nocase; content:".style.position"; within:200; nocase; content:"absolute"; within:50; nocase; content:".msGetRegionContent"; within:200; nocase; content:".width"; within:200; nocase; content:".accessKey"; within:200; nocase; metadata:service http, service smtp; reference:cve,2015-2483; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35999; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer msGetRegionContent memory corruption attempt"; flow:to_client,established; file_data; content:".style.display"; content:"run-in"; within:50; nocase; content:".style.position"; within:200; nocase; content:"absolute"; within:50; nocase; content:".msGetRegionContent"; within:200; nocase; content:".width"; within:200; nocase; content:".accessKey"; within:200; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2483; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35998; rev:2;)
# MS15-094 / CVE-2015-2501 (SMTP, to_server): "svg" followed by window.setTimeout( within 100 bytes
# and window.location.reload() within 50 more, then an onload= handler with an <img tag within 50
# bytes of it. All content matches are case-sensitive. Twin of sid:35992 for $FILE_DATA_PORTS traffic.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CImgTaskSvgDoc object double free attempt"; flow:to_server,established; file_data; content:"svg"; content:"window.setTimeout("; within:100; content:"window.location.reload()"; within:50; content:"onload="; within:500; content:"<img"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2501; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35993; rev:2;)
# MS15-094 / CVE-2015-2501 (to_client twin of sid:35993): same svg / setTimeout( / location.reload()
# / onload= / <img chain over the file-data services.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CImgTaskSvgDoc object double free attempt"; flow:to_client,established; file_data; content:"svg"; content:"window.setTimeout("; within:100; content:"window.location.reload()"; within:50; content:"onload="; within:500; content:"<img"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2501; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35992; rev:2;)
# MS15-094 / CVE-2015-2493 (SMTP, to_server): "JScript.Compact" is the fast-pattern anchor; the rest
# is case-insensitive and ordered: the IE=edge compatibility string, getElementsByTagName "script",
# createElement "script" and parentNode.insertBefore. Twin of sid:35990 for $FILE_DATA_PORTS traffic.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer JScript.Compact insertBefore memory corruption attempt"; flow:to_server,established; file_data; content:"JScript.Compact"; fast_pattern:only; content:"IE=edge"; nocase; content:".getElementsByTagName"; nocase; content:"script"; within:25; nocase; content:".createElement"; within:75; nocase; content:"script"; within:25; nocase; content:".parentNode.insertBefore"; within:75; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2493; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35991; rev:2;)
# MS15-094 / CVE-2015-2493 (to_client twin of sid:35991): same JScript.Compact / IE=edge /
# getElementsByTagName("script") / createElement("script") / parentNode.insertBefore chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer JScript.Compact insertBefore memory corruption attempt"; flow:to_client,established; file_data; content:"JScript.Compact"; fast_pattern:only; content:"IE=edge"; nocase; content:".getElementsByTagName"; nocase; content:"script"; within:25; nocase; content:".createElement"; within:75; nocase; content:"script"; within:25; nocase; content:".parentNode.insertBefore"; within:75; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2493; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35990; rev:2;)
# MS15-094 / CVE-2015-2491 (SMTP, to_server): createTextRange followed within 20 bytes by
# .execCommand and "InsertIFrame" (fast pattern, case-insensitive), then innerHTML, an
# onpropertychange handler and removeAttribute inside tight windows. Twin of sid:35975 for
# $FILE_DATA_PORTS traffic.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CElement object use-after-free attempt"; flow:to_server,established; file_data; content:"createTextRange"; content:".execCommand"; within:20; content:"InsertIFrame"; within:20; fast_pattern; nocase; content:"innerHTML"; within:500; content:"onpropertychange"; within:50; nocase; content:"removeAttribute"; within:150; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2491; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35976; rev:2;)
# MS15-094 / CVE-2015-2491 (to_client twin of sid:35976): same option chain. Note the duplicated
# "file_data; file_data;" — the second appears to be a copy/paste leftover (the SMTP twin has it
# once); it re-selects the same buffer, so detection is unaffected, but it is worth dropping in
# the next rev for consistency.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement object use-after-free attempt"; flow:to_client,established; file_data; file_data; content:"createTextRange"; content:".execCommand"; within:20; content:"InsertIFrame"; within:20; fast_pattern; nocase; content:"innerHTML"; within:500; content:"onpropertychange"; within:50; nocase; content:"removeAttribute"; within:150; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2491; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35975; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt"; flow:to_server,established; file_data; content:"OpenStateChange"; fast_pattern:only; content:"PlayStateChange"; nocase; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; nocase; content:"removeNode"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2487; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35972; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt"; flow:to_server,established; file_data; content:"OpenStateChange"; fast_pattern:only; content:"PlayStateChange"; nocase; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; nocase; content:"removeChild"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2487; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35971; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt"; flow:to_client,established; file_data; content:"OpenStateChange"; fast_pattern:only; content:"PlayStateChange"; nocase; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; nocase; content:"removeNode"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2487; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35970; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt"; flow:to_client,established; file_data; content:"OpenStateChange"; fast_pattern:only; content:"PlayStateChange"; nocase; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; nocase; content:"removeChild"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2487; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35969; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge sandbox CreateFileW arbitrary file delete attempt"; flow:to_server,established; file_data; content:"|50 68 00 00 00 04 6A 03 6A 01 68 00 00 00 80 8D 85 54 FF FF FF 50 68 41 41 41 41 8B 45 F4 50 8B 08 FF 51 0C|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2484; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-094; classtype:attempted-user; sid:35968; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge sandbox CreateFileW arbitrary file delete attempt"; flow:to_client,established; file_data; content:"|50 68 00 00 00 04 6A 03 6A 01 68 00 00 00 80 8D 85 54 FF FF FF 50 68 41 41 41 41 8B 45 F4 50 8B 08 FF 51 0C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2484; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-094; classtype:attempted-user; sid:35967; rev:3;)
# MS15-094 / MS15-095 / CVE-2015-2486 (SMTP, to_server): createElement "input" -> setAttributeNS
# (fast pattern) with "value" -> .attributes.value -> two mergeAttributes calls, all case-insensitive
# and window-bounded. Twin of sid:35965 for $FILE_DATA_PORTS traffic.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CElement input type memory corruption attempt"; flow:to_server,established; file_data; content:".createElement"; nocase; content:"input"; within:25; nocase; content:".setAttributeNS"; within:75; fast_pattern; nocase; content:"value"; within:25; nocase; content:".attributes.value"; within:75; nocase; content:".mergeAttributes"; within:75; nocase; content:".mergeAttributes"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2486; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-095; classtype:attempted-user; sid:35966; rev:2;)
# MS15-094 / MS15-095 / CVE-2015-2486 (to_client twin of sid:35966): same createElement("input") /
# setAttributeNS("value") / .attributes.value / double mergeAttributes chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement input type memory corruption attempt"; flow:to_client,established; file_data; content:".createElement"; nocase; content:"input"; within:25; nocase; content:".setAttributeNS"; within:75; fast_pattern; nocase; content:"value"; within:25; nocase; content:".attributes.value"; within:75; nocase; content:".mergeAttributes"; within:75; nocase; content:".mergeAttributes"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2486; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-095; classtype:attempted-user; sid:35965; rev:2;)
# MS15-094 / MS15-095 / CVE-2015-2485 (SMTP, to_server): document.createElement followed by the
# property reads .attributes; .runtimeStyle; .classList; .style; .uniqueNumber; — each
# "within:200; distance:-100" pair rewinds the cursor 100 bytes after a hit, so these reads may
# appear in any order inside a ~200-byte window — then createAttributeNS "style" and
# setAttributeNode. All matches are case-sensitive. Twin of sid:35963 for $FILE_DATA_PORTS traffic.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt"; flow:to_server,established; file_data; content:"document.createElement"; content:".attributes|3B|"; within:100; content:".runtimeStyle|3B|"; within:200; distance:-100; content:".classList|3B|"; within:200; distance:-100; content:".style|3B|"; within:200; distance:-100; content:".uniqueNumber|3B|"; within:200; distance:-100; content:".createAttributeNS"; content:"style"; within:100; content:".setAttributeNode"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2485; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-095; classtype:attempted-user; sid:35964; rev:2;)
# MS15-094 / MS15-095 / CVE-2015-2485 (to_client twin of sid:35964): same order-tolerant property
# read window (within:200 / distance:-100) followed by createAttributeNS "style" and
# setAttributeNode.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt"; flow:to_client,established; file_data; content:"document.createElement"; content:".attributes|3B|"; within:100; content:".runtimeStyle|3B|"; within:200; distance:-100; content:".classList|3B|"; within:200; distance:-100; content:".style|3B|"; within:200; distance:-100; content:".uniqueNumber|3B|"; within:200; distance:-100; content:".createAttributeNS"; content:"style"; within:100; content:".setAttributeNode"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2485; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-095; classtype:attempted-user; sid:35963; rev:2;)
# MS15-094 / CVE-2015-2488 (SMTP, to_server): a <textarea element plus addEventListener( calls for
# DOMNodeRemoved (fast pattern) and DOMNodeInserted; the within:20 / within:21 windows are each
# event name's length plus six bytes of slack for quoting and whitespace. Twin of sid:35959 for
# $FILE_DATA_PORTS traffic.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge DOMNode manipulation use after free attempt"; flow:to_server,established; file_data; content:"<textarea"; nocase; content:"addEventListener|28|"; nocase; content:"DOMNodeRemoved"; within:20; fast_pattern; nocase; content:"addEventListener|28|"; nocase; content:"DOMNodeInserted"; within:21; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2488; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-094; classtype:attempted-user; sid:35960; rev:2;)
# MS15-094 / CVE-2015-2488 (to_client twin of sid:35960): same <textarea / addEventListener(
# DOMNodeRemoved / addEventListener( DOMNodeInserted chain over the file-data services.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge DOMNode manipulation use after free attempt"; flow:to_client,established; file_data; content:"<textarea"; nocase; content:"addEventListener|28|"; nocase; content:"DOMNodeRemoved"; within:20; fast_pattern; nocase; content:"addEventListener|28|"; nocase; content:"DOMNodeInserted"; within:21; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2488; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-094; classtype:attempted-user; sid:35959; rev:2;)
# MS15-094 / MS15-112 / CVE-2015-2490, CVE-2015-6087 (SMTP, to_server): document.write inside a
# function body that is later assigned as the onbeforeunload handler. The pcre's named group
# (?P<del_func>) and backreference (?P=del_func) tie the function name to the handler value.
# sid:35957 covers the reverse order (handler assigned before the function is defined);
# sid:35956 is the $FILE_DATA_PORTS twin of this rule.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge CStr object use after free attempt"; flow:to_server,established; file_data; content:"document.write"; nocase; content:"<body"; distance:0; nocase; content:"onbeforeunload"; within:75; fast_pattern; nocase; pcre:"/function\s+(?P<del_func>\w+)\s*\x28[^\x7b]*?\x7b[^\x7d]*?document\.write.*?onbeforeunload\s*=\s*[\x22\x27]?(?P=del_func)/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2490; reference:cve,2015-6087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-112; classtype:attempted-user; sid:35958; rev:6;)
# MS15-094 / CVE-2015-2490 (SMTP, to_server): the reverse ordering of sid:35958 — the
# onbeforeunload handler name is captured first, and the pcre backreference then requires a
# function of that name whose body contains document.write. Twin of sid:35955 for
# $FILE_DATA_PORTS traffic.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge CStr object use after free attempt"; flow:to_server,established; file_data; content:"<body"; nocase; content:"onbeforeunload"; within:75; fast_pattern; nocase; content:"document.write"; distance:0; nocase; pcre:"/onbeforeunload\s*=\s*[\x22\x27]?(?P<del_func>\w+)\s*\x28.*?(?P=del_func)\s*\x28[^\x7b]*?\x7b[^\x7d]*?document\.write/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2490; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35957; rev:2;)
# MS15-094 / MS15-112 / CVE-2015-2490, CVE-2015-6087 (to_client twin of sid:35958): function
# defined first, then assigned to onbeforeunload; the named-group backreference in the pcre links
# the two. sid:35955 handles the opposite ordering for the same services.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge CStr object use after free attempt"; flow:to_client,established; file_data; content:"document.write"; nocase; content:"<body"; distance:0; nocase; content:"onbeforeunload"; within:75; fast_pattern; nocase; pcre:"/function\s+(?P<del_func>\w+)\s*\x28[^\x7b]*?\x7b[^\x7d]*?document\.write.*?onbeforeunload\s*=\s*[\x22\x27]?(?P=del_func)/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2490; reference:cve,2015-6087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-112; classtype:attempted-user; sid:35956; rev:6;)
# MS15-094 / CVE-2015-2490 (to_client twin of sid:35957): onbeforeunload handler assigned before
# the function of that name is defined; the pcre backreference enforces the name match.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge CStr object use after free attempt"; flow:to_client,established; file_data; content:"<body"; nocase; content:"onbeforeunload"; within:75; fast_pattern; nocase; content:"document.write"; distance:0; nocase; pcre:"/onbeforeunload\s*=\s*[\x22\x27]?(?P<del_func>\w+)\s*\x28.*?(?P=del_func)\s*\x28[^\x7b]*?\x7b[^\x7d]*?document\.write/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2490; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35955; rev:2;)
# MS15-079 / MS15-091 / CVE-2015-2446 (to_client, file_data): window.resizeTo as fast pattern, an
# onload handler with onresize within 200 bytes, an <input type="range" element and a
# document.body reference; all content matches are case-sensitive. Twin of sid:36068 for SMTP.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt"; flow:to_client,established; file_data; content:"window.resizeTo"; fast_pattern:only; content:"onload"; content:"onresize"; within:200; content:"<input "; content:"type"; within:50; content:"range"; within:15; content:"document.body"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,76193; reference:cve,2015-2446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-091; classtype:attempted-user; sid:36069; rev:2;)
# MS15-079 / MS15-091 / CVE-2015-2446 (SMTP twin of sid:36069): same window.resizeTo / onload /
# onresize / <input type range / document.body chain on mail traffic to $SMTP_SERVERS.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt"; flow:to_server,established; file_data; content:"window.resizeTo"; fast_pattern:only; content:"onload"; content:"onresize"; within:200; content:"<input "; content:"type"; within:50; content:"range"; within:15; content:"document.body"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,76193; reference:cve,2015-2446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-091; classtype:attempted-user; sid:36068; rev:2;)
# MS14-012 / CVE-2014-0312 (SMTP, to_server): <select element, attachEvent( with onpropertychange
# within 50 bytes, "selected" followed by "true" within 15 bytes, then setTimeout and
# CollectGarbage; all case-insensitive and, apart from the two windows, unordered. Drops only in
# the balanced and security policies — no max-detect entry, unlike the MS15-094 rules above.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSelectElement SetCurSel remote code execution attempt"; flow:to_server,established; file_data; content:"<select"; nocase; content:"attachEvent("; nocase; content:"onpropertychange"; within:50; nocase; content:"selected"; nocase; content:"true"; within:15; nocase; content:"setTimeout"; nocase; content:"CollectGarbage"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0312; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; classtype:attempted-user; sid:36249; rev:1;)
# MS15-009 / CVE-2015-0017 (SMTP, to_server): scrollIntoView( as fast pattern, createElement
# "frameset" with .selection.createRange within 75 bytes, plus onload, onresize and
# CollectGarbage() anywhere after (case-insensitive). Twin of sid:36237 for $FILE_DATA_PORTS
# traffic; sid:36236 / sid:36235 cover an obfuscated spelling of the same sequence.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CGenericElement use after free attempt"; flow:established,to_server; file_data; content:"scrollIntoView("; fast_pattern:only; content:"createElement"; nocase; content:"frameset"; within:20; nocase; content:".selection.createRange"; within:75; nocase; content:"onload"; nocase; content:"onresize"; nocase; content:"CollectGarbage()"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0017; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:36238; rev:2;)
# MS15-009 / CVE-2015-0017 (to_client twin of sid:36238): same scrollIntoView( / createElement
# "frameset" / .selection.createRange / onload / onresize / CollectGarbage() chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CGenericElement use after free attempt"; flow:established,to_client; file_data; content:"scrollIntoView("; fast_pattern:only; content:"createElement"; nocase; content:"frameset"; within:20; nocase; content:".selection.createRange"; within:75; nocase; content:"onload"; nocase; content:"onresize"; nocase; content:"CollectGarbage()"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0017; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:36237; rev:2;)
# MS15-009 / CVE-2015-0017 (SMTP, to_server), obfuscated variant: matches the literal
# bracket-notation spellings in which property names are built by string concatenation
# (|22| is a double quote, |27| a single quote), e.g. document["create" + 'Element'] and
# ["move" + 'ToEle' + "ment" + 'Text']. The exact spacing inside the brackets is part of each
# pattern, so other whitespace or quoting variants are not covered. Twin of sid:36235.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CGenericElement use after free attempt"; flow:established,to_server; file_data; content:"[|22|applyElement|22|]( document[|22|create|22| + |27|Element|27|]"; fast_pattern:only; content:"document[|22|select|22|+|27|ion|27|][|27|create|27|+|27|Range|27|]()|3B|"; nocase; content:"[|22|move|22| + |27|ToEle|27| + |22|ment|22| + |27|Text|27|]"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0017; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:36236; rev:2;)
# MS15-009 / CVE-2015-0017 (to_client twin of sid:36236): same literal concatenated-string
# spellings of applyElement / createElement / selection.createRange / moveToElementText.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CGenericElement use after free attempt"; flow:established,to_client; file_data; content:"[|22|applyElement|22|]( document[|22|create|22| + |27|Element|27|]"; fast_pattern:only; content:"document[|22|select|22|+|27|ion|27|][|27|create|27|+|27|Range|27|]()|3B|"; nocase; content:"[|22|move|22| + |27|ToEle|27| + |22|ment|22| + |27|Text|27|]"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0017; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:36235; rev:2;)
# MS13-047 / CVE-2013-3111 (SMTP, to_server): document.execCommand with "selectall" within 20
# bytes, then setTimeout, a "Node(" call within 170 bytes of it and a "document." reference within
# 20 bytes of that, all case-insensitive. Drops in the balanced and security policies only.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer superscript use after free attempt"; flow:to_server,established; file_data; content:"document.execCommand"; nocase; content:"selectall"; within:20; nocase; content:"setTimeout"; nocase; content:"Node("; within:170; nocase; content:"document."; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3111; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:36224; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt"; flow:to_server,established; file_data; content:"<script"; nocase; content:"vbscript"; within:30; nocase; content:"|5C 22 0D|"; fast_pattern:only; content:"regexp"; nocase; content:".execute"; within:500; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-1686; reference:cve,2015-6052; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-recon; sid:36459; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"vbscript"; within:30; nocase; content:"|5C 22 0D|"; fast_pattern:only; content:"regexp"; nocase; content:".execute"; within:500; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1686; reference:cve,2015-6052; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-recon; sid:36458; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer argument validation in print preview handling exploitation attempt"; flow:to_server,established; file_data; content:"|2E|ExecWB"; fast_pattern:only; pcre:"/\x2eExecWB\s*\x28(IDM_PRINTPREVIEW|7)\x2c\s+(0|2)\x2C\s+[\x22\x27]http/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30612; reference:cve,2008-2259; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-045; classtype:attempted-user; sid:36453; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BROWSER-IE Microsoft Edge cross site scripting filter bypass attempt"; flow:to_server,established; content:"|60|//"; fast_pattern:only; content:"|60|//"; http_raw_uri; content:"|20|Edge/"; http_header; metadata:service http; reference:cve,2015-6058; reference:cve,2016-7280; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-107; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-145; classtype:attempted-user; sid:36452; rev:4;)
# MS15-106 / CVE-2015-2482 (SMTP, to_server): RegExp( then .replace( with a "function" callback and
# a "for" loop within 50 bytes each, and .compile() (fast pattern) within 500 bytes; every match is
# case-sensitive. Twin of sid:36450 for $FILE_DATA_PORTS traffic.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer RegExp object use after free attempt"; flow:to_server,established; file_data; content:"RegExp("; content:".replace("; distance:0; content:"function"; within:50; content:"for"; within:50; content:".compile()"; within:500; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2482; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36451; rev:5;)
# MS15-106 / CVE-2015-2482 (to_client twin of sid:36451): same case-sensitive RegExp( / .replace( /
# function / for / .compile() chain over the file-data services.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer RegExp object use after free attempt"; flow:to_client,established; file_data; content:"RegExp("; content:".replace("; distance:0; content:"function"; within:50; content:"for"; within:50; content:".compile()"; within:500; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2482; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36450; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSharedStyle object out-of-bounds read attempt"; flow:to_server,established; file_data; content:".getElement"; nocase; content:".appendChild"; within:75; nocase; content:"chunks"; within:25; nocase; content:"styleSheets"; nocase; content:"addRule"; within:25; nocase; content:"styleSheets"; nocase; content:"addRule"; within:25; nocase; content:"styleSheets"; nocase; content:"addRule"; within:25; nocase; metadata:service smtp; reference:cve,2015-6046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-admin; sid:36448; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSharedStyle object out-of-bounds read attempt"; flow:to_client,established; file_data; content:".getElement"; nocase; content:".appendChild"; within:75; nocase; content:"chunks"; within:25; nocase; content:"styleSheets"; nocase; content:"addRule"; within:25; nocase; content:"styleSheets"; nocase; content:"addRule"; within:25; nocase; content:"styleSheets"; nocase; content:"addRule"; within:25; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-admin; sid:36447; rev:2;)
# MS15-106 / CVE-2015-6045 (SMTP, to_server): a fixed sequence of six DOMNodeRemoved listener
# operations (remove, add, remove, remove, add, add), each event name within 30 bytes of its call.
# All matches are case-sensitive, so differently cased spellings are not covered. Twin of
# sid:36443 for $FILE_DATA_PORTS traffic.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt"; flow:to_server,established; file_data; content:".removeEventListener"; content:"DOMNodeRemoved"; within:30; content:"addEventListener"; distance:0; content:"DOMNodeRemoved"; within:30; content:".removeEventListener"; distance:0; content:"DOMNodeRemoved"; within:30; content:".removeEventListener"; distance:0; content:"DOMNodeRemoved"; within:30; content:"addEventListener"; distance:0; content:"DOMNodeRemoved"; within:30; content:"addEventListener"; distance:0; content:"DOMNodeRemoved"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-user; sid:36444; rev:2;)
# MS15-106 / CVE-2015-6045 (to_client twin of sid:36444): same six-step remove/add/remove/remove/
# add/add DOMNodeRemoved listener sequence, case-sensitive.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt"; flow:to_client,established; file_data; content:".removeEventListener"; content:"DOMNodeRemoved"; within:30; content:"addEventListener"; distance:0; content:"DOMNodeRemoved"; within:30; content:".removeEventListener"; distance:0; content:"DOMNodeRemoved"; within:30; content:".removeEventListener"; distance:0; content:"DOMNodeRemoved"; within:30; content:"addEventListener"; distance:0; content:"DOMNodeRemoved"; within:30; content:"addEventListener"; distance:0; content:"DOMNodeRemoved"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-user; sid:36443; rev:2;)
# MS15-106 / CVE-2015-6048 (SMTP, to_server): .removeNode followed within 150 bytes by
# .execCommand and "InsertFieldset" within 50 bytes of that, all case-insensitive. Twin of
# sid:36439 for $FILE_DATA_PORTS traffic.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableSelection use-after-free attempt"; flow:to_server,established; file_data; content:".removeNode"; nocase; content:".execCommand"; within:150; nocase; content:"InsertFieldset"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6048; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36440; rev:2;)
# MS15-106 / CVE-2015-6048 (to_client twin of sid:36440): same .removeNode / .execCommand /
# InsertFieldset chain over the file-data services.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableSelection use-after-free attempt"; flow:to_client,established; file_data; content:".removeNode"; nocase; content:".execCommand"; within:150; nocase; content:"InsertFieldset"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6048; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36439; rev:2;)
# MS15-106 / CVE-2015-6049 (SMTP, to_server): single fast-pattern-only match on the ieframe.dll
# CLSID as spelled in the rule (mixed case, "45d2"). NOTE(review): no nocase is given; confirm the
# fast-pattern matcher's case handling if upper-case spellings of the CLSID must also be caught.
# Twin of sid:36437 for $FILE_DATA_PORTS traffic.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access"; flow:to_server,established; file_data; content:"6CF48EF8-44CD-45d2-8832-A16EA016311B"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6049; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36438; rev:2;)
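# nocase added to the CLSID match: the GUID literal is mixed-case ("45d2") while the browser does not treat CLSID strings as case-sensitive, so a re-cased copy of the GUID would otherwise evade the rule (sibling sid 36423 already matches its GUID with nocase); rev bumped.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"6CF48EF8-44CD-45d2-8832-A16EA016311B"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6049; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36437; rev:3;)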
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt"; flow:to_server,established; file_data; content:".style.whiteSpace = |22|pre-line|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0025; reference:cve,2013-1288; reference:cve,2015-6050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-021; classtype:attempted-user; sid:36436; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt"; flow:to_server,established; file_data; content:"ArrayBuffer("; fast_pattern:only; content:"valueOf"; content:"function"; within:50; content:".postMessage("; within:100; content:"DataView"; distance:0; nocase; content:".slice("; within:100; distance:-50; nocase; content:".getUint"; within:150; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-6053; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36432; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt"; flow:to_client,established; file_data; content:"ArrayBuffer("; fast_pattern:only; content:"valueOf"; content:"function"; within:50; content:".postMessage("; within:100; content:"DataView"; distance:0; nocase; content:".slice("; within:100; distance:-50; nocase; content:".getUint"; within:150; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6053; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36431; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt"; flow:to_server,established; file_data; content:"<b></b>"; content:"15D633E2-AD00-465b-9EC7-F56B7CDF8E27"; within:200; nocase; content:"location.href"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2548; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-109; classtype:attempted-user; sid:36424; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt"; flow:to_client,established; file_data; content:"<b></b>"; content:"15D633E2-AD00-465b-9EC7-F56B7CDF8E27"; within:200; nocase; content:"location.href"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2548; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-109; classtype:attempted-user; sid:36423; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CWindow object use after free attempt"; flow:to_server,established; file_data; content:"MutationObserver"; nocase; content:"childList"; within:150; nocase; content:"addEventListener"; within:150; nocase; content:"DOMSubtreeModified"; within:50; nocase; content:"setInterval"; within:150; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6042; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36418; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CWindow object use after free attempt"; flow:to_client,established; file_data; content:"MutationObserver"; nocase; content:"childList"; within:150; nocase; content:"addEventListener"; within:150; nocase; content:"DOMSubtreeModified"; within:50; nocase; content:"setInterval"; within:150; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6042; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36417; rev:2;)
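# reference fix: the bulletin URL carried a duplicated "reference:url," prefix, so the reference id would have been the literal string "reference:url,technet..." rather than the bulletin path; rev bumped. The rule stays disabled as distributed (same fix applies to sids 36413, 36412, 36411).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer sandbox escape attempt"; flow:to_server,established; file_data; content:"|FF 15 E2 E2 00 00 85 C0 0F 85 1D 02 00 00 C7 44 24 28 4E 00 00 00 48 8D 05 B3 58 01 00 48 89 44|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-6047; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36414; rev:3;)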
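# reference fix: the bulletin URL carried a duplicated "reference:url," prefix, so the reference id would have been the literal string "reference:url,technet..." rather than the bulletin path; rev bumped. The rule stays disabled as distributed.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer sandbox escape attempt"; flow:to_client,established; file_data; content:"|FF 15 E2 E2 00 00 85 C0 0F 85 1D 02 00 00 C7 44 24 28 4E 00 00 00 48 8D 05 B3 58 01 00 48 89 44|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6047; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36413; rev:3;)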
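# reference fix: the bulletin URL carried a duplicated "reference:url," prefix, so the reference id would have been the literal string "reference:url,technet..." rather than the bulletin path; rev bumped. The rule stays disabled as distributed.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer sandbox escape attempt"; flow:to_server,established; file_data; content:"|48 8D 7C 24 48 E8 C0 2E 00 00 48 8D 50 30 B9 01 00 00 00 E8 22 2F 00 00 90 E8 AC 2E 00 00 48 8D|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-6047; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36412; rev:3;)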
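# reference fix: the bulletin URL carried a duplicated "reference:url," prefix, so the reference id would have been the literal string "reference:url,technet..." rather than the bulletin path; rev bumped. The rule stays disabled as distributed.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer sandbox escape attempt"; flow:to_client,established; file_data; content:"|48 8D 7C 24 48 E8 C0 2E 00 00 48 8D 50 30 B9 01 00 00 00 E8 22 2F 00 00 90 E8 AC 2E 00 00 48 8D|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6047; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36411; rev:3;)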
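# nocase added to the CLSID match: the GUID literal is all upper-case while the browser does not treat CLSID strings as case-sensitive, so a lower-cased copy of the GUID would otherwise evade the rule even though the following "</object>" match is already nocase (sibling sid 36424 matches its GUID with nocase); rev bumped.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt"; flow:to_server,established; file_data; content:"0E5CBF21-D15F-11D0-8301-00AA005B4383"; nocase; content:"</object>"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2515; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-109; classtype:attempted-user; sid:36402; rev:5;)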
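# nocase added to the CLSID match: the GUID literal is all upper-case while the browser does not treat CLSID strings as case-sensitive, so a lower-cased copy of the GUID would otherwise evade the rule even though the following "</object>" match is already nocase (sibling sid 36423 matches its GUID with nocase); rev bumped.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt"; flow:to_client,established; file_data; content:"0E5CBF21-D15F-11D0-8301-00AA005B4383"; nocase; content:"</object>"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2515; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-109; classtype:attempted-user; sid:36401; rev:5;)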
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt"; flow:to_server,established; file_data; content:"<script"; nocase; content:"javascript"; distance:0; nocase; content:"location="; distance:0; nocase; pcre:"/javascript.+?function\s+(\w+)\s*\(\w*\)\s*\{.+?location=[^}]+\1\(.+?\}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,16687; reference:cve,2006-0753; classtype:attempted-dos; sid:36494; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt"; flow:to_server,established; file_data; content:"ArrayBuffer("; fast_pattern:only; content:"valueOf"; content:"function"; within:50; content:".postMessage("; within:100; content:"DataView"; distance:0; nocase; content:".slice("; within:100; distance:-50; nocase; content:".getInt"; within:150; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-6053; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36560; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt"; flow:to_client,established; file_data; content:"ArrayBuffer("; fast_pattern:only; content:"valueOf"; content:"function"; within:50; content:".postMessage("; within:100; content:"DataView"; distance:0; nocase; content:".slice("; within:100; distance:-50; nocase; content:".getInt"; within:150; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6053; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; classtype:attempted-user; sid:36559; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer meta tag double free attempt"; flow:to_client,established; file_data; content:"|27|msapplication-task|27|"; content:"content"; within:50; content:"name"; within:25; content:"|27|msapplication-task|27|"; distance:0; content:"content"; within:20; isdataat:15,relative; content:!"name"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2391; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:36605; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer meta tag double free attempt"; flow:to_server,established; file_data; content:"|27|msapplication-task|27|"; content:"content"; within:50; content:"name"; within:25; content:"|27|msapplication-task|27|"; distance:0; content:"content"; within:20; isdataat:15,relative; content:!"name"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2391; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:attempted-user; sid:36604; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CElement JSON write-what-where attempt"; flow:to_server,established; file_data; content:"for"; nocase; content:".push"; within:50; nocase; content:".substr"; within:25; distance:1; nocase; content:"JSON.parse"; fast_pattern; nocase; content:"<body onload"; metadata:service smtp; reference:cve,2015-6089; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36754; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement JSON write-what-where attempt"; flow:to_client,established; file_data; content:"for"; nocase; content:".push"; within:50; nocase; content:".substr"; within:25; distance:1; nocase; content:"JSON.parse"; fast_pattern; nocase; content:"<body onload"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6089; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36753; rev:2;)
# NOTE(review): the pcre repeats a greedy ".*" followed by a backreference six times ("(.*(?P=element)\x2E(...)){6}" under /s), so on a large script body it can backtrack heavily and run into the pcre match limit before a verdict; the preceding content matches limit how often it is evaluated, but bounding each gap (e.g. a counted class instead of ".*") would be prudent if this rule or its client-side twin sid 36746 is re-enabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge click method use after free attempt"; flow:to_server,established; file_data; content:"document.createElement|28|"; content:".href"; content:".protocol"; content:".hash"; fast_pattern:only; content:".target"; content:".host"; content:".click"; pcre:"/document\x2EcreateElement\x28[\x22\x27]\s*(?P<element>\w+)[\x22\x27]\s*\x29(.*(?P=element)\x2E(href|protocol|hash|target|host|click)){6}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6088; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36747; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge click method use after free attempt"; flow:to_client,established; file_data; content:"document.createElement|28|"; content:".href"; content:".protocol"; content:".hash"; fast_pattern:only; content:".target"; content:".host"; content:".click"; pcre:"/document\x2EcreateElement\x28[\x22\x27]\s*(?P<element>\w+)[\x22\x27]\s*\x29(.*(?P=element)\x2E(href|protocol|hash|target|host|click)){6}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6088; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36746; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CElement use after free attempt"; flow:to_server,established; file_data; content:"ms-beginUndoUnit"; fast_pattern:only; content:"setAttribute"; nocase; content:"spellcheck"; within:25; nocase; content:"removeAttribute"; distance:0; nocase; content:"spellcheck"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36743; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement use after free attempt"; flow:to_client,established; file_data; content:"ms-beginUndoUnit"; fast_pattern:only; content:"setAttribute"; nocase; content:"spellcheck"; within:25; nocase; content:"removeAttribute"; distance:0; nocase; content:"spellcheck"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36742; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTsfTextStore use-after-free attempt"; flow:to_server,established; file_data; content:".replaceNode("; fast_pattern:only; content:"document.createElement"; nocase; content:"input"; within:7; nocase; content:".createTextRange()|3B|"; nocase; content:".select()|3B|"; within:110; content:".reload()|3B|"; within:55; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6077; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-112; classtype:attempted-user; sid:36739; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTsfTextStore use-after-free attempt"; flow:to_client,established; file_data; content:".replaceNode("; fast_pattern:only; content:"document.createElement"; nocase; content:"input"; within:7; nocase; content:".createTextRange()|3B|"; nocase; content:".select()|3B|"; within:110; content:".reload()|3B|"; within:55; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6077; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-112; classtype:attempted-user; sid:36738; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt"; flow:to_server,established; file_data; content:"onresize"; nocase; content:"navigate"; within:50; fast_pattern; nocase; content:"#"; within:25; content:"contenteditable"; nocase; content:"false"; within:25; nocase; content:".value"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,77445; reference:cve,2015-6071; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36702; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt"; flow:to_client,established; file_data; content:"onresize"; nocase; content:"navigate"; within:50; fast_pattern; nocase; content:"#"; within:25; content:"contenteditable"; nocase; content:"false"; within:25; nocase; content:".value"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,77445; reference:cve,2015-6071; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36701; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode row element removal remote code execution attempt"; flow:to_server,established; file_data; content:".moveToElementText"; content:".execCommand"; within:250; content:".moveToElementText"; within:250; content:".pasteHTML"; within:250; content:".swapNode"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6072; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36700; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode row element removal remote code execution attempt"; flow:to_client,established; file_data; content:".moveToElementText"; content:".execCommand"; within:250; content:".moveToElementText"; within:250; content:".pasteHTML"; within:250; content:".swapNode"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6072; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36699; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer table element modification use after free attempt"; flow:to_server,established; file_data; content:".createElement("; nocase; content:".applyElement("; within:80; nocase; content:".innerHTML"; within:80; nocase; content:".navigate("; within:80; nocase; content:".runtimeStyle.cssText"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6066; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36696; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer table element modification use after free attempt"; flow:to_client,established; file_data; content:".createElement("; nocase; content:".applyElement("; within:80; nocase; content:".innerHTML"; within:80; nocase; content:".navigate("; within:80; nocase; content:".runtimeStyle.cssText"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6066; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36695; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer style object stylesheet use after free attempt"; flow:to_server,established; file_data; content:".styleSheet"; content:".addRule("; within:100; content:".deleteRule("; within:400; content:".removeRule("; within:100; fast_pattern; content:"load"; within:400; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36694; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer style object stylesheet use after free attempt"; flow:to_client,established; file_data; content:".styleSheet"; content:".addRule("; within:100; content:".deleteRule("; within:400; content:".removeRule("; within:100; fast_pattern; content:"load"; within:400; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36693; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CUListElement use-after-free attempt"; flow:to_server,established; file_data; content:".execCommand"; content:"ms-beginUndoUnit"; fast_pattern:only; content:"moveToElementText"; content:".execCommand"; content:"createElement"; content:"HGROUP"; within:20; nocase; content:".appendChild"; content:"addEventListener"; content:"DOMNodeRemoved"; within:20; content:".appendChild"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36692; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CUListElement use-after-free attempt"; flow:to_client,established; file_data; content:".execCommand"; content:"ms-beginUndoUnit"; fast_pattern:only; content:"moveToElementText"; content:".execCommand"; content:"createElement"; content:"HGROUP"; within:20; nocase; content:".appendChild"; content:"addEventListener"; content:"DOMNodeRemoved"; within:20; content:".appendChild"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36691; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer managed CDispNode objects use-after-free attempt"; flow:to_server,established; file_data; content:"<script"; nocase; content:"src"; within:15; nocase; content:"#"; within:5; content:"<script"; within:50; nocase; content:"src"; within:15; nocase; content:"#"; within:5; content:"CollectGarbage"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6082; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36690; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer managed CDispNode objects use-after-free attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"src"; within:15; nocase; content:"#"; within:5; content:"<script"; within:50; nocase; content:"src"; within:15; nocase; content:"#"; within:5; content:"CollectGarbage"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6082; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36689; rev:2;)
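# two fixes, rev bumped: (1) the MS15-112 bulletin reference had a stray space before its terminating ";" (the client-side twin sid 36687 does not), which would leave trailing whitespace in the stored reference id; (2) the final "|20|event=" match now carries nocase like the three attribute matches before it, so a differently cased "EVENT=" attribute no longer breaks the chain.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CElement use after free attempt"; flow:to_server,established; file_data; content:".htmlFor"; fast_pattern:only; nocase; content:"|20|for="; nocase; content:"|20|event="; within:200; nocase; content:"|20|for="; distance:0; nocase; content:"|20|event="; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36688; rev:3;)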
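# nocase added to the final "|20|event=" match so it agrees with the three attribute matches before it; without it a differently cased "EVENT=" attribute broke the match chain while the earlier attribute matches still accepted it. rev bumped.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement use after free attempt"; flow:to_client,established; file_data; content:".htmlFor"; fast_pattern:only; nocase; content:"|20|for="; nocase; content:"|20|event="; within:200; nocase; content:"|20|for="; distance:0; nocase; content:"|20|event="; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36687; rev:3;)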
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer col onpropertychange memory corruption attempt"; flow:to_server,established; file_data; content:".background"; nocase; content:"Node.insert"; within:200; nocase; content:".createCaption"; within:50; fast_pattern; nocase; content:"<col"; within:200; nocase; content:"<th"; within:100; nocase; content:"onpropertychange"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6070; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-112; classtype:attempted-user; sid:36686; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer col onpropertychange memory corruption attempt"; flow:to_client,established; file_data; content:".background"; nocase; content:"Node.insert"; within:200; nocase; content:".createCaption"; within:50; fast_pattern; nocase; content:"<col"; within:200; nocase; content:"<th"; within:100; nocase; content:"onpropertychange"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6070; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-112; classtype:attempted-user; sid:36685; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableCell object use after free attempt"; flow:to_server,established; file_data; content:"getElementsByTagName("; content:".createTextRange("; within:100; content:".moveToElementText"; within:100; content:"CollectGarbage"; within:300; fast_pattern; content:".cloneNode"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36684; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableCell object use after free attempt"; flow:to_client,established; file_data; content:"getElementsByTagName("; content:".createTextRange("; within:100; content:".moveToElementText"; within:100; content:"CollectGarbage"; within:300; fast_pattern; content:".cloneNode"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6079; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36683; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer access violation attempt"; flow:to_server,established; file_data; content:".createElement"; content:"TABLE"; within:20; nocase; content:".appendChild"; content:".createElement"; within:25; content:"FRAMESET"; within:20; nocase; content:".createTFoot"; fast_pattern:only; content:"getElement"; content:"TBODY"; within:20; nocase; content:"insertRow"; content:"removeNode"; content:".createElement"; content:"TR"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6081; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36682; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer access violation attempt"; flow:to_client,established; file_data; content:".createElement"; content:"TABLE"; within:20; nocase; content:".appendChild"; content:".createElement"; within:25; content:"FRAMESET"; within:20; nocase; content:".createTFoot"; fast_pattern:only; content:"getElement"; content:"TBODY"; within:20; nocase; content:"insertRow"; content:"removeNode"; content:".createElement"; content:"TR"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6081; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36681; rev:2;)
# NOTE(review): unlike every other rule in this section, this rule (and its client-side twin sid 36679) has no file_data before its content matches, so they are evaluated against the raw SMTP payload rather than the decoded attachment body; a transfer-encoded (e.g. base64) attachment carrying this script would therefore not match. This looks like an omission rather than a deliberate choice — confirm, then add file_data and bump rev.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer cache management code overflow attempt"; flow:to_server,established; content:".appendChild("; content:".createElement("; within:50; content:"window.setTimeout("; within:200; fast_pattern; content:"CollectGarbage()"; within:50; content:".options.item("; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36680; rev:2;)
# NOTE(review): unlike every other rule in this section, this rule has no file_data before its content matches, so they run against the raw payload rather than the normalized/decoded file body (e.g. a compressed HTTP response body or a MIME-decoded attachment), which is a detection gap for the services this rule is attached to. This looks like an omission rather than a deliberate choice — confirm, then add file_data and bump rev.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cache management code overflow attempt"; flow:to_client,established; content:".appendChild("; content:".createElement("; within:50; content:"window.setTimeout("; within:200; fast_pattern; content:"CollectGarbage()"; within:50; content:".options.item("; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36679; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt"; flow:to_server,established; file_data; content:"createElementNS"; nocase; content:"http://www.w3.org/2000/svg"; within:35; nocase; content:"text"; within:15; nocase; content:"createElementNS"; nocase; content:"http://www.w3.org/2000/svg"; within:35; nocase; content:"svg"; within:15; nocase; content:".createElement"; nocase; content:"area"; within:10; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6085; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36678; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt"; flow:to_client,established; file_data; content:"createElementNS"; nocase; content:"http://www.w3.org/2000/svg"; within:35; nocase; content:"text"; within:15; nocase; content:"createElementNS"; nocase; content:"http://www.w3.org/2000/svg"; within:35; nocase; content:"svg"; within:15; nocase; content:".createElement"; nocase; content:"area"; within:10; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6085; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:36677; rev:3;)
|
|
# sids 36676 (SMTP) / 36675 (file_data ports) - CVE-2015-6078, MS15-112, CMarkup use-after-free.
# Ordered chain: "getElement" (prefix; also matches getElementById / getElementsByTagName)
# -> click() within 50 -> onload within 100 -> onbeforeunload within 50.
# "designMode" is fast_pattern:only, so it is required anywhere in the buffer but carries no
# ordering constraint relative to the chain. Note the chain contents are case-sensitive.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup use-after-free attempt"; flow:to_server,established; file_data; content:"getElement"; content:"click()"; within:50; content:"onload"; within:100; content:"onbeforeunload"; within:50; content:"designMode"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6078; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-112; classtype:attempted-user; sid:36676; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CMarkup use-after-free attempt"; flow:to_client,established; file_data; content:"getElement"; content:"click()"; within:50; content:"onload"; within:100; content:"onbeforeunload"; within:50; content:"designMode"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6078; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-112; classtype:attempted-user; sid:36675; rev:2;)
|
|
# sids 36674 (SMTP) / 36673 (file_data ports) - CVE-2015-6084 / CVE-2015-6158 (MS15-112/124/125),
# GetPlainText negative start index OOB write.
# Content pre-filter: document.body.cloneNode -> appendChild (300) -> replaceChild (400) -> .children (50).
# The pcre then requires the first argument of replaceChild(...) to be an identifier X whose second
# argument contains ".children", and later an assignment X.innerHTML|outerHTML|innerText|outerText = "-..."
# (the leading '-' is the negative index in the msg). The pcre uses /s with lazy ".*?" so it scans
# across the whole buffer; it is only evaluated after the content chain matches, so cost is bounded.
# Overlaps with sids 36957/36956 (same cloneNode/appendChild/replaceChild/.children skeleton, no pcre);
# traffic that fires this rule is likely to fire that one as well.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer GetPlainText negative start index out of bounds write attempt"; flow:to_server,established; file_data; content:"document.body.cloneNode"; nocase; content:"appendChild"; within:300; nocase; content:"replaceChild"; within:400; nocase; content:".children"; within:50; nocase; pcre:"/\.replaceChild\s*\x28\s*(?P<ele>\w+)\s*,\s*[^\x29,]*?\.children.*?(?P=ele)\.(inner|outer)(HTML|Text)\s*=\s*[\x22\x27]?-/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6084; reference:cve,2015-6158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-125; classtype:attempted-user; sid:36674; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer GetPlainText negative start index out of bounds write attempt"; flow:to_client,established; file_data; content:"document.body.cloneNode"; nocase; content:"appendChild"; within:300; nocase; content:"replaceChild"; within:400; nocase; content:".children"; within:50; nocase; pcre:"/\.replaceChild\s*\x28\s*(?P<ele>\w+)\s*,\s*[^\x29,]*?\.children.*?(?P=ele)\.(inner|outer)(HTML|Text)\s*=\s*[\x22\x27]?-/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6084; reference:cve,2015-6158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-125; classtype:attempted-user; sid:36673; rev:3;)
|
|
# sids 36672 (SMTP) / 36671 (file_data ports) - CVE-2015-6068, MS15-112, fragmented CtxtBlk heap overflow.
# Chain: ".body.CreateText" (nocase, so it also matches e.g. .body.createTextRange) -> .execCommand
# within 300 -> "JustifyFull" within 20 (fast_pattern) -> .execCommand within 100 -> "RemoveFormat" within 20.
# i.e. a text range on the body followed by execCommand("JustifyFull") then execCommand("RemoveFormat").
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer fragmented CtxtBlk heap overflow attempt"; flow:to_server,established; file_data; content:".body.CreateText"; nocase; content:".execCommand"; within:300; nocase; content:"JustifyFull"; within:20; fast_pattern; nocase; content:".execCommand"; within:100; nocase; content:"RemoveFormat"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6068; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-112; classtype:attempted-user; sid:36672; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer fragmented CtxtBlk heap overflow attempt"; flow:to_client,established; file_data; content:".body.CreateText"; nocase; content:".execCommand"; within:300; nocase; content:"JustifyFull"; within:20; fast_pattern; nocase; content:".execCommand"; within:100; nocase; content:"RemoveFormat"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6068; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-112; classtype:attempted-user; sid:36671; rev:2;)
|
|
# sid 36791 - CVE-2009-1547, MS09-054 (IE data stream header RCE). DISABLED (leading '#') and carries
# no policy metadata, so it is off in every packaged policy.
# Single byte-exact http_header match: "Content-Encoding:deflate" + LF + "Content-Range:" + LF LF,
# i.e. no space after either colon, an empty Content-Range value, and bare LF line endings.
# A server emitting the conventional "Content-Encoding: deflate" (with a space) or CRLF line endings
# will not match; treat this as a PoC-shaped signature rather than general coverage of the CVE.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"Content-Encoding:deflate|0A|Content-Range:|0A 0A|"; fast_pattern:only; http_header; metadata:service http; reference:bugtraq,36622; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:36791; rev:1;)
|
|
# sids 36813 / 36812 / 36811 - CVE-2012-1524, MS12-044, "nonexistent attribute removal memory corruption".
# Each rule is a single case-sensitive, byte-exact fragment of a specific PoC script, decoded:
#   36813: rash').removeAttribute(':onchang
#   36812: q")))[0].removeAttributeNS("",Stri
#   36811: "t")))[(-~-0-1)].removeAttribute
# Because they pin literal variable names, quoting and the "(-~-0-1)" index expression, a trivial
# rewrite of the PoC (whitespace, quote style, different identifier) evades all three. They are
# best read as IOC-style matches for known PoCs, not as generic coverage of the bug.
# classtype is attempted-dos, unlike the attempted-user used by the other memory-corruption rules here.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer nonexistent attribute removal memory corruption attempt"; flow:to_client,established; file_data; content:"|72 61 73 68 27 29 2E 72 65 6D 6F 76 65 41 74 74 72 69 62 75 74 65 28 27 3A 6F 6E 63 68 61 6E 67|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1524; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-044; classtype:attempted-dos; sid:36813; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer nonexistent attribute removal memory corruption attempt"; flow:to_client,established; file_data; content:"|71 22 29 29 29 5B 30 5D 2E 72 65 6D 6F 76 65 41 74 74 72 69 62 75 74 65 4E 53 28 22 22 2C 53 74 72 69|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1524; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-044; classtype:attempted-dos; sid:36812; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer nonexistent attribute removal memory corruption attempt"; flow:to_client,established; file_data; content:"|22 74 22 29 29 29 5B 28 2D 7E 2D 30 2D 31 29 5D 2E 72 65 6D 6F 76 65 41 74 74 72 69 62 75 74 65|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1524; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-044; classtype:attempted-dos; sid:36811; rev:2;)
|
|
# sid 36896 - CVE-2014-6332, MS14-064 ("VBScript redim preserve"). DISABLED (leading '#').
# What it actually keys on is the payload stage seen in public exploits, not the redim preserve
# trigger named in msg: stream.ReadText() -> new ActiveXObject within 50 -> WScript.Shell within 30
# -> Run( within 30, i.e. a script that reads a stream and executes it via WScript.Shell.Run.
# No file_data, so the contents are matched against the raw stream; a gzip-encoded HTTP body would
# not match. Header is any -> $HOME_NET any with only service http in metadata.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt"; flow:to_client,established; content:"stream.ReadText()"; content:"new ActiveXObject"; within:50; content:"WScript.Shell"; within:30; content:"Run("; within:30; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-6332; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-064; classtype:attempted-user; sid:36896; rev:2;)
|
|
# sids 37010 (SMTP) / 37009 (file_data ports) - CVE-2015-6162, MS15-124, TextBlock use-after-free.
# Chain (all nocase): .createTextRange -> .moveToElementText within 100 -> .moveEnd within 100
# -> .execCommand within 200 -> "delete" within 30 (execCommand("Delete") on the adjusted range).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt"; flow:to_server,established; file_data; content:".createTextRange"; nocase; content:".moveToElementText"; within:100; nocase; content:".moveEnd"; within:100; nocase; content:".execCommand"; within:200; nocase; content:"delete"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6162; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:37010; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt"; flow:to_client,established; file_data; content:".createTextRange"; nocase; content:".moveToElementText"; within:100; nocase; content:".moveEnd"; within:100; nocase; content:".execCommand"; within:200; nocase; content:"delete"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6162; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:37009; rev:3;)
|
|
# sids 37004 (SMTP) / 37003 (file_data ports) - CVE-2015-6154, MS15-124, CMarkupPointer UnEmbed OOB read.
# Chain: createTextRange -> "text" within 40 -> "\u" within 40 (a JavaScript unicode escape; this
# content is case-sensitive) -> CollectGarbage anywhere later (distance:0) -> findText anywhere later.
# Only the first three are tightly coupled; CollectGarbage/findText may be arbitrarily far away.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CMarkupPointer UnEmbed out of bounds read attempt"; flow:to_server,established; file_data; content:"createTextRange"; nocase; content:"text"; within:40; nocase; content:"|5C|u"; within:40; content:"CollectGarbage"; distance:0; nocase; content:"findText"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6154; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:37004; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CMarkupPointer UnEmbed out of bounds read attempt"; flow:to_client,established; file_data; content:"createTextRange"; nocase; content:"text"; within:40; nocase; content:"|5C|u"; within:40; content:"CollectGarbage"; distance:0; nocase; content:"findText"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6154; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:37003; rev:2;)
|
|
# sids 36992 (SMTP) / 36991 (file_data ports) - CVE-2015-6152, MS15-124, CDispContainer OOB read.
# Requires an X-UA-Compatible meta forcing IE=8 document mode (IE=8 within 25 of X-UA-Compatible),
# the "-ms-block-progression" CSS property anywhere in the buffer (fast_pattern:only), and
# .execCommand followed by "Justify" within 25 (matches JustifyLeft/Right/Center/Full).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDispContainer out of bounds read attempt"; flow:to_server,established; file_data; content:"X-UA-Compatible"; nocase; content:"IE=8"; within:25; nocase; content:"-ms-block-progression"; fast_pattern:only; content:".execCommand"; nocase; content:"Justify"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6152; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36992; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDispContainer out of bounds read attempt"; flow:to_client,established; file_data; content:"X-UA-Compatible"; nocase; content:"IE=8"; within:25; nocase; content:"-ms-block-progression"; fast_pattern:only; content:".execCommand"; nocase; content:"Justify"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6152; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36991; rev:2;)
|
|
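# sid 36988 - CVE-2015-6164, MS15-124, cross-origin bypass via redirect.
# Matches in the HTTP response header buffer: a "Location:" header, "returnValue" (nocase,
# fast_pattern) somewhere after it, and a line ending in "//" + CRLF somewhere after that.
# Caveat: both later contents use distance:0 without within:, so "//" CRLF may sit at the end of
# any subsequent header line, not necessarily the Location line.
# Every content is http_header and the header is $HTTP_PORTS -> $HOME_NET, so this rule can only
# ever match HTTP; the original metadata also listed ftp-data/imap/pop3 (copied from the file_data
# template used by its neighbours), which is misleading for service-based rule selection.
# Trimmed to "service http" - consistent with sid 36791 and the HEAD rules - and bumped rev (2 -> 3).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cross origin policy bypass via redirect attempt"; flow:to_client,established; content:"|0D 0A|Location|3A|"; http_header; content:"returnValue"; distance:0; fast_pattern; nocase; http_header; content:"//|0D 0A|"; distance:0; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:36988; rev:3;)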
|
|
# sids 36987 (SMTP) / 36986 (file_data ports) - CVE-2015-6143 / CVE-2016-0082 (MS15-124, MS16-011),
# CAttrArray use-after-free.
# Three loosely ordered pairs: addEventListener + "DOMAttrModified" within 25;
# .execCommand + "ms-beginUndoUnit" within 25 (fast_pattern); .execCommand + "undo" within 15.
# Overlaps heavily with sids 36963/36962 (same three tokens, different ordering windows); expect
# both pairs to fire on the same sample.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt"; flow:to_server,established; file_data; content:".addEventListener"; nocase; content:"DOMAttrModified"; within:25; nocase; content:".execCommand"; nocase; content:"ms-beginUndoUnit"; within:25; fast_pattern; nocase; content:".execCommand"; nocase; content:"undo"; within:15; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6143; reference:cve,2016-0082; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-011; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:36987; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt"; flow:to_client,established; file_data; content:".addEventListener"; nocase; content:"DOMAttrModified"; within:25; nocase; content:".execCommand"; nocase; content:"ms-beginUndoUnit"; within:25; fast_pattern; nocase; content:".execCommand"; nocase; content:"undo"; within:15; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6143; reference:cve,2016-0082; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-011; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:36986; rev:3;)
|
|
# sids 36985 (SMTP) / 36984 (file_data ports) - CVE-2015-6168, MS15-125, Edge CAttrArray OOB read.
# The 13-byte content "/<style>{{}}:" with depth:13 must be at the very start of the file_data buffer,
# and the buffer must contain neither "<!DOCTYPE" nor "<html" anywhere (negated contents).
# The leading '/' and the anchoring make this a PoC-shaped match: the same markup preceded by any
# other byte, or a document with a doctype, is not covered.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge CAttrArray out of bounds read attempt"; flow:to_server,established; file_data; content:"/<style>{{}}:"; depth:13; nocase; content:!"<!DOCTYPE"; nocase; content:!"<html"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6168; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-125; classtype:attempted-user; sid:36985; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge CAttrArray out of bounds read attempt"; flow:to_client,established; file_data; content:"/<style>{{}}:"; depth:13; nocase; content:!"<!DOCTYPE"; nocase; content:!"<html"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6168; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-125; classtype:attempted-user; sid:36984; rev:2;)
|
|
# sids 36983 (SMTP) / 36982 (file_data ports) - CVE-2015-6145, MS15-124, select use-after-free.
# .replaceNode (fast_pattern) -> .cloneNode within 50, then .applyElement, .removeNode, "<SELECT"
# and "<OPT" within 30 of it ("<OPT" covers both <OPTION and <OPTGROUP). The later tokens are only
# ordered, not distance-bounded. ".applyElement" is the one content without nocase - harmless for a
# case-sensitive JS identifier, but inconsistent with the rest of the rule.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer select use after free attempt"; flow:to_server,established; file_data; content:".replaceNode"; fast_pattern; nocase; content:".cloneNode"; within:50; nocase; content:".applyElement"; content:".removeNode"; nocase; content:"<SELECT"; nocase; content:"<OPT"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6145; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36983; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer select use after free attempt"; flow:to_client,established; file_data; content:".replaceNode"; fast_pattern; nocase; content:".cloneNode"; within:50; nocase; content:".applyElement"; content:".removeNode"; nocase; content:"<SELECT"; nocase; content:"<OPT"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6145; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36982; rev:3;)
|
|
# sids 36981 (SMTP) / 36980 (file_data ports) - CVE-2015-6134, MS15-124, JS argument type confusion.
# Ordered: "<svg" -> "<script" -> ".call.call"; the pcre then requires ".call.call(<first arg>, <num>"
# where the second argument starts with a digit or "0x" (optionally parenthesised) - i.e. a numeric
# literal passed where an object is expected. Variants that pass the number via a variable are not covered.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer javascript argument type confusion attempt"; flow:to_server,established; file_data; content:"<svg"; nocase; content:"<script"; distance:0; nocase; content:".call.call"; distance:0; nocase; pcre:"/\x2Ecall\x2Ecall\s*\x28[^\x29\x2C]*?\x2C\s*\x28?(0x|\d)/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36981; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer javascript argument type confusion attempt"; flow:to_client,established; file_data; content:"<svg"; nocase; content:"<script"; distance:0; nocase; content:".call.call"; distance:0; nocase; pcre:"/\x2Ecall\x2Ecall\s*\x28[^\x29\x2C]*?\x2C\s*\x28?(0x|\d)/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36980; rev:3;)
|
|
# sids 36969 (SMTP) / 36968 (file_data ports) - CVE-2015-6083, MS15-124, CTableRow memory corruption.
# DISABLED (leading '#') and with no policy metadata.
# Pre-filter: .parentNode -> .swapNode within 50 -> .insertRow within 40, plus "<table" anywhere.
# The pcre ties them together: swapNode(X) ... X.insertRow ... <table id=X - so the script must call
# insertRow on the swapped node via an identifier equal to the table's id (IE's named-element access).
# It allows exactly one whitespace char between "<table" and "id", so a table with other attributes
# before id= does not match.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableRow memory corruption attempt"; flow:to_server,established; file_data; content:".parentNode"; nocase; content:".swapNode"; within:50; nocase; content:".insertRow"; within:40; nocase; content:"<table"; nocase; pcre:"/parentNode[^>]*?swapNode\((?P<swap>\w+)\).*?(?P=swap)\.insertRow.*?<table\sid\s?=\s?[\x22\x27]?(?P=swap)[\x22\x27]?/smi"; metadata:service smtp; reference:cve,2015-6083; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36969; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableRow memory corruption attempt"; flow:to_client,established; file_data; content:".parentNode"; nocase; content:".swapNode"; within:50; nocase; content:".insertRow"; within:40; nocase; content:"<table"; nocase; pcre:"/parentNode[^>]*?swapNode\((?P<swap>\w+)\).*?(?P=swap)\.insertRow.*?<table\sid\s?=\s?[\x22\x27]?(?P=swap)[\x22\x27]?/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6083; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36968; rev:2;)
|
|
# sids 36963 (SMTP) / 36962 (file_data ports) - CVE-2015-6142, MS15-124, CAttribute/CStyleAttrArray
# type confusion.
# "ms-beginUndoUnit" anywhere (fast_pattern:only); then execCommand -> "undo" within 10
# -> addEventListener within 40 -> "DOMAttrModified" within 20, i.e. the listener is registered
# immediately after execCommand("undo").
# Same three tokens as sids 36987/36986 with a different ordering; the two pairs will usually fire together.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CAttribute to CStyleAttrArray type confusion attempt"; flow:to_server,established; file_data; content:"ms-beginUndoUnit"; fast_pattern:only; content:"execCommand"; nocase; content:"undo"; within:10; nocase; content:"addEventListener"; within:40; nocase; content:"DOMAttrModified"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:36963; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CAttribute to CStyleAttrArray type confusion attempt"; flow:to_client,established; file_data; content:"ms-beginUndoUnit"; fast_pattern:only; content:"execCommand"; nocase; content:"undo"; within:10; nocase; content:"addEventListener"; within:40; nocase; content:"DOMAttrModified"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:36962; rev:2;)
|
|
# sids 36957 (SMTP) / 36956 (file_data ports) - CVE-2015-6157, MS15-124, TableGridBoxBuilder OOB read.
# document.body.cloneNode -> "true" within 15 (deep clone) -> .appendChild within 100
# -> .replaceChild within 250 -> .children within 50.
# This is the same DOM skeleton that sids 36674/36673 pre-filter on (those add a pcre for the negative
# index); a deep body clone followed by replaceChild(..., x.children[..]) is likely to trip both.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer TableGridBoxBuilder UpdateColumnSize out of bounds read attempt"; flow:to_server,established; file_data; content:"document.body.cloneNode"; nocase; content:"true"; within:15; nocase; content:".appendChild"; within:100; nocase; content:".replaceChild"; within:250; nocase; content:".children"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:36957; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer TableGridBoxBuilder UpdateColumnSize out of bounds read attempt"; flow:to_client,established; file_data; content:"document.body.cloneNode"; nocase; content:"true"; within:15; nocase; content:".appendChild"; within:100; nocase; content:".replaceChild"; within:250; nocase; content:".children"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:36956; rev:2;)
|
|
# sids 36951 (SMTP) / 36950 (file_data ports) - CVE-2015-6140, MS15-124/125, SComputedStyle destructor OOB read.
# Two .runtimeStyle + "-ms-wrap-flow" (within 25) assignments, with .selectAllChildren(document...)
# between them (selectAllChildren within 100 of the first, "document" within 15 of that,
# second .runtimeStyle within 100). All nocase.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer SComputedStyle destructor out of bounds read attempt"; flow:to_server,established; file_data; content:".runtimeStyle"; nocase; content:"-ms-wrap-flow"; within:25; nocase; content:".selectAllChildren"; within:100; nocase; content:"document"; within:15; nocase; content:".runtimeStyle"; within:100; nocase; content:"-ms-wrap-flow"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6140; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-125; classtype:attempted-user; sid:36951; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SComputedStyle destructor out of bounds read attempt"; flow:to_client,established; file_data; content:".runtimeStyle"; nocase; content:"-ms-wrap-flow"; within:25; nocase; content:".selectAllChildren"; within:100; nocase; content:"document"; within:15; nocase; content:".runtimeStyle"; within:100; nocase; content:"-ms-wrap-flow"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6140; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-125; classtype:attempted-user; sid:36950; rev:2;)
|
|
# sids 36949 (SMTP) / 36948 (file_data ports) - CVE-2015-6149, MS15-124, CTableCell invalid index.
# .appendChild -> .cloneNode within 50 -> document.all within 250 -> .removeNode within 25.
# No fast_pattern is set, so Snort picks the longest content. The tokens are all generic
# IE-legacy DOM calls; in environments with older intranet applications that still use document.all
# and removeNode, expect to review this one for false positives before relying on the drop action.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableCell invalid index memory corruption attempt"; flow:to_server,established; file_data; content:".appendChild"; nocase; content:".cloneNode"; within:50; nocase; content:"document.all"; within:250; nocase; content:".removeNode"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6149; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:36949; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableCell invalid index memory corruption attempt"; flow:to_client,established; file_data; content:".appendChild"; nocase; content:".cloneNode"; within:50; nocase; content:"document.all"; within:250; nocase; content:".removeNode"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6149; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:36948; rev:2;)
|
|
# sids 36947 (SMTP) / 36946 (file_data ports) - CVE-2015-6141, MS15-124, CSharedStyleSheet RemoveRule OOB read.
# Requires an "@media" block, then getElementById(...).sheet.addRule (addRule within 30 of the
# getElementById) followed within 250 by another getElementById(...).sheet.deleteRule
# (deleteRule is the fast_pattern). Rule-index manipulation on a sheet that holds an @media rule.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSharedStyleSheet RemoveRule out of bounds read attempt"; flow:to_server,established; file_data; content:"@media"; nocase; content:"document.getElementById"; nocase; content:".sheet.addRule"; within:30; nocase; content:"document.getElementById"; within:250; nocase; content:".sheet.deleteRule"; within:30; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6141; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36947; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSharedStyleSheet RemoveRule out of bounds read attempt"; flow:to_client,established; file_data; content:"@media"; nocase; content:"document.getElementById"; nocase; content:".sheet.addRule"; within:30; nocase; content:"document.getElementById"; within:250; nocase; content:".sheet.deleteRule"; within:30; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6141; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36946; rev:2;)
|
|
# sids 36945 (SMTP) / 36944 (file_data ports) - CVE-2015-6160, MS15-124, CTreePos use-after-free.
# body.createTextRange -> MutationObserver within 200 -> .observe within 200 -> "document" within 15,
# i.e. a text range on the body and a MutationObserver attached to the document shortly after.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt"; flow:to_server,established; file_data; content:"body.createTextRange"; nocase; content:"MutationObserver"; within:200; nocase; content:".observe"; within:200; nocase; content:"document"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6160; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36945; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt"; flow:to_client,established; file_data; content:"body.createTextRange"; nocase; content:"MutationObserver"; within:200; nocase; content:".observe"; within:200; nocase; content:"document"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6160; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36944; rev:2;)
|
|
# sids 36943 (SMTP) / 36942 (file_data ports) - CVE-2015-6155, MS15-124/125, flexbox use-after-free.
# addEventListener + "DOMNodeRemoved" within 25 (fast_pattern) -> .execCommand within 250
# -> "InsertImage" within 25 -> .replaceChild within 250 -> .children within 50.
# A DOMNodeRemoved mutation listener plus execCommand("InsertImage") and a replaceChild on .children.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer flexbox use after free attempt"; flow:to_server,established; file_data; content:".addEventListener"; nocase; content:"DOMNodeRemoved"; within:25; fast_pattern; nocase; content:".execCommand"; within:250; nocase; content:"InsertImage"; within:25; nocase; content:".replaceChild"; within:250; nocase; content:".children"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6155; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-125; classtype:attempted-user; sid:36943; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer flexbox use after free attempt"; flow:to_client,established; file_data; content:".addEventListener"; nocase; content:"DOMNodeRemoved"; within:25; fast_pattern; nocase; content:".execCommand"; within:250; nocase; content:"InsertImage"; within:25; nocase; content:".replaceChild"; within:250; nocase; content:".children"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6155; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-125; classtype:attempted-user; sid:36942; rev:2;)
|
|
# sids 36941 (SMTP) / 36940 (file_data ports) - CVE-2015-6148, MS15-124, CSpliceTreeEngine RemoveSplice
# null pointer dereference.
# .expand -> .select within 50 -> .getSelection within 100 -> .deleteFromDocument within 25
# -> setTimeout within 100. Every token is a generic selection/range call; the rule relies on the
# tight ordering for specificity.
# Msg describes a null-pointer dereference (a crash), yet classtype is attempted-user rather than the
# attempted-dos used by sids 36811-36813; worth aligning if this file is curated locally.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSpliceTreeEngine RemoveSplice null pointer dereference attempt"; flow:to_server,established; file_data; content:".expand"; nocase; content:".select"; within:50; nocase; content:".getSelection"; within:100; nocase; content:".deleteFromDocument"; within:25; nocase; content:"setTimeout"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6148; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36941; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSpliceTreeEngine RemoveSplice null pointer dereference attempt"; flow:to_client,established; file_data; content:".expand"; nocase; content:".select"; within:50; nocase; content:".getSelection"; within:100; nocase; content:".deleteFromDocument"; within:25; nocase; content:"setTimeout"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6148; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36940; rev:2;)
|
|
# sids 36939 (SMTP) / 36938 (file_data ports) - CVE-2015-6153, MS15-124, invalid table grid memory corruption.
# "msGetUntransformedBounds" anywhere (fast_pattern:only, case-sensitive), plus in order:
# document.createElement -> "table" within 7 (covers ("table / ('table) -> .createTFoot
# -> the CSS value "table-header-group". The last three are ordered but not distance-bounded.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer invalid table grid memory corruption attempt"; flow:to_server,established; file_data; content:"msGetUntransformedBounds"; fast_pattern:only; content:"document.createElement"; nocase; content:"table"; within:7; nocase; content:".createTFoot"; nocase; content:"table-header-group"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6153; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36939; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer invalid table grid memory corruption attempt"; flow:to_client,established; file_data; content:"msGetUntransformedBounds"; fast_pattern:only; content:"document.createElement"; nocase; content:"table"; within:7; nocase; content:".createTFoot"; nocase; content:"table-header-group"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6153; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36938; rev:2;)
|
|
# sids 36937 (SMTP) / 36936 (file_data ports) - CVE-2015-6159, MS15-124, TextBlock OOB read.
# The CSS selector "HGROUP:first-line" anywhere (fast_pattern:only, case-sensitive), then
# document.createElement("HGROUP") (HGROUP within 10) followed by two .setAttribute("class", ...)
# calls ("class" within 10 of each setAttribute). Sample needs the literal uppercase selector.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer TextBlock out of bounds read attempt"; flow:to_server,established; file_data; content:"HGROUP:first-line"; fast_pattern:only; content:"document.createElement"; nocase; content:"HGROUP"; within:10; nocase; content:".setAttribute"; distance:0; nocase; content:"class"; within:10; nocase; content:".setAttribute"; distance:0; nocase; content:"class"; within:10; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6159; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36937; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer TextBlock out of bounds read attempt"; flow:to_client,established; file_data; content:"HGROUP:first-line"; fast_pattern:only; content:"document.createElement"; nocase; content:"HGROUP"; within:10; nocase; content:".setAttribute"; distance:0; nocase; content:"class"; within:10; nocase; content:".setAttribute"; distance:0; nocase; content:"class"; within:10; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6159; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36936; rev:2;)
# sid 36933 (to_server, SMTP): CVE-2015-6170 / MS15-125, Edge iframe "climbing" cross-site scripting;
# inbound-mail counterpart of sid 36932. Ordered chain in file_data: <iframe, "data:" within 50 bytes,
# <script within 50, parent.location.replace within 100 - i.e. a data: URI iframe whose script navigates
# the parent. No explicit fast_pattern, so Snort selects the fast pattern itself (normally the longest content).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge iframe climbing cross site scripting attempt"; flow:to_server,established; file_data; content:"<iframe"; nocase; content:"data:"; within:50; nocase; content:"<script"; within:50; nocase; content:"parent.location.replace"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6170; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-125; classtype:attempted-user; sid:36933; rev:2;)
# sid 36932 (to_client, $FILE_DATA_PORTS): CVE-2015-6170 / MS15-125, Edge iframe climbing XSS.
# Same ordered chain as sid 36933 (<iframe, data:, <script, parent.location.replace, each within a
# bounded distance of the previous match) for content over http/ftp-data/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge iframe climbing cross site scripting attempt"; flow:to_client,established; file_data; content:"<iframe"; nocase; content:"data:"; within:50; nocase; content:"<script"; within:50; nocase; content:"parent.location.replace"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6170; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-125; classtype:attempted-user; sid:36932; rev:2;)
# sid 36929 (to_server, SMTP): CVE-2015-6150 / MS15-124, IE CTableLayout use-after-free; inbound-mail
# counterpart of sid 36928. Only two contents: document.body.replaceNode, then document.body within 50 bytes
# (replacing the body with a node derived from itself). Deliberately narrow; the short chain means any page
# using replaceNode on the body with a nearby document.body reference will alert.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableLayout use after free attempt"; flow:to_server,established; file_data; content:"document.body.replaceNode"; nocase; content:"document.body"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6150; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36929; rev:2;)
# sid 36928 (to_client, $FILE_DATA_PORTS): CVE-2015-6150 / MS15-124, IE CTableLayout use-after-free.
# Same two-content chain as sid 36929 (document.body.replaceNode, document.body within 50) for
# content over http/ftp-data/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableLayout use after free attempt"; flow:to_client,established; file_data; content:"document.body.replaceNode"; nocase; content:"document.body"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6150; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36928; rev:2;)
# sid 36927 (to_server, SMTP): CVE-2015-6156 / MS15-124, IE CObjectElement type confusion; inbound-mail
# counterpart of sid 36926. Three independent anchors in file_data: .fireEvent (fast pattern) with onclick
# within 25; X-UA-Compatible with IE=9 within 50 (document-mode pin); document.getElement with
# .getAttribute within 100 and srcElement within 25. Each anchor restarts from the buffer start,
# so the three groups may occur in any order relative to one another.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CObjectElement type confusion attempt"; flow:to_server,established; file_data; content:".fireEvent"; fast_pattern; nocase; content:"onclick"; within:25; nocase; content:"X-UA-Compatible"; nocase; content:"IE=9"; within:50; nocase; content:"document.getElement"; nocase; content:".getAttribute"; within:100; nocase; content:"srcElement"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6156; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:36927; rev:2;)
# sid 36926 (to_client, $FILE_DATA_PORTS): CVE-2015-6156 / MS15-124, IE CObjectElement type confusion.
# Same three anchor groups as sid 36927 (.fireEvent/onclick, X-UA-Compatible/IE=9,
# document.getElement/.getAttribute/srcElement) for content over http/ftp-data/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CObjectElement type confusion attempt"; flow:to_client,established; file_data; content:".fireEvent"; fast_pattern; nocase; content:"onclick"; within:25; nocase; content:"X-UA-Compatible"; nocase; content:"IE=9"; within:50; nocase; content:"document.getElement"; nocase; content:".getAttribute"; within:100; nocase; content:"srcElement"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6156; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:36926; rev:2;)
# sid 36923 rev 7 (to_server, SMTP): CVE-2015-6135 and CVE-2015-6136 (MS15-124 / MS15-126), IE VBScript engine
# use-after-free; inbound-mail counterpart of sid 36922. Chain in file_data: <script with VBScript within 50;
# then "Public " / "Default " / "Property " (a default property declaration, each keyword within 15 bytes of
# the previous); then "Set " with Nothing within 25. The keyword literals end in a single space, so the
# separator between them must be a space - a pcre with \s+ would be more tolerant of tabs.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt"; flow:to_server,established; file_data; content:"<script"; nocase; content:"VBScript"; within:50; nocase; content:"Public "; nocase; content:"Default "; within:15; nocase; content:"Property "; within:15; nocase; content:"Set "; nocase; content:"Nothing"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6135; reference:cve,2015-6136; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-126; classtype:attempted-user; sid:36923; rev:7;)
# sid 36922 rev 7 (to_client, $FILE_DATA_PORTS): CVE-2015-6135 / CVE-2015-6136, IE VBScript engine
# use-after-free. Same chain as sid 36923 (<script/VBScript, Public/Default/Property declaration,
# Set ... Nothing) for content over http/ftp-data/imap/pop3; same single-space keyword literals.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"VBScript"; within:50; nocase; content:"Public "; nocase; content:"Default "; within:15; nocase; content:"Property "; within:15; nocase; content:"Set "; nocase; content:"Nothing"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6135; reference:cve,2015-6136; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-126; classtype:attempted-user; sid:36922; rev:7;)
# sid 36921 (to_server, SMTP): CVE-2015-6147 / MS15-124, IE invalid TableRow use-after-free; inbound-mail
# counterpart of sid 36920. Single exact literal, document.body.appendChild(document), used as fast pattern
# only (case-sensitive, no whitespace tolerance inside the call). Drops in balanced, security, max-detect.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer invalid TableRow use after free attempt"; flow:to_server,established; file_data; content:"document.body.appendChild(document)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36921; rev:2;)
# sid 36920 (to_client, $FILE_DATA_PORTS): CVE-2015-6147 / MS15-124, IE invalid TableRow use-after-free.
# Same single exact literal as sid 36921, document.body.appendChild(document), for content over
# http/ftp-data/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer invalid TableRow use after free attempt"; flow:to_client,established; file_data; content:"document.body.appendChild(document)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; classtype:attempted-user; sid:36920; rev:2;)
# sid 36919 (to_server, SMTP): CVE-2015-6151 / MS15-124, IE CElement object use-after-free; inbound-mail
# counterpart of sid 36918. In file_data: document.getSelection with .collapseToEnd within 100 bytes (the
# fast pattern), plus a non-relative .parentNode.removeChild anywhere in the buffer.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CElement object use after free attempt"; flow:to_server,established; file_data; content:"document.getSelection"; nocase; content:".collapseToEnd"; within:100; fast_pattern; nocase; content:".parentNode.removeChild"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:36919; rev:2;)
# sid 36918 (to_client, $FILE_DATA_PORTS): CVE-2015-6151 / MS15-124, IE CElement object use-after-free.
# Same matches as sid 36919 (document.getSelection + .collapseToEnd within 100, non-relative
# .parentNode.removeChild) for content over http/ftp-data/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement object use after free attempt"; flow:to_client,established; file_data; content:"document.getSelection"; nocase; content:".collapseToEnd"; within:100; fast_pattern; nocase; content:".parentNode.removeChild"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-124; classtype:attempted-user; sid:36918; rev:2;)
# sid 36917 (to_client, $FILE_DATA_PORTS): CVE-2015-6139 (MS15-124 / MS15-125), IE iCalendar cross-site
# scripting. Requires BEGIN:VCALENDAR within the first 15 bytes of file_data (case-sensitive, depth:15 -
# an .ics file), a DESCRIPTION: property after it, and a non-relative <script tag anywhere in the file.
# No SMTP counterpart is present in this section of the file.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer iCalendar cross site scripting attempt"; flow:to_client,established; file_data; content:"BEGIN:VCALENDAR"; depth:15; content:"DESCRIPTION:"; distance:0; nocase; content:"<script"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6139; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-124; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-125; classtype:attempted-user; sid:36917; rev:2;)
# sid 37284 rev 3 (to_server, SMTP): IE VBScript engine use-after-free, covering CVE-2016-0002 (MS16-001),
# CVE-2017-11886, CVE-2018-1004 and CVE-2018-1023; inbound-mail counterpart of sid 37283. Three independent
# groups in file_data: X-UA-Compatible with IE=8 within 50 (document-mode pin), <script with VBScript
# within 50, and redim with preserve within 50 (array resize). The groups are not relative to one another.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt"; flow:to_server,established; file_data; content:"X-UA-Compatible"; nocase; content:"IE=8"; within:50; nocase; content:"<script"; nocase; content:"VBScript"; within:50; nocase; content:"redim"; nocase; content:"preserve"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0002; reference:cve,2017-11886; reference:cve,2018-1004; reference:cve,2018-1023; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11886; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1004; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-001; classtype:attempted-user; sid:37284; rev:3;)
# sid 37283 rev 4 (to_client, $FILE_DATA_PORTS): IE VBScript engine use-after-free, CVE-2016-0002 (MS16-001),
# CVE-2017-11886, CVE-2018-1004, CVE-2018-1023. Same three independent groups as sid 37284
# (X-UA-Compatible/IE=8, <script/VBScript, redim/preserve) for content over http/ftp-data/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt"; flow:to_client,established; file_data; content:"X-UA-Compatible"; nocase; content:"IE=8"; within:50; nocase; content:"<script"; nocase; content:"VBScript"; within:50; nocase; content:"redim"; nocase; content:"preserve"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0002; reference:cve,2017-11886; reference:cve,2018-1004; reference:cve,2018-1023; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11886; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1004; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-001; classtype:attempted-user; sid:37283; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge mutation event memory corruption attempt"; flow:to_server,established; file_data; content:".appendChild"; content:"new MutationObserver"; within:50; content:".observe"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0003; reference:cve,2016-0124; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-024; classtype:attempted-user; sid:37280; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge mutation event memory corruption attempt"; flow:to_client,established; file_data; content:".appendChild"; content:"new MutationObserver"; within:50; content:".observe"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0003; reference:cve,2016-0124; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-024; classtype:attempted-user; sid:37279; rev:3;)
# sid 37258 rev 3 (to_server, $HOME_NET -> $HOME_NET 139/445, service netbios-ssn): CVE-2016-0020 / MS16-007,
# IE request for mapi32x.dll over SMB (DLL-loading issue). Matches an SMB1 header (|FF|SMB followed by
# command 0xA2 = NT Create AndX) at offset 4, a UTF-16LE "mapi32x.dll" filename as the fast pattern, and a
# pcre requiring that name to begin a path component (preceded by \x19\x00 or a UTF-16 backslash), so a
# longer name merely containing the string does not alert. Lateral east-west traffic: both ends are internal.
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"BROWSER-IE Microsoft Internet Explorer request for mapi32x.dll over SMB attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"m|00|a|00|p|00|i|00|3|00|2|00|x|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; pcre:"/(\x19\x00|\x00\x5C)\x00m\x00a\x00p\x00i\x003\x002\x00x\x00\.\x00d\x00l\x00l\x00\x00\x00/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2016-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-007; classtype:attempted-user; sid:37258; rev:3;)
# sid 37257 rev 3 (to_server, $HOME_NET -> $EXTERNAL_NET $HTTP_PORTS, service http): CVE-2016-0020 / MS16-007,
# IE mapi32x.dll DLL-load. Alerts on an outbound HTTP request whose normalized URI contains "/mapi32x.dll"
# (fast pattern only), i.e. an internal client fetching that DLL name from an external web server; the SMB
# variant is sid 37258. References also carry ATT&CK technique URLs for DLL search-order / module-load abuse.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer mapi32x.dll dll-load exploit attempt"; flow:to_server,established; content:"/mapi32x.dll"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0020; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-007; classtype:attempted-user; sid:37257; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer corrupted HROW instance write access violation attempt"; flow:to_server,established; file_data; content:".cachesize"; fast_pattern:only; content:".recordset"; nocase; content:".move"; distance:0; nocase; pcre:"/\x2EcacheSize\s*=\s*-{0,1}0x.*?\x2EMove/si"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-1891; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-045; classtype:attempted-user; sid:37316; rev:1;)
# alert tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client,established; file_data; content:"white|2D|space|3A|normal|3B|"; fast_pattern:only; pcre:"/pre\s*\x7b\s*white\x2dspace\x3a\s*normal\s*\x3b\s*\x7d/i"; content:"span|20 2F|"; distance:0; nocase; content:"span|20 2F|"; within:14; nocase; pcre:"/(\x26lt\x3b|\x3c)pre(\x26gt\x3b|\x3e)\s*(\x26lt\x3b|\x3c)span\s\x2f(\x26gt\x3b|\x3e)(\x26lt\x3b|\x3c)span\s\x2f(\x26gt\x3b|\x3e)\s*(\x26lt\x3b|\x3c)\x2fpre(\x26gt\x3b|\x3e)/i"; metadata:policy max-detect-ips drop, service ftp-data; reference:cve,2006-1188; classtype:attempted-user; sid:37423; rev:2;)
# sid 37615 (to_server, SMTP): CVE-2016-0080 / MS16-011, IE CFGBitmap heap code execution; inbound-mail
# counterpart of sid 37614. In file_data: CollectGarbage as fast pattern only, a non-relative .onload, and a
# case-sensitive "for" with 0x1000 within 20 bytes (a loop stepping by page size). "for" and "0x1000" are
# short, generic tokens; the rule relies on the CollectGarbage anchor to keep the candidate set small.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CFGBitmap heap code execution attempt"; flow:to_server,established; file_data; content:"CollectGarbage"; fast_pattern:only; content:".onload"; nocase; content:"for"; content:"0x1000"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0080; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-011; classtype:attempted-user; sid:37615; rev:2;)
# sid 37614 (to_client, $FILE_DATA_PORTS): CVE-2016-0080 / MS16-011, IE CFGBitmap heap code execution.
# Same matches as sid 37615 (CollectGarbage fast pattern, .onload, "for" + 0x1000 within 20) for content
# over http/ftp-data/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CFGBitmap heap code execution attempt"; flow:to_client,established; file_data; content:"CollectGarbage"; fast_pattern:only; content:".onload"; nocase; content:"for"; content:"0x1000"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0080; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-011; classtype:attempted-user; sid:37614; rev:2;)
# sid 37613 (to_server, SMTP): CVE-2016-0062 / MS16-011, IE CACPWrap object use-after-free; inbound-mail
# counterpart of sid 37612. Ordered, case-sensitive chain in file_data: onpropertychange, createTextRange
# within 140, .execCommand within 60, ms-beginUndoUnit within 20; DefaultParagraphSeparator is the
# fast pattern only and is not relative to the chain. No nocase anywhere, so casing must match exactly.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CACPWrap object use-after-free attempt"; flow:to_server,established; file_data; content:"onpropertychange"; content:"createTextRange"; within:140; content:".execCommand"; within:60; content:"ms-beginUndoUnit"; within:20; content:"DefaultParagraphSeparator"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0062; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-011; classtype:attempted-user; sid:37613; rev:2;)
# sid 37612 (to_client, $FILE_DATA_PORTS): CVE-2016-0062 / MS16-011, IE CACPWrap object use-after-free.
# Same case-sensitive chain as sid 37613 (onpropertychange, createTextRange, .execCommand,
# ms-beginUndoUnit; DefaultParagraphSeparator fast pattern) for content over http/ftp-data/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CACPWrap object use-after-free attempt"; flow:to_client,established; file_data; content:"onpropertychange"; content:"createTextRange"; within:140; content:".execCommand"; within:60; content:"ms-beginUndoUnit"; within:20; content:"DefaultParagraphSeparator"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0062; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-011; classtype:attempted-user; sid:37612; rev:2;)
# sid 37611 (to_server, SMTP): CVE-2016-0061 / MS16-011, IE CallInvoke type confusion; inbound-mail
# counterpart of sid 37610. Single fast-pattern-only literal opener['\u (|27| = single quote, |5C| =
# backslash), i.e. a bracket property access on window.opener whose key starts with a \u escape.
# The double-quote form is covered separately by sid 37609 / 37608.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt"; flow:to_server,established; file_data; content:"opener[|27 5C|u"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-011; classtype:attempted-user; sid:37611; rev:2;)
# sid 37610 (to_client, $FILE_DATA_PORTS): CVE-2016-0061 / MS16-011, IE CallInvoke type confusion.
# Single-quote variant (opener['\u) for content over http/ftp-data/imap/pop3; SMTP counterpart is sid 37611.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt"; flow:to_client,established; file_data; content:"opener[|27 5C|u"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-011; classtype:attempted-user; sid:37610; rev:2;)
# sid 37609 (to_server, SMTP): CVE-2016-0061 / MS16-011, IE CallInvoke type confusion; inbound-mail
# counterpart of sid 37608. Double-quote variant: fast-pattern-only literal opener["\u (|22| = double quote,
# |5C| = backslash). Single-quote form is sid 37611 / 37610.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt"; flow:to_server,established; file_data; content:"opener[|22 5C|u"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-011; classtype:attempted-user; sid:37609; rev:2;)
# sid 37608 (to_client, $FILE_DATA_PORTS): CVE-2016-0061 / MS16-011, IE CallInvoke type confusion.
# Double-quote variant (opener["\u) for content over http/ftp-data/imap/pop3; SMTP counterpart is sid 37609.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt"; flow:to_client,established; file_data; content:"opener[|22 5C|u"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-011; classtype:attempted-user; sid:37608; rev:2;)
# sid 37605 rev 4 (to_server, SMTP): CVE-2016-0067 / MS16-009, IE StrCmpNICW string object use-after-free;
# inbound-mail counterpart of sid 37604. Ordered chain in file_data: valueOf, location within 20, toString
# within 20 (fast pattern), then location.href="" (|22 22| = two double quotes) and document.open( later in
# the buffer. The href literal is exact: a single-quoted empty string or whitespace around "=" is not matched.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt"; flow:to_server,established; file_data; content:"valueOf"; nocase; content:"location"; within:20; nocase; content:"toString"; within:20; fast_pattern; nocase; content:"location.href=|22 22|"; distance:0; nocase; content:"document.open("; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0067; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-009; classtype:attempted-user; sid:37605; rev:4;)
# sid 37604 rev 4 (to_client, $FILE_DATA_PORTS): CVE-2016-0067 / MS16-009, IE StrCmpNICW string object
# use-after-free. Same ordered chain as sid 37605 (valueOf, location, toString, location.href="",
# document.open() for content over http/ftp-data/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt"; flow:to_client,established; file_data; content:"valueOf"; nocase; content:"location"; within:20; nocase; content:"toString"; within:20; fast_pattern; nocase; content:"location.href=|22 22|"; distance:0; nocase; content:"document.open("; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0067; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-009; classtype:attempted-user; sid:37604; rev:4;)
# sid 37603 (to_server, SMTP): CVE-2016-0068 / MS16-009, IE IFRAME object constructor cross-site scripting;
# inbound-mail counterpart of sid 37602. Two contents in file_data: returnValue, then .constructor.constructor
# within 100 bytes (reaching a Function constructor through a returned object). classtype is
# web-application-attack rather than attempted-user.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer IFRAME object constructor cross site scripting attempt"; flow:to_server,established; file_data; content:"returnValue"; nocase; content:".constructor.constructor"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0068; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-009; classtype:web-application-attack; sid:37603; rev:2;)
# sid 37602 (to_client, $FILE_DATA_PORTS): CVE-2016-0068 / MS16-009, IE IFRAME object constructor XSS.
# Same two contents as sid 37603 (returnValue, .constructor.constructor within 100) for content over
# http/ftp-data/imap/pop3; classtype web-application-attack.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer IFRAME object constructor cross site scripting attempt"; flow:to_client,established; file_data; content:"returnValue"; nocase; content:".constructor.constructor"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0068; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-009; classtype:web-application-attack; sid:37602; rev:2;)
# sid 37597 rev 3 (to_server, SMTP): CVE-2016-0071 / MS16-009, IE CTextBlock use-after-free; inbound-mail
# counterpart of sid 37596. Ordered chain in file_data: .createRange, .execCommand within 80,
# InsertOrderedList within 25 (fast pattern), then .removeAllRanges anywhere after it (distance:0).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTextBlock use-after-free attempt"; flow:to_server,established; file_data; content:".createRange"; nocase; content:".execCommand"; within:80; nocase; content:"InsertOrderedList"; within:25; fast_pattern; nocase; content:".removeAllRanges"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0071; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-009; classtype:attempted-user; sid:37597; rev:3;)
# sid 37596 rev 3 (to_client, $FILE_DATA_PORTS): CVE-2016-0071 / MS16-009, IE CTextBlock use-after-free.
# Same ordered chain as sid 37597 (.createRange, .execCommand, InsertOrderedList, .removeAllRanges) for
# content over http/ftp-data/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTextBlock use-after-free attempt"; flow:to_client,established; file_data; content:".createRange"; nocase; content:".execCommand"; within:80; nocase; content:"InsertOrderedList"; within:25; fast_pattern; nocase; content:".removeAllRanges"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0071; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-009; classtype:attempted-user; sid:37596; rev:3;)
# sid 37582 (to_server, SMTP): CVE-2016-0060 / MS16-009, Edge SysFreeString double free; inbound-mail
# counterpart of sid 37581. Two independent groups in file_data: .setAttribute with nodeValue within 15,
# and this.toString with this.valueOf within 75 (the fast pattern) - overridden string-conversion methods
# on an object passed to setAttribute.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge SysFreeString double free attempt"; flow:to_server,established; file_data; content:".setAttribute"; nocase; content:"nodeValue"; within:15; nocase; content:"this.toString"; nocase; content:"this.valueOf"; within:75; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0060; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-009; classtype:attempted-user; sid:37582; rev:2;)
# sid 37581 (to_client, $FILE_DATA_PORTS): CVE-2016-0060 / MS16-009, Edge SysFreeString double free.
# Same two groups as sid 37582 (.setAttribute/nodeValue, this.toString/this.valueOf) for content over
# http/ftp-data/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge SysFreeString double free attempt"; flow:to_client,established; file_data; content:".setAttribute"; nocase; content:"nodeValue"; within:15; nocase; content:"this.toString"; nocase; content:"this.valueOf"; within:75; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0060; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-009; classtype:attempted-user; sid:37581; rev:2;)
# sid 37576 (to_server, SMTP): CVE-2016-0083 / MS16-011, Edge CTextBlock out-of-bounds read; inbound-mail
# counterpart of sid 37575. One fully relative, case-insensitive chain in file_data: .createTextRange,
# .select within 100, getSelection within 200, .removeAllRanges within 25, .moveStart within 100,
# .execCommand within 100. Every link is bounded, so the six calls must appear in this order and proximity.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge CTextBlock out of bounds read attempt"; flow:to_server,established; file_data; content:".createTextRange"; nocase; content:".select"; within:100; nocase; content:"getSelection"; within:200; nocase; content:".removeAllRanges"; within:25; nocase; content:".moveStart"; within:100; nocase; content:".execCommand"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0083; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-011; classtype:attempted-user; sid:37576; rev:2;)
# sid 37575 (to_client, $FILE_DATA_PORTS): CVE-2016-0083 / MS16-011, Edge CTextBlock out-of-bounds read.
# Same six-link relative chain as sid 37576 (.createTextRange ... .execCommand) for content over
# http/ftp-data/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge CTextBlock out of bounds read attempt"; flow:to_client,established; file_data; content:".createTextRange"; nocase; content:".select"; within:100; nocase; content:"getSelection"; within:200; nocase; content:".removeAllRanges"; within:25; nocase; content:".moveStart"; within:100; nocase; content:".execCommand"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0083; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-011; classtype:attempted-user; sid:37575; rev:2;)
# sid 37574 (to_server, SMTP): CVE-2016-0063 / MS16-009, IE CDomPrototype type confusion; inbound-mail
# counterpart of sid 37572. Two groups in file_data: X-UA-Compatible with IE=8 within 50 (document-mode
# pin), and document.implementation with .prototype within 50; the pcre then confirms a
# .prototype.hasFeature or .prototype.isPrototypeOf reference. The DOMImplementation-by-name variant
# of the same CVE is sid 37573.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt"; flow:to_server,established; file_data; content:"X-UA-Compatible"; nocase; content:"IE=8"; within:50; nocase; content:"document.implementation"; nocase; content:".prototype"; within:50; nocase; pcre:"/\.prototype\.(hasFeature|isPrototypeOf)/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0063; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-009; classtype:attempted-user; sid:37574; rev:2;)
# sid 37573 rev 3 (to_server, SMTP): CVE-2016-0063 / MS16-009, IE CDomPrototype type confusion; inbound-mail
# counterpart of sid 37571. Variant of sid 37574 that keys on the DOMImplementation interface name: <script
# (case-sensitive), DOMImplementation within 200, .prototype within 50, then the same
# .prototype.(hasFeature|isPrototypeOf) pcre.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt"; flow:to_server,established; file_data; content:"<script"; content:"DOMImplementation"; within:200; nocase; content:".prototype"; within:50; nocase; pcre:"/\.prototype\.(hasFeature|isPrototypeOf)/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0063; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-009; classtype:attempted-user; sid:37573; rev:3;)
# sid 37572 (to_client, $FILE_DATA_PORTS): CVE-2016-0063 / MS16-009, IE CDomPrototype type confusion.
# Same matches as sid 37574 (X-UA-Compatible/IE=8, document.implementation/.prototype, hasFeature or
# isPrototypeOf pcre) for content over http/ftp-data/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt"; flow:to_client,established; file_data; content:"X-UA-Compatible"; nocase; content:"IE=8"; within:50; nocase; content:"document.implementation"; nocase; content:".prototype"; within:50; nocase; pcre:"/\.prototype\.(hasFeature|isPrototypeOf)/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0063; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-009; classtype:attempted-user; sid:37572; rev:2;)
# sid 37571 rev 3 (to_client, $FILE_DATA_PORTS): CVE-2016-0063 / MS16-009, IE CDomPrototype type confusion.
# DOMImplementation-by-name variant matching sid 37573 (<script, DOMImplementation within 200, .prototype
# within 50, hasFeature/isPrototypeOf pcre) for content over http/ftp-data/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt"; flow:to_client,established; file_data; content:"<script"; content:"DOMImplementation"; within:200; nocase; content:".prototype"; within:50; nocase; pcre:"/\.prototype\.(hasFeature|isPrototypeOf)/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0063; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-009; classtype:attempted-user; sid:37571; rev:3;)
# sid 37554 (to_server, SMTP): CVE-2016-0072 / MS16-009, IE CDATA use-after-free; inbound-mail counterpart of
# sid 37553. Ordered chain in file_data: a <![CDATA[ section opener (fast pattern), createElementNS after it
# with "svg" within 50, CollectGarbage later in the section, and the closing ]]> within 500 bytes of it -
# script inside a CDATA block of an SVG document that forces garbage collection.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDATA use-after-free attempt"; flow:to_server,established; file_data; content:"<![CDATA["; fast_pattern; content:"createElementNS"; distance:0; nocase; content:"svg"; within:50; nocase; content:"CollectGarbage"; distance:0; nocase; content:"]]>"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0072; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-009; classtype:attempted-user; sid:37554; rev:2;)
# sid 37553 (to_client, $FILE_DATA_PORTS): CVE-2016-0072 / MS16-009, IE CDATA use-after-free.
# Same ordered chain as sid 37554 (<![CDATA[, createElementNS + svg, CollectGarbage, ]]> within 500) for
# content over http/ftp-data/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDATA use-after-free attempt"; flow:to_client,established; file_data; content:"<![CDATA["; fast_pattern; content:"createElementNS"; distance:0; nocase; content:"svg"; within:50; nocase; content:"CollectGarbage"; distance:0; nocase; content:"]]>"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0072; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-009; classtype:attempted-user; sid:37553; rev:2;)
# sid 37634 (to_server, SMTP): CVE-2014-2782 / MS14-035, IE CTextElement use-after-free; inbound-mail
# counterpart of sid 37633. Two groups in file_data: document.getElementById with "loaded" within 200 and
# click() within 200; <form with "text" within 200; plus the fast pattern ".innerHTML =" anywhere in the
# buffer. The fast pattern is case-sensitive and includes the surrounding spaces, so ".innerHTML=" without
# spaces, or other spacing, is not matched - a pcre with \s* around "=" would be more robust.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt"; flow:to_server,established; file_data; content:"document.getElementById"; nocase; content:"loaded"; within:200; nocase; content:"click()"; within:200; nocase; content:"<form"; nocase; content:"text"; within:200; nocase; content:".innerHTML ="; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-2782; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-035; classtype:attempted-user; sid:37634; rev:1;)
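# sid 37633 rev 3 (to_client, $FILE_DATA_PORTS): CVE-2014-2782 / MS14-035, IE CTextElement use-after-free.
# Same matches as the SMTP variant sid 37634 (document.getElementById/loaded/click(), <form/text,
# case-sensitive ".innerHTML =" fast pattern) for content over http/ftp-data/imap/pop3.
# rev 3: source port variable changed from $HTTP_PORTS to $FILE_DATA_PORTS. The rule's service metadata
# lists ftp-data, imap and pop3 alongside http, and every other to_client rule in this section uses
# $FILE_DATA_PORTS; with $HTTP_PORTS, responses on non-HTTP ports were only evaluated when the sensor
# had identified the service by other means (configuration-dependent), leaving mail/FTP delivery uncovered.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt"; flow:to_client,established; file_data; content:"document.getElementById"; nocase; content:"loaded"; within:200; nocase; content:"click()"; within:200; nocase; content:"<form"; nocase; content:"text"; within:200; nocase; content:".innerHTML ="; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-2782; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-035; classtype:attempted-user; sid:37633; rev:3;)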
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer form selection reset attempt"; flow:to_server,established; file_data; content:"document.getElementById"; fast_pattern:only; content:"form"; nocase; content:"document.createElement("; distance:0; nocase; content:".inner"; distance:0; nocase; content:".reset("; distance:0; nocase; pcre:"/document.getElementById.+?(\w+\.add\(\s*document.createElement|document.createElement\(.+?\w\.add\().+?\w\.inner(HTML|Text)\s*?=[^\x3b]+?\x3b.*?\w+\.reset\(/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49961; reference:cve,2011-1996; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:37724; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer onscroll DOS attempt"; flow:to_server,established; file_data; content:"function"; nocase; content:"createElement"; distance:0; nocase; content:"onscroll"; fast_pattern:only; pcre:"/function\s*(?P<badfunction>\w+)\s*\x28\s*\x29.+?onscroll\s*=\s*[\x22\x27]+(?P=badfunction).*?[\x22\x27]/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49947; reference:cve,2011-1993; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:37716; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer onscroll DOS attempt"; flow:to_server,established; file_data; content:"function"; nocase; content:"onscroll"; fast_pattern:only; content:"createElement"; nocase; pcre:"/function\s+(?P<q2>\w).*onscroll\s*=\s*(?P<q1>\w).*function\s+(?P=q1).*?createElement\s*\x28\s*(?P<q3>\x22|\x27|)\s*table\s*(?P=q3)\s*\x29.*?onload\s*=\s*(?P=q2)/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49947; reference:cve,2011-1993; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:37715; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt"; flow:to_server,established; file_data; content:"|3C 3F|IMPORT namespace=|22|"; nocase; content:"implementation=|22|#|3B|de|3B|f|3B|a|3B|u|3B|lt|3B|#|3B|VML|22 3E|"; within:90; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,52906; reference:cve,2012-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-023; classtype:attempted-user; sid:37848; rev:1;)
# sid:37847 (disabled). Client-side twin of sid:37848 (CVE-2012-0172, MS12-023), same content
# chain over ftp-data/http/imap/pop3 file_data. The source port list is
# "[$FILE_DATA_PORTS,666]" — the other to_client rules in this section use $FILE_DATA_PORTS
# alone; the extra port 666 looks deliberate but is undocumented here, worth confirming.
# alert tcp $EXTERNAL_NET [$FILE_DATA_PORTS,666] -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt"; flow:to_client,established; file_data; content:"|3C 3F|IMPORT namespace=|22|"; nocase; content:"implementation=|22|#|3B|de|3B|f|3B|a|3B|u|3B|lt|3B|#|3B|VML|22 3E|"; within:90; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52906; reference:cve,2012-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-023; classtype:attempted-user; sid:37847; rev:1;)
# sid:37837 (disabled). Inbound-SMTP swapNode memory corruption (CVE-2013-3897, MS13-080).
# Content anchors: .applyElement (fast_pattern), onpropertychange, execCommand within 500,
# onselect; the pcre ties the appendChild() argument to the later .onselect / .select calls
# via (?P=var). The pcre carries the "O" modifier, which overrides the configured PCRE
# match/recursion limits for this expression, so its .*? spans are not bounded by the global
# limits — keep that in mind for large file_data buffers.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt"; flow:to_server,established; file_data; content:".applyElement"; fast_pattern; nocase; content:"onpropertychange"; nocase; content:"execCommand"; within:500; nocase; content:"onselect"; nocase; pcre:"/\x2eappendChild\s*\x28\s*(?P<var>\w+)\s*\x29.*?(?P=var)\x2eonselect[^\x7d]+\x2eapplyElement.*?(?P=var)\x2eselect/smiO"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,62811; reference:cve,2013-3897; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-080; classtype:attempted-user; sid:37837; rev:2;)
# sid:37836 (disabled). Client-side twin of sid:37837 (CVE-2013-3897, MS13-080) over
# ftp-data/http/imap/pop3; identical content chain and pcre, including the "O" modifier that
# lifts the global PCRE match limits for this expression.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt"; flow:to_client,established; file_data; content:".applyElement"; fast_pattern; nocase; content:"onpropertychange"; nocase; content:"execCommand"; within:500; nocase; content:"onselect"; nocase; pcre:"/\x2eappendChild\s*\x28\s*(?P<var>\w+)\s*\x29.*?(?P=var)\x2eonselect[^\x7d]+\x2eapplyElement.*?(?P=var)\x2eselect/smiO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,62811; reference:cve,2013-3897; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-080; classtype:attempted-user; sid:37836; rev:2;)
# sid:37811 (enabled; drops in balanced-ips, max-detect-ips and security-ips). Inbound-SMTP
# CDisplayPointer UAF (CVE-2013-3205, MS13-069). Purely content-based: onbeforeeditfocus
# (fast_pattern:only), then .createElement, "div" within 10, className within 50 and
# appendChild within 50. "className" and "appendChild" are matched case-sensitively (no
# nocase) while the surrounding contents are case-insensitive; JavaScript identifiers are
# case-sensitive, so that is consistent with real code but differs from the rest of the chain.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDisplayPointer use after free attempt"; flow:to_server,established; file_data; content:"onbeforeeditfocus"; fast_pattern:only; content:".createElement"; nocase; content:"div"; within:10; nocase; content:"className"; within:50; content:"appendChild"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3205; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-069; classtype:attempted-user; sid:37811; rev:1;)
# sid:37810 (enabled; drops in balanced/max-detect/security policies). Client-side twin of
# sid:37811 (CVE-2013-3205, MS13-069) over ftp-data/http/imap/pop3, same content chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDisplayPointer use after free attempt"; flow:to_client,established; file_data; content:"onbeforeeditfocus"; fast_pattern:only; content:".createElement"; nocase; content:"div"; within:10; nocase; content:"className"; within:50; content:"appendChild"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3205; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-069; classtype:attempted-user; sid:37810; rev:1;)
# sid:37870 (disabled). Inbound-SMTP PNG tRNS chunk overflow (CVE-2005-1211, MS05-025).
# Requires the file.png flowbit to already be set by another rule (not in this section), then
# checks the PNG signature, IHDR, and a "tRNS" chunk whose 4-byte big-endian length field —
# read 8 bytes back from the end of "tRNS", i.e. immediately before the chunk type — is > 256.
# Because "tRNS" is located with distance:0 from IHDR rather than a fixed offset, the rule
# also fires if the literal appears inside another chunk's data.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,13941; reference:cve,2005-1211; reference:nessus,18490; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-025; classtype:attempted-user; sid:37870; rev:1;)
# sid:38016 (disabled). Inbound-SMTP DOM manipulation memory corruption (CVE-2012-1875,
# MS12-037). Single fixed literal parseInt("20012202000101010" — this appears to be a
# sample-specific constant, so the rule only catches that one exploit variant and any
# trivially changed value evades it.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt"; flow:to_server,established; file_data; content:"parseInt(|22|20012202000101010|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53847; reference:cve,2012-1875; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:38016; rev:2;)
# sid:38015 (disabled). Client-side twin of sid:38016 (CVE-2012-1875, MS12-037) over
# ftp-data/http/imap/pop3; same single sample-specific parseInt literal.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"parseInt(|22|20012202000101010|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53847; reference:cve,2012-1875; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:38015; rev:2;)
# sid:38014 (disabled). Inbound-SMTP getBoundingClientRect rebalancing bug (CVE-2012-1880,
# MS12-037). Review point: the pcre tail ".*?(appenchild){0,1}" is a no-op — the group is
# optional and preceded by a lazy .*?, so it always matches empty and adds no constraint;
# the literal is also misspelled ("appenchild" vs appendChild). Either drop the tail or make
# it mandatory with the correct spelling so it actually narrows the match.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt"; flow:to_server,established; file_data; content:"table"; nocase; content:"caption"; nocase; content:"get"; nocase; content:"ClientRect"; within:20; fast_pattern; pcre:"/table.*?caption.*?ClientRect.*?(tbodies|insertrow).*?(appenchild){0,1}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-1880; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:38014; rev:1;)
# sid:38013 (disabled). Client-side twin of sid:38014 (CVE-2012-1880, MS12-037). Same pcre,
# including the ineffective optional tail "(appenchild){0,1}" (misspelled and always able to
# match empty), so the effective pattern ends at "(tbodies|insertrow)".
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt"; flow:to_client,established; file_data; content:"table"; nocase; content:"caption"; nocase; content:"get"; nocase; content:"ClientRect"; within:20; fast_pattern; pcre:"/table.*?caption.*?ClientRect.*?(tbodies|insertrow).*?(appenchild){0,1}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1880; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:38013; rev:1;)
# sid:37974 (disabled). Third inbound-SMTP onscroll DoS signature (CVE-2011-1993, MS11-081),
# content-only: onscroll (fast_pattern:only), a style declaration with "overflow" within 10
# and "scroll" within 10 of it, plus document.body.appendChild anywhere in file_data.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer onscroll DOS attempt"; flow:to_server,established; file_data; content:"onscroll"; fast_pattern:only; content:"style"; nocase; content:"overflow"; within:10; nocase; content:"scroll"; within:10; nocase; content:"document.body.appendChild"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49947; reference:cve,2011-1993; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:37974; rev:2;)
# sid:37973 (disabled). Client-side twin of sid:37974 (CVE-2011-1993, MS11-081) over
# ftp-data/http/imap/pop3; same overflow:scroll + document.body.appendChild content chain.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onscroll DOS attempt"; flow:to_client,established; file_data; content:"onscroll"; fast_pattern:only; content:"style"; nocase; content:"overflow"; within:10; nocase; content:"scroll"; within:10; nocase; content:"document.body.appendChild"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49947; reference:cve,2011-1993; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-081; classtype:attempted-user; sid:37973; rev:2;)
# sid:37970 (disabled; no IPS drop policy). Inbound-SMTP DataView UAF (CVE-2015-1747,
# MS15-056). "setInt" is the fast pattern; "DataView" and "valueOf" are unanchored
# (matched anywhere in file_data) and only "postMessage" is positional (within 150 of
# valueOf). All four are case-sensitive. Note rev:4 here vs rev:3 on the client-side twin.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt"; flow:to_server,established; file_data; content:"setInt"; fast_pattern:only; content:"DataView"; content:"valueOf"; content:"postMessage"; within:150; metadata:service smtp; reference:cve,2015-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:37970; rev:4;)
# sid:37969 (disabled; no IPS drop policy). Client-side twin of sid:37970 (CVE-2015-1747,
# MS15-056) over ftp-data/http/imap/pop3, same content chain; rev:3 vs rev:4 on the SMTP rule.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt"; flow:to_client,established; file_data; content:"setInt"; fast_pattern:only; content:"DataView"; content:"valueOf"; content:"postMessage"; within:150; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:37969; rev:3;)
# sid:37967 (disabled). Inbound-SMTP "covered object" memory corruption (CVE-2012-1260,
# ms11-050). Both byte_tests read up to 10 ASCII-decimal characters right after the CSS
# property and require a value >= 1000: an oversized font-size followed later by a
# "margin-right:-" (|3A 2D|) with a magnitude >= 1000. Neither content has fast_pattern set,
# so the fast-pattern matcher picks one automatically.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt"; flow:to_server,established; file_data; content:"font-size:"; byte_test:10,>=,1000,0,relative,string; content:"margin-right|3A 2D|"; distance:0; byte_test:10,>=,1000,0,relative,string; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-1260; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-050; classtype:attempted-user; sid:37967; rev:1;)
# sid:37966 (disabled). Client-side twin of sid:37967 (CVE-2012-1260, ms11-050) over
# ftp-data/http/imap/pop3; same font-size / margin-right byte_test pair (decimal string,
# >= 1000).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt"; flow:to_client,established; file_data; content:"font-size:"; byte_test:10,>=,1000,0,relative,string; content:"margin-right|3A 2D|"; distance:0; byte_test:10,>=,1000,0,relative,string; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1260; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-050; classtype:attempted-user; sid:37966; rev:1;)
# sid:37961 (disabled). Long-URL overflow (CVE-2006-3869) on requests from $EXTERNAL_NET to
# internal HTTP ports: fires when the URI is longer than 600 bytes and contains 20 consecutive
# 'A's anywhere. Runs of 20 'A's can legitimately occur in base64/hex-encoded URI parameters,
# so on busy web servers this pairing may be noisy — keep the content unanchored only if
# that false-positive rate is acceptable.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt"; flow:to_server,established; urilen:>600; content:"AAAAAAAAAAAAAAAAAAAA"; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; sid:37961; rev:2;)
# sid:37956 (disabled). Inbound-SMTP boundElements code execution (CVE-2010-2557, ms10-053),
# onload variant: event.boundElements (fast_pattern:only), then "onload" with window.close
# within 40 bytes. Only an onclick client-side twin (sid:37954) appears in this section; there
# is no to_client counterpart for this onload form here.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer boundElements arbitrary code execution attempt"; flow:to_server,established; file_data; content:"event.boundElements"; fast_pattern:only; content:"onload"; nocase; content:"window.close"; within:40; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42288; reference:cve,2010-2557; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-053; classtype:attempted-user; sid:37956; rev:1;)
# sid:37955 (disabled). Inbound-SMTP boundElements code execution (CVE-2010-2557, ms10-053),
# onclick variant — identical to sid:37956 except the handler literal is "onclick".
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer boundElements arbitrary code execution attempt"; flow:to_server,established; file_data; content:"event.boundElements"; fast_pattern:only; content:"onclick"; nocase; content:"window.close"; within:40; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42288; reference:cve,2010-2557; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-053; classtype:attempted-user; sid:37955; rev:1;)
# sid:37954 (disabled). Client-side twin of sid:37955 (CVE-2010-2557, ms10-053) over
# ftp-data/http/imap/pop3, onclick variant only.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer boundElements arbitrary code execution attempt"; flow:to_client,established; file_data; content:"event.boundElements"; fast_pattern:only; content:"onclick"; nocase; content:"window.close"; within:40; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42288; reference:cve,2010-2557; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-053; classtype:attempted-user; sid:37954; rev:1;)
# sid:37952 (disabled). IE FTP client directory traversal (CVE-2004-1376), backslash form:
# an FTP "RETR " command followed within 20 bytes by "..\" (|5C|). Direction is to_server from
# $EXTERNAL_NET to $HOME_NET on any port, i.e. it fires on an external client sending the
# traversal path to an internal FTP server; as the vulnerability is in the client, confirm
# that orientation matches the intended deployment. No fast_pattern is set explicitly.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer FTP client directory traversal attempt"; flow:to_server,established; content:"RETR|20|"; content:"..|5C|"; within:20; metadata:policy max-detect-ips drop, service ftp; reference:cve,2004-1376; classtype:misc-activity; sid:37952; rev:2;)
# sid:37951 (disabled). Forward-slash form of sid:37952 (CVE-2004-1376): "RETR " followed
# within 20 bytes by "../". Same external-client -> internal-server orientation, which is
# worth confirming against the deployment since the flaw is client-side.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer FTP client directory traversal attempt"; flow:to_server,established; content:"RETR|20|"; content:"../"; within:20; metadata:policy max-detect-ips drop, service ftp; reference:cve,2004-1376; classtype:misc-activity; sid:37951; rev:2;)
# sid:37947 (disabled). Inbound-SMTP invalid object access (CVE-2010-0249, MS10-002),
# setTimeout variant: createEventObject (fast_pattern:only), innerHTML anywhere, then
# setTimeout within 250 bytes of it. Case-sensitive throughout.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer invalid object access memory corruption attempt"; flow:to_server,established; file_data; content:"createEventObject"; fast_pattern:only; content:"innerHTML"; content:"setTimeout"; within:250; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:37947; rev:1;)
# sid:37946 (disabled). setInterval variant of sid:37947 (CVE-2010-0249, MS10-002) for
# inbound SMTP; otherwise the same createEventObject / innerHTML content chain.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer invalid object access memory corruption attempt"; flow:to_server,established; file_data; content:"createEventObject"; fast_pattern:only; content:"innerHTML"; content:"setInterval"; within:250; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:37946; rev:1;)
# sid:37945 (disabled). Inbound-SMTP deleted object access (CVE-2010-0249, MS10-002). The
# only match is one long space-separated decimal sequence, which appears to be a char-code
# encoding of a character-shifted JavaScript fragment from a specific sample; it therefore
# matches that exact encoding and nothing else. Highly specific, low false-positive, but
# trivially evaded by any re-encoding.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_server,established; file_data; content:"100 112 99 118 109 102 110 117 46 100 114 102 97 117 101 70 118 102 110 117 79 99 106 102 99 117 40 102 118 117 41 60 32 101 111 100 117 110 101 111 116 47 103 102 116 70 108 102 109 102 110 117 66 122 73 101 40 35 115 113 49 35 41 47 105 111 110 102 114 73 84 78 76 62 34 35 59 120 105 111 100 112 119 47 115 102 116 74 110 117 101 115 118 98 108"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:37945; rev:1;)
# sid:37944 (disabled). Client-side twin of sid:37946 (CVE-2010-0249, MS10-002) over
# ftp-data/http/imap/pop3 — setInterval form only; no to_client setTimeout counterpart
# appears in this section.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer invalid object access memory corruption attempt"; flow:to_client,established; file_data; content:"createEventObject"; fast_pattern:only; content:"innerHTML"; content:"setInterval"; within:250; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:37944; rev:1;)
# sid:37936 (disabled). Inbound-SMTP malformed table tag (CVE-2010-2560), rowspan form.
# The pcre captures the id attribute value of a <td>/<tr>/<th>/<thead>/<tfoot> element
# (group 3, with group 2 holding the optional quote) and requires "<id>.rowspan" to be
# referenced later, then "</script>" and "</table>" in that order. No bulletin URL reference
# is given, unlike most rules in this section.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer malformed table tag memory corruption attempt"; flow:to_server,established; file_data; content:"rowspan"; fast_pattern:only; content:"<script>"; nocase; pcre:"/<t(d|r|h|head|foot)[^>]+id\s*=\s*(?P<q1>\x22|\x27|)([^\x22\x27]+)(?P=q1).*?\3\.rowspan.*?<\/script>.*?<\/table>/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-2560; classtype:attempted-user; sid:37936; rev:1;)
# sid:37935 (disabled). colspan form of sid:37936 (CVE-2010-2560): identical structure with
# "colspan" as fast pattern and "\3\.colspan" in the pcre.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer malformed table tag memory corruption attempt"; flow:to_server,established; file_data; content:"colspan"; fast_pattern:only; content:"<script>"; nocase; pcre:"/<t(d|r|h|head|foot)[^>]+id\s*=\s*(?P<q1>\x22|\x27|)([^\x22\x27]+)(?P=q1).*?\3\.colspan.*?<\/script>.*?<\/table>/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-2560; classtype:attempted-user; sid:37935; rev:1;)
# sid:37889 (disabled). Inbound-SMTP dynamic page reloading memory corruption (CVE-2007-0946,
# ms07-027): "script" followed within 35 bytes by the literal "window.location.reload()" and
# "</script>" within 25 bytes after that — i.e. a script block that does almost nothing but
# reload. Any whitespace or argument inside the reload() call defeats the literal match.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer dynamic page reloading memory corruption attempt"; flow:to_server,established; file_data; content:"script"; nocase; content:"window.location.reload()"; within:35; nocase; content:"</script>"; within:25; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,23770; reference:cve,2007-0946; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:attempted-user; sid:37889; rev:1;)
# sid:37888 (disabled). Client-side twin of sid:37889 (CVE-2007-0946, ms07-027) over
# ftp-data/http/imap/pop3; same tight script / window.location.reload() / </script> chain.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer dynamic page reloading memory corruption attempt"; flow:to_client,established; file_data; content:"script"; nocase; content:"window.location.reload()"; within:35; nocase; content:"</script>"; within:25; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23770; reference:cve,2007-0946; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:attempted-user; sid:37888; rev:1;)
# sid:37881 (disabled). Inbound-SMTP mergeAttributes memory corruption (CVE-2010-0247 /
# CVE-2011-0094, MS10-002 / MS11-018): the pcre requires an identifier to merge attributes
# with itself, "x.mergeAttributes(x);". The pcre has no /i or /s flags and the content has no
# nocase, so the match is case-sensitive and single-line — consistent, but stricter than the
# other rules here. classtype is misc-activity although the msg describes memory corruption;
# sibling rules for the same bulletin family use attempted-user.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_server,established; file_data; content:".mergeAttributes|28|"; fast_pattern:only; pcre:"/(\w+)\x2emergeAttributes\x28\1\x29\x3b/"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:37881; rev:2;)
# sid:38123 (disabled; drop in max-detect-ips and security-ips). Inbound-SMTP CInput
# sliderdata UAF (CVE-2016-0114, MS16-023). Long content chain: showModalDialog
# (fast_pattern:only), .attachEvent + onresize within 50, document.createElement with
# .appendChild and .style.setAttribute each within 100, and an <input ... range> within 50.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CInput sliderdata object use after free attempt"; flow:to_server,established; file_data; content:"showModalDialog"; fast_pattern:only; content:".attachEvent"; nocase; content:"onresize"; within:50; nocase; content:"document.createElement"; nocase; content:".appendChild"; within:100; nocase; content:".style.setAttribute"; within:100; nocase; content:"<input"; nocase; content:"range"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:38123; rev:2;)
# sid:38122 (disabled; drop in max-detect-ips and security-ips). Client-side twin of
# sid:38123 (CVE-2016-0114, MS16-023) over ftp-data/http/imap/pop3, same content chain.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CInput sliderdata object use after free attempt"; flow:to_client,established; file_data; content:"showModalDialog"; fast_pattern:only; content:".attachEvent"; nocase; content:"onresize"; within:50; nocase; content:"document.createElement"; nocase; content:".appendChild"; within:100; nocase; content:".style.setAttribute"; within:100; nocase; content:"<input"; nocase; content:"range"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:38122; rev:2;)
# sid:38118 (enabled; drops in balanced/max-detect/security policies). Inbound-SMTP mshtml
# InsertRange out-of-bounds write (CVE-2016-0103, MS16-023). Content-only: createTextRange,
# insertAdjacentHTML, appendChild within 100, createElement within 50, an addEventListener
# for DOMNodeRemoved (fast_pattern) within 50, then two execCommand calls (within 200 and
# 150 respectively) and "Delete" within 50 of the second. The msg lacks the trailing
# "attempt" most sibling messages carry.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer mshtml InsertRange out of bounds write access"; flow:to_server,established; file_data; content:"createTextRange"; nocase; content:"insertAdjacentHTML"; nocase; content:"appendChild"; within:100; nocase; content:"createElement"; within:50; nocase; content:"addEventListener"; nocase; content:"DOMNodeRemoved"; within:50; fast_pattern; nocase; content:"execCommand"; within:200; nocase; content:"execCommand"; within:150; nocase; content:"Delete"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0103; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:38118; rev:2;)
# sid:38117 (enabled; drops in balanced/max-detect/security policies). Client-side twin of
# sid:38118 (CVE-2016-0103, MS16-023) over ftp-data/http/imap/pop3, same content chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer mshtml InsertRange out of bounds write access"; flow:to_client,established; file_data; content:"createTextRange"; nocase; content:"insertAdjacentHTML"; nocase; content:"appendChild"; within:100; nocase; content:"createElement"; within:50; nocase; content:"addEventListener"; nocase; content:"DOMNodeRemoved"; within:50; fast_pattern; nocase; content:"execCommand"; within:200; nocase; content:"execCommand"; within:150; nocase; content:"Delete"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0103; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:38117; rev:2;)
# sid:38113 (enabled; drops in balanced/max-detect/security policies). Inbound-SMTP addRow
# out-of-bounds read (CVE-2016-0107 and CVE-2016-3242; MS16-023 / MS16-084). Anchors on a
# <body onload ...> handler, .removeNode followed by .insertRow within 35 (fast_pattern), and
# a <table> / <tr> / rowSpan sequence with distance:0 ordering.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer addRow out-of-bounds read attempt"; flow:to_server,established; file_data; content:"<body"; nocase; content:"onload"; within:40; nocase; content:".removeNode"; nocase; content:".insertRow"; within:35; fast_pattern; nocase; content:"<table"; nocase; content:"<tr"; distance:0; nocase; content:"rowSpan"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0107; reference:cve,2016-3242; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-084; classtype:attempted-user; sid:38113; rev:3;)
# sid:38112 (enabled; drops in balanced/max-detect/security policies). Client-side twin of
# sid:38113 (CVE-2016-0107 / CVE-2016-3242) over ftp-data/http/imap/pop3, same content chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer addRow out-of-bounds read attempt"; flow:to_client,established; file_data; content:"<body"; nocase; content:"onload"; within:40; nocase; content:".removeNode"; nocase; content:".insertRow"; within:35; fast_pattern; nocase; content:"<table"; nocase; content:"<tr"; distance:0; nocase; content:"rowSpan"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0107; reference:cve,2016-3242; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-084; classtype:attempted-user; sid:38112; rev:3;)
# sid:38109 (enabled; drops in balanced/max-detect/security policies). Inbound-SMTP
# CGeneratedTreeNode UAF (CVE-2016-0104, ms16-023). "erHTML" / "erText" are suffix fragments
# that cover innerHTML/outerHTML and innerText/outerText; followed by createTextRange within
# 100, then execCommand with insertInputRadio within 50, "text" and "select" nearby, and
# CollectGarbage within 200. The msg lacks the trailing "attempt" used by sibling rules.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use-after-free"; flow:to_server,established; file_data; content:"erHTML"; nocase; content:"erText"; within:200; nocase; content:"createTextRange"; within:100; nocase; content:"execCommand"; nocase; content:"insertInputRadio"; within:50; nocase; content:"text"; within:100; nocase; content:"select"; within:50; nocase; content:"CollectGarbage"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0104; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:38109; rev:2;)
# sid:38108 (enabled; drops in balanced/max-detect/security policies). Client-side twin of
# sid:38109 (CVE-2016-0104, ms16-023) over ftp-data/http/imap/pop3, same content chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use-after-free"; flow:to_client,established; file_data; content:"erHTML"; nocase; content:"erText"; within:200; nocase; content:"createTextRange"; within:100; nocase; content:"execCommand"; nocase; content:"insertInputRadio"; within:50; nocase; content:"text"; within:100; nocase; content:"select"; within:50; nocase; content:"CollectGarbage"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0104; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:38108; rev:2;)
# sid:38107 (disabled; drop in max-detect-ips and security-ips). SMTP variant of the Edge
# LineBoxBuilder out-of-bounds access (CVE-2016-0123, MS16-024): the CSS literal
# "::first-line{background:}" (fast_pattern:only) plus .appendChild followed within 100 by
# document.createTextNode. Review point: the source is $HOME_NET, whereas every other SMTP
# rule in this section uses $EXTERNAL_NET; as written it only covers mail submitted from
# inside the monitored network and misses inbound mail — likely a typo, worth confirming.
# alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge LineBoxBuilder out-of-bound memory access attempt"; flow:to_server,established; file_data; content:"::first-line{background:}"; fast_pattern:only; content:".appendChild"; nocase; content:"document.createTextNode"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-024; classtype:attempted-user; sid:38107; rev:2;)
# sid:38106 (disabled; drop in max-detect-ips and security-ips). Client-side twin of
# sid:38107 (CVE-2016-0123, MS16-024) over ftp-data/http/imap/pop3, same content chain.
# The msg string ends in a trailing space ("...access attempt ") that the SMTP twin does not
# have; it is harmless for matching but breaks exact-msg grouping in alert tooling.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge LineBoxBuilder out-of-bound memory access attempt "; flow:to_client,established; file_data; content:"::first-line{background:}"; fast_pattern:only; content:".appendChild"; nocase; content:"document.createTextNode"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-024; classtype:attempted-user; sid:38106; rev:2;)
# sid:38103 (enabled; drops in balanced/max-detect/security policies). Inbound-SMTP
# CEditEventSink navigate UAF (CVE-2015-6071, MS15-112): onresize (fast_pattern) with
# location.href within 50 and a "#" within 25, plus contenteditable="false" and a .value
# reference. "#" is matched without nocase (irrelevant for a symbol) and ".value" is
# case-insensitive.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt"; flow:to_server,established; file_data; content:"onresize"; fast_pattern; nocase; content:"location.href"; within:50; nocase; content:"#"; within:25; content:"contenteditable"; nocase; content:"false"; within:25; nocase; content:".value"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,77445; reference:cve,2015-6071; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:38103; rev:2;)
# sid:38102 (enabled; drops in balanced/max-detect/security policies). Client-side twin of
# sid:38103 (CVE-2015-6071, MS15-112) over ftp-data/http/imap/pop3, same content chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt"; flow:to_client,established; file_data; content:"onresize"; fast_pattern; nocase; content:"location.href"; within:50; nocase; content:"#"; within:25; content:"contenteditable"; nocase; content:"false"; within:25; nocase; content:".value"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,77445; reference:cve,2015-6071; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:attempted-user; sid:38102; rev:2;)
# sid:38099 (enabled; drops in balanced/max-detect/security policies). Inbound-SMTP
# TableCellLayoutArray UAF (CVE-2016-0109, ms16-023). Anchors on a <meta ... Expires> header
# followed by CSS "break-before: column" (fast_pattern, case-sensitive), column-count, a
# table, and "border-right: solid", all with within: windows. The fast-pattern literal
# includes a single space after the colon, so "break-before:column" does not match.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt"; flow:to_server,established; file_data; content:"meta"; content:"Expires"; within:50; nocase; content:"break-before: column"; within:250; fast_pattern; content:"column-count"; within:250; nocase; content:"table"; within:50; nocase; content:"border-right: solid"; within:250; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0109; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:38099; rev:2;)
# sid:38098 (enabled; drops in balanced/max-detect/security policies). Client-side twin of
# sid:38099 (CVE-2016-0109, ms16-023) over ftp-data/http/imap/pop3, same content chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt"; flow:to_client,established; file_data; content:"meta"; content:"Expires"; within:50; nocase; content:"break-before: column"; within:250; fast_pattern; content:"column-count"; within:250; nocase; content:"table"; within:50; nocase; content:"border-right: solid"; within:250; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0109; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:38098; rev:2;)
# sid:38097 (enabled; drops in balanced/max-detect/security policies). Inbound-SMTP
# out-of-bounds write (CVE-2016-0110, MS16-023): column-count (fast_pattern:only), the
# selector fragment "not(TH)", the -ms-wrap-flow and -ms-inline-grid properties, and two
# createElement calls creating "title" and "FORM". classtype is attempted-admin here while
# the other MS16-023 rules in this section use attempted-user for the same class of browser
# memory-corruption bug; confirm the intended severity.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer out of bound write access attempt"; flow:to_server,established; file_data; content:"column-count"; fast_pattern:only; content:"not(TH)"; nocase; content:"-ms-wrap-flow"; nocase; content:"-ms-inline-grid"; nocase; content:"createElement"; nocase; content:"title"; within:50; nocase; content:"createElement"; nocase; content:"FORM"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-admin; sid:38097; rev:3;)
# sid:38096 (enabled; drops in balanced/max-detect/security policies). Client-side twin of
# sid:38097 (CVE-2016-0110, MS16-023) over ftp-data/http/imap/pop3, same content chain and
# the same attempted-admin classtype that differs from the neighbouring MS16-023 rules.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer out of bound write access attempt"; flow:to_client,established; file_data; content:"column-count"; fast_pattern:only; content:"not(TH)"; nocase; content:"-ms-wrap-flow"; nocase; content:"-ms-inline-grid"; nocase; content:"createElement"; nocase; content:"title"; within:50; nocase; content:"createElement"; nocase; content:"FORM"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-admin; sid:38096; rev:3;)
# sid:38095 (enabled; drops in balanced/max-detect/security policies). Inbound-SMTP CTreePos
# RCE (CVE-2016-0102, ms16-023): MutationObserver (fast_pattern) followed by
# target.parentNode within a wide 1500-byte window, replaceChild within 50 and records.map
# within 500. The 1500-byte window is the largest in this section and makes the rule
# comparatively loose after the fast-pattern hit.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos remote code execution attempt"; flow:to_server,established; file_data; content:"MutationObserver"; fast_pattern; nocase; content:"target.parentNode"; within:1500; nocase; content:"replaceChild"; within:50; nocase; content:"records.map"; within:500; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0102; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:38095; rev:2;)
# sid:38094 (enabled; drops in balanced/max-detect/security policies). Client-side twin of
# sid:38095 (CVE-2016-0102, ms16-023) over ftp-data/http/imap/pop3, same content chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos remote code execution attempt"; flow:to_client,established; file_data; content:"MutationObserver"; fast_pattern; nocase; content:"target.parentNode"; within:1500; nocase; content:"replaceChild"; within:50; nocase; content:"records.map"; within:500; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0102; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:38094; rev:2;)
# sid:38091 (disabled; drop in max-detect-ips and security-ips). Inbound-SMTP CSVGHelpers UAF
# (CVE-2016-0111, ms16-023): <svg with viewBox, a DOMAttrModified listener, then
# implementation.create within 100, adoptNode within 100 and "attributes" within 30. No
# fast_pattern is set explicitly. The client-side twin (sid:38090) uses within:200 for
# implementation.create, so the two rules are not exact mirrors.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt"; flow:to_server,established; file_data; content:"<svg"; nocase; content:"viewBox"; nocase; content:"DOMAttrModified"; nocase; content:"implementation.create"; within:100; nocase; content:"adoptNode"; within:100; nocase; content:"attributes"; within:30; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0111; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:38091; rev:4;)
# sid:38090 (disabled; drop in max-detect-ips and security-ips). Client-side twin of
# sid:38091 (CVE-2016-0111, ms16-023) over ftp-data/http/imap/pop3. Differs from the SMTP
# rule in the implementation.create window (within:200 here vs within:100 there); if the
# asymmetry is intentional it deserves a note, otherwise align the two.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt"; flow:to_client,established; file_data; content:"<svg"; nocase; content:"viewBox"; nocase; content:"DOMAttrModified"; nocase; content:"implementation.create"; within:200; nocase; content:"adoptNode"; within:100; nocase; content:"attributes"; within:30; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0111; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:38090; rev:4;)
# sid:38089 (enabled; drops in balanced/max-detect/security policies). Inbound-SMTP string
# type confusion RCE (CVE-2016-0105, ms16-023): keyed on the fixed GUID literal
# 884e2049-217d-11da-b2a4-000e7bbb2b09 (fast_pattern:only, case-sensitive) plus
# "-ms-writing-mode:" with "tb-lr" within 10. Because the GUID is matched case-sensitively,
# an upper-case rendering of the same GUID would not hit the fast pattern.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer string type confusion remote code execution attempt"; flow:to_server,established; file_data; content:"884e2049-217d-11da-b2a4-000e7bbb2b09"; fast_pattern:only; content:"-ms-writing-mode:"; nocase; content:"tb-lr"; within:10; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0105; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:38089; rev:2;)
# sid:38088 (enabled; drops in balanced/max-detect/security policies). Client-side twin of
# sid:38089 (CVE-2016-0105, ms16-023) over ftp-data/http/imap/pop3; same case-sensitive GUID
# fast pattern and -ms-writing-mode: tb-lr check.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer string type confusion remote code execution attempt"; flow:to_client,established; file_data; content:"884e2049-217d-11da-b2a4-000e7bbb2b09"; fast_pattern:only; content:"-ms-writing-mode:"; nocase; content:"tb-lr"; within:10; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0105; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:38088; rev:2;)
# MS16-023 / CVE-2016-0113 CTravelEntry use-after-free, inbound SMTP copy. Disabled as shipped.
# Fast-pattern-only anchor on the CLSID literal, then ".remove" (nocase) anywhere after it.
# Drops only in max-detect and security IPS policies (not balanced). Twin: sid:38085.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt"; flow:to_server,established; file_data; content:"8856F961-340A-11D0-A96B-00C04FD705A2"; fast_pattern:only; content:".remove"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:38086; rev:3;)
# CVE-2016-0113 CTravelEntry use-after-free, to_client copy (twin of sid:38086, identical chain). Disabled as shipped.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt"; flow:to_client,established; file_data; content:"8856F961-340A-11D0-A96B-00C04FD705A2"; fast_pattern:only; content:".remove"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:38085; rev:3;)
# MS16-023 / CVE-2016-0106 SetItem use-after-free, inbound SMTP copy. Chain (nocase): "addEventListener", then
# "DOMAttrModified" within 25 bytes (fast pattern), "dataset" within 250, "prevValue" within 250.
# Drops in balanced/max-detect/security IPS policies. Twin: sid:38081.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt"; flow:to_server,established; file_data; content:"addEventListener"; nocase; content:"DOMAttrModified"; within:25; fast_pattern; nocase; content:"dataset"; within:250; nocase; content:"prevValue"; within:250; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:38082; rev:3;)
# CVE-2016-0106 SetItem use-after-free, to_client copy (twin of sid:38082, identical chain).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt"; flow:to_client,established; file_data; content:"addEventListener"; nocase; content:"DOMAttrModified"; within:25; fast_pattern; nocase; content:"dataset"; within:250; nocase; content:"prevValue"; within:250; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:38081; rev:3;)
# MS16-027 / CVE-2016-0098 embedded media player use-after-free, inbound SMTP copy. Fast-pattern-only anchor on the
# CLSID literal, then "StatusChange" and "SelectAll" anywhere (nocase) and "Delete" within 50 bytes of "SelectAll".
# Drops in balanced/max-detect/security IPS policies. Twin: sid:38079.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer embedded media player use after free attempt"; flow:to_server,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; fast_pattern:only; content:"StatusChange"; nocase; content:"SelectAll"; nocase; content:"Delete"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-027; classtype:attempted-user; sid:38080; rev:2;)
# CVE-2016-0098 embedded media player use-after-free, to_client copy (twin of sid:38080, identical chain).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer embedded media player use after free attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; fast_pattern:only; content:"StatusChange"; nocase; content:"SelectAll"; nocase; content:"Delete"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-027; classtype:attempted-user; sid:38079; rev:2;)
# MS16-028 / CVE-2016-0117 Edge CPostScriptEvaluator out-of-bounds read in PDF, inbound SMTP copy. Disabled as shipped.
# Gated on the file.pdf flowbit. Chain: "/FunctionType 4", "stream" within 100, at least 500 more bytes present
# (isdataat:500,relative), no "endstream" within those 500 bytes, no "/Filter" key anywhere (presumably so the stream
# is uncompressed and the PCRE can see it), and the PCRE requires 99 whitespace-separated integers after the opening brace.
# Drops in max-detect/security IPS policies. Twin: sid:38077.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge CPostScriptEvaluator out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/FunctionType 4"; nocase; content:"stream"; within:100; nocase; isdataat:500,relative; content:!"endstream"; within:500; nocase; content:!"/Filter"; pcre:"/\x2fFunctionType\s4[^\x7b]*?\x7b[\r\n\s]?(\d+[\s\n]+){99}/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-028; classtype:attempted-user; sid:38078; rev:3;)
# CVE-2016-0117 CPostScriptEvaluator out-of-bounds read, to_client copy (twin of sid:38078, identical chain). Disabled as shipped.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge CPostScriptEvaluator out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/FunctionType 4"; nocase; content:"stream"; within:100; nocase; isdataat:500,relative; content:!"endstream"; within:500; nocase; content:!"/Filter"; pcre:"/\x2fFunctionType\s4[^\x7b]*?\x7b[\r\n\s]?(\d+[\s\n]+){99}/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-028; classtype:attempted-user; sid:38077; rev:3;)
# MS16-028 / CVE-2016-0118 Windows.Data.Pdf.dll CAsyncTpWorker use-after-free, inbound SMTP copy.
# Single 32-byte binary fast-pattern-only match (no further conditions); sid:38075 covers a second byte sequence.
# Drops in balanced/max-detect/security IPS policies. to_client twin: sid:38074.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge CAsyncTpWorker Windows.Data.Pdf.dll object use after free attempt"; flow:to_server,established; file_data; content:"|27 4E 3F 65 D0 75 8C 06 FA 6F A0 FF 06 FA 6F A0 FF 06 FA 6F A0 FF AE 9F 6F D3 CA 8B 31 14 18 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-028; classtype:attempted-user; sid:38076; rev:2;)
# CVE-2016-0118 CAsyncTpWorker use-after-free, inbound SMTP copy, second 32-byte binary fast-pattern-only signature
# (sibling of sid:38076). to_client twin: sid:38073.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge CAsyncTpWorker Windows.Data.Pdf.dll object use after free attempt"; flow:to_server,established; file_data; content:"|04 50 EE 22 C9 3B A0 15 3D 70 18 59 A4 05 00 E3 04 C6 25 30 A0 5B 04 2C C5 46 CD 03 11 04 33 E9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-028; classtype:attempted-user; sid:38075; rev:2;)
# CVE-2016-0118 CAsyncTpWorker use-after-free, to_client copy of sid:38076 (same 32-byte pattern) over ftp-data/http/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge CAsyncTpWorker Windows.Data.Pdf.dll object use after free attempt"; flow:to_client,established; file_data; content:"|27 4E 3F 65 D0 75 8C 06 FA 6F A0 FF 06 FA 6F A0 FF 06 FA 6F A0 FF AE 9F 6F D3 CA 8B 31 14 18 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-028; classtype:attempted-user; sid:38074; rev:2;)
# CVE-2016-0118 CAsyncTpWorker use-after-free, to_client copy of sid:38075 (same 32-byte pattern) over ftp-data/http/imap/pop3.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge CAsyncTpWorker Windows.Data.Pdf.dll object use after free attempt"; flow:to_client,established; file_data; content:"|04 50 EE 22 C9 3B A0 15 3D 70 18 59 A4 05 00 E3 04 C6 25 30 A0 5B 04 2C C5 46 CD 03 11 04 33 E9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-028; classtype:attempted-user; sid:38073; rev:2;)
# MS16-023 / CVE-2016-0108 CTreePos type confusion, inbound SMTP copy, CSS "*::before" (|3A 3A|) variant.
# Fast-pattern-only anchor on the selector, then "close-quote", "url" within 10, "?" within 5, and "position:fixed;"
# anywhere after that (distance:0). All case-sensitive (no nocase). sid:38068 is the single-colon "*:before" variant.
# Drops in balanced/max-detect/security IPS policies. Twin: sid:38069.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt"; flow:to_server,established; file_data; content:"*|3A 3A|before"; fast_pattern:only; content:"close-quote"; content:"url"; within:10; content:"?"; within:5; content:"position|3A|fixed|3B|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:38070; rev:3;)
# CVE-2016-0108 CTreePos type confusion, to_client copy of the "*::before" variant (twin of sid:38070, identical chain).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt"; flow:to_client,established; file_data; content:"*|3A 3A|before"; fast_pattern:only; content:"close-quote"; content:"url"; within:10; content:"?"; within:5; content:"position|3A|fixed|3B|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:38069; rev:3;)
# CVE-2016-0108 CTreePos type confusion, inbound SMTP copy, single-colon "*:before" (|3A|) selector variant.
# Same chain as sid:38070 apart from the anchor. Twin: sid:38067.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt"; flow:to_server,established; file_data; content:"*|3A|before"; fast_pattern:only; content:"close-quote"; content:"url"; within:10; content:"?"; within:5; content:"position|3A|fixed|3B|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:38068; rev:3;)
# CVE-2016-0108 CTreePos type confusion, to_client copy of the "*:before" variant (twin of sid:38068, identical chain).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt"; flow:to_client,established; file_data; content:"*|3A|before"; fast_pattern:only; content:"close-quote"; content:"url"; within:10; content:"?"; within:5; content:"position|3A|fixed|3B|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:38067; rev:3;)
# MS16-023 / CVE-2016-0112 GETDISPID invalid pointer access, inbound SMTP copy. Chain (nocase unless noted):
# "DOMAttrModified", "touchAction" within 150, "textDecorationUnderline" within 150, then "toString" anywhere
# (case-sensitive, no relative modifier). No explicit fast_pattern; the engine picks one. Twin: sid:38065.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer GETDISPID invalid pointer access attempt"; flow:to_server,established; file_data; content:"DOMAttrModified"; nocase; content:"touchAction"; within:150; nocase; content:"textDecorationUnderline"; within:150; nocase; content:"toString"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0112; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:38066; rev:2;)
# CVE-2016-0112 GETDISPID invalid pointer access, to_client copy (twin of sid:38066, identical chain).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer GETDISPID invalid pointer access attempt"; flow:to_client,established; file_data; content:"DOMAttrModified"; nocase; content:"touchAction"; within:150; nocase; content:"textDecorationUnderline"; within:150; nocase; content:"toString"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0112; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:38065; rev:2;)
# MS13-021 / CVE-2013-0087 text transform use-after-free, inbound SMTP copy, "onmove" handler variant. Disabled as shipped.
# Chain (nocase): "contenteditable", "true" within 10, "onmove" anywhere after (distance:0), "javascript:document" within 30.
# Drops only in the security IPS policy. Twin: sid:38277; sid:38276 is the "onresize" variant.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer text transform use after free attempt"; flow:to_server,established; file_data; content:"contenteditable"; nocase; content:"true"; within:10; nocase; content:"onmove"; distance:0; nocase; content:"javascript:document"; within:30; nocase; metadata:policy security-ips drop, service smtp; reference:bugtraq,58341; reference:cve,2013-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:38278; rev:1;)
# CVE-2013-0087 text transform use-after-free, to_client copy of the "onmove" variant (twin of sid:38278, identical chain). Disabled as shipped.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer text transform use after free attempt"; flow:to_client,established; file_data; content:"contenteditable"; nocase; content:"true"; within:10; nocase; content:"onmove"; distance:0; nocase; content:"javascript:document"; within:30; nocase; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58341; reference:cve,2013-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:38277; rev:1;)
# CVE-2013-0087 text transform use-after-free, inbound SMTP copy, "onresize" handler variant (same chain as sid:38278
# with "onresize" in place of "onmove"). Disabled as shipped. Its to_client twin is not in this stretch of the file.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer text transform use after free attempt"; flow:to_server,established; file_data; content:"contenteditable"; nocase; content:"true"; within:10; nocase; content:"onresize"; distance:0; nocase; content:"javascript:document"; within:30; nocase; metadata:policy security-ips drop, service smtp; reference:bugtraq,58341; reference:cve,2013-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:38276; rev:1;)
# MS16-001 / CVE-2016-0002 VBScript engine use-after-free, inbound SMTP copy. Chain: "<script" (nocase), "VBScript"
# within 30 (nocase), "redim" within 50 (nocase), "=new Array(" within 300 (case-sensitive), "toString" within 50 (nocase).
# Drops in balanced/max-detect/security IPS policies. Twin: sid:38308.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt"; flow:to_server,established; file_data; content:"<script"; nocase; content:"VBScript"; within:30; nocase; content:"redim"; within:50; nocase; content:"=new Array("; within:300; content:"toString"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-001; classtype:attempted-user; sid:38309; rev:2;)
# CVE-2016-0002 VBScript engine use-after-free, to_client copy (twin of sid:38309, identical chain).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"VBScript"; within:30; nocase; content:"redim"; within:50; nocase; content:"=new Array("; within:300; content:"toString"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-001; classtype:attempted-user; sid:38308; rev:2;)
# MS13-008 / CVE-2012-4792 deleted button use-after-free, inbound SMTP copy. Disabled as shipped.
# Matches a specific obfuscated-script form: literal fragments of the applyElement/innerHTML property-access chain
# (all case-sensitive, no relative modifiers) plus "button id". Drops only in max-detect IPS policy.
# NOTE(review): the to_client twin sid:38363 matches "button id=" (trailing '=') at rev:1 while this copy is at rev:2
# with "button id" -- the pair has drifted; confirm which form is intended and bump both together.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:".firstChild[(String.fromCharCode(("; content:"|22|applyElement|22|)]("; fast_pattern:only; content:"unescape((|22|innerHTML|22|))]="; content:"(|22|innerHTML|22|)]=|22||22| }"; content:"button id"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-008; classtype:attempted-user; sid:38364; rev:2;)
# CVE-2012-4792 deleted button use-after-free, to_client copy (twin of sid:38364). Disabled as shipped.
# Differs from 38364 in the last content ("button id=" here vs "button id" there) and is one rev behind (rev:1 vs rev:2).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:".firstChild[(String.fromCharCode(("; content:"|22|applyElement|22|)]("; fast_pattern:only; content:"unescape((|22|innerHTML|22|))]="; content:"(|22|innerHTML|22|)]=|22||22| }"; content:"button id="; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-008; classtype:attempted-user; sid:38363; rev:1;)
# MS16-037 / CVE-2016-0154 ConvertStringFromUnicodeEx out-of-bounds write, inbound SMTP copy. Chain (nocase):
# "eval", "document.charset" within 25, "UTF-7" within 15 (fast pattern), then "document.createElement", ".value",
# ".click" anywhere. The PCRE ties the variable assigned from createElement('button') to a later assignment of an
# empty string to its .value via the named backreference (?P=btn). Drops in balanced/max-detect/security IPS policies.
# Twin: sid:38507.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt"; flow:to_server,established; file_data; content:"eval"; nocase; content:"document.charset"; within:25; nocase; content:"UTF-7"; within:15; fast_pattern; nocase; content:"document.createElement"; nocase; content:".value"; nocase; content:".click"; nocase; pcre:"/(?P<btn>\w+)\s*=\s*document\.createElement\x28\s*[\x22\x27]?button.*?(?P=btn)\.value\s*=\s*[\x22\x27]{2}/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0154; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-037; classtype:attempted-user; sid:38508; rev:5;)
# CVE-2016-0154 ConvertStringFromUnicodeEx out-of-bounds write, to_client copy (twin of sid:38508, identical chain and PCRE).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt"; flow:to_client,established; file_data; content:"eval"; nocase; content:"document.charset"; within:25; nocase; content:"UTF-7"; within:15; fast_pattern; nocase; content:"document.createElement"; nocase; content:".value"; nocase; content:".click"; nocase; pcre:"/(?P<btn>\w+)\s*=\s*document\.createElement\x28\s*[\x22\x27]?button.*?(?P=btn)\.value\s*=\s*[\x22\x27]{2}/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0154; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-037; classtype:attempted-user; sid:38507; rev:5;)
# MS16-037 / CVE-2016-0166 CChildIterator media object use-after-free, inbound SMTP copy, insertAdjacentElement variant.
# Chain: ".insertAdjacentElement" (fast pattern, case-sensitive), "afterbegin" within 30, ".createAttribute" within 150,
# ".setAttributeNode" anywhere after (distance:0), "attributes" within 100 (the last four nocase).
# Drops in balanced/max-detect/security IPS policies. Twin: sid:38505; sid:38504 is the designMode variant.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt"; flow:to_server,established; file_data; content:".insertAdjacentElement"; fast_pattern; content:"afterbegin"; within:30; nocase; content:".createAttribute"; within:150; nocase; content:".setAttributeNode"; distance:0; nocase; content:"attributes"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0166; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-037; classtype:attempted-user; sid:38506; rev:2;)
# CVE-2016-0166 CChildIterator use-after-free, to_client copy of the insertAdjacentElement variant (twin of sid:38506, identical chain).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt"; flow:to_client,established; file_data; content:".insertAdjacentElement"; fast_pattern; content:"afterbegin"; within:30; nocase; content:".createAttribute"; within:150; nocase; content:".setAttributeNode"; distance:0; nocase; content:"attributes"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0166; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-037; classtype:attempted-user; sid:38505; rev:2;)
# CVE-2016-0166 CChildIterator use-after-free, inbound SMTP copy, designMode variant. Chain (nocase unless noted):
# "document.designMode" (fast pattern), "on" within 10, "document.body.onload", then a negated content requiring that
# "==" (case-sensitive) does NOT appear within 15 bytes, and "null" within 15 -- i.e. onload being assigned null rather
# than compared to it. Drops in balanced/max-detect/security IPS policies. Twin: sid:38503.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt"; flow:to_server,established; file_data; content:"document.designMode"; fast_pattern; nocase; content:"on"; within:10; nocase; content:"document.body.onload"; nocase; content:!"=="; within:15; content:"null"; within:15; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0166; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-037; classtype:attempted-user; sid:38504; rev:2;)
# CVE-2016-0166 CChildIterator use-after-free, to_client copy of the designMode variant (twin of sid:38504, identical chain).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CChildIterator media object use-after-free attempt"; flow:to_client,established; file_data; content:"document.designMode"; fast_pattern; nocase; content:"on"; within:10; nocase; content:"document.body.onload"; nocase; content:!"=="; within:15; content:"null"; within:15; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0166; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-037; classtype:attempted-user; sid:38503; rev:2;)
# MS16-038 / CVE-2016-0155 Edge TextDataSlice type confusion, SMTP copy. Chain: "insertAdjacentText" (fast-pattern-only,
# case-sensitive), ".styleSheets", "bt-rl", "-ms-text-combine-horizontal" within 120 (the last three nocase).
# Drops in balanced/max-detect/security IPS policies. Twin: sid:38485.
# NOTE(review): the source here is $HOME_NET, whereas every other "-> $SMTP_SERVERS 25" rule in this section uses
# $EXTERNAL_NET. As written this only inspects mail submitted by internal hosts and will not see inbound mail from
# outside; if that is unintended the header should read `alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25`.
alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge TextDataSlice type confusion attempt"; flow:to_server,established; file_data; content:"insertAdjacentText"; fast_pattern:only; content:".styleSheets"; nocase; content:"bt-rl"; nocase; content:"-ms-text-combine-horizontal"; within:120; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0155; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-038; classtype:attempted-user; sid:38486; rev:2;)
# CVE-2016-0155 Edge TextDataSlice type confusion, to_client copy over ftp-data/http/imap/pop3 (twin of sid:38486, identical chain).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge TextDataSlice type confusion attempt"; flow:to_client,established; file_data; content:"insertAdjacentText"; fast_pattern:only; content:".styleSheets"; nocase; content:"bt-rl"; nocase; content:"-ms-text-combine-horizontal"; within:120; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0155; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-038; classtype:attempted-user; sid:38485; rev:2;)
# MS16-038 / CVE-2016-0157 Edge CStyleSheet @keyframes out-of-bounds read, inbound SMTP copy. Chain: "@keyframes"
# (fast-pattern-only), ".styleSheets[", ".cssRules[" within 200, ".cssText" within 200, ".deleteRule" within 200 (nocase).
# Drops in balanced/max-detect/security IPS policies. Twin: sid:38483.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt"; flow:to_server,established; file_data; content:"@keyframes"; fast_pattern:only; content:".styleSheets["; nocase; content:".cssRules["; within:200; nocase; content:".cssText"; within:200; nocase; content:".deleteRule"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-038; classtype:attempted-user; sid:38484; rev:3;)
# CVE-2016-0157 CStyleSheet @keyframes out-of-bounds read, to_client copy (twin of sid:38484, identical chain).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt"; flow:to_client,established; file_data; content:"@keyframes"; fast_pattern:only; content:".styleSheets["; nocase; content:".cssRules["; within:200; nocase; content:".cssText"; within:200; nocase; content:".deleteRule"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0157; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-038; classtype:attempted-user; sid:38483; rev:3;)
# MS16-038 / CVE-2016-0156 Edge remove-range out-of-bounds read, inbound SMTP copy. Chain (nocase): ".push",
# ".appendChild" within 100, ".push" within 100, then ".useMap" and "document.createRange" anywhere,
# "window.getSelection" within 50, ".removeAllRanges" within 100 (fast pattern), ".addRange" within 50.
# Drops in balanced/max-detect/security IPS policies. Twin: sid:38479.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge remove range out of bounds read attempt"; flow:to_server,established; file_data; content:".push"; nocase; content:".appendChild"; within:100; nocase; content:".push"; within:100; nocase; content:".useMap"; nocase; content:"document.createRange"; nocase; content:"window.getSelection"; within:50; nocase; content:".removeAllRanges"; within:100; fast_pattern; nocase; content:".addRange"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0156; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-038; classtype:attempted-user; sid:38480; rev:3;)
# CVE-2016-0156 Edge remove-range out-of-bounds read, to_client copy (twin of sid:38480, identical chain).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge remove range out of bounds read attempt"; flow:to_client,established; file_data; content:".push"; nocase; content:".appendChild"; within:100; nocase; content:".push"; within:100; nocase; content:".useMap"; nocase; content:"document.createRange"; nocase; content:"window.getSelection"; within:50; nocase; content:".removeAllRanges"; within:100; fast_pattern; nocase; content:".addRange"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0156; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-038; classtype:attempted-user; sid:38479; rev:3;)
# MS16-038 / CVE-2016-0161 Edge webnote exit-event CSS arbitrary file read, inbound SMTP copy. Disabled as shipped.
# Chain (case-sensitive): "window.open(" (fast pattern), "javascript:" within 20, "location.protocol" within 500,
# "file:" within 20, "<iframe" within 500. No policy drop metadata, so it only alerts in every IPS policy. Twin: sid:38477.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt"; flow:to_server,established; file_data; content:"window.open("; fast_pattern; content:"javascript:"; within:20; content:"location.protocol"; within:500; content:"file:"; within:20; content:"<iframe"; within:500; metadata:service smtp; reference:cve,2016-0161; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-038; classtype:attempted-user; sid:38478; rev:2;)
# CVE-2016-0161 Edge webnote exit-event file read, to_client copy (twin of sid:38478, identical chain). Disabled as shipped.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt"; flow:to_client,established; file_data; content:"window.open("; fast_pattern; content:"javascript:"; within:20; content:"location.protocol"; within:500; content:"file:"; within:20; content:"<iframe"; within:500; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-0161; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-038; classtype:attempted-user; sid:38477; rev:2;)
# MS16-038 / CVE-2016-0158 Edge iframe cross-site scripting, inbound SMTP copy. Chain, all case-sensitive: "iframe",
# "Proxy(" within 500, ".contentWindow" within 50, ".getPrototypeOf(" within 100, ".constructor.constructor(" within 100,
# "setImmediate(" within 100. No explicit fast_pattern. Drops in balanced/max-detect/security IPS policies. Twin: sid:38473.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge iframe cross-site scripting attempt"; flow:to_server,established; file_data; content:"iframe"; content:"Proxy("; within:500; content:".contentWindow"; within:50; content:".getPrototypeOf("; within:100; content:".constructor.constructor("; within:100; content:"setImmediate("; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-038; classtype:attempted-user; sid:38474; rev:2;)
# CVE-2016-0158 Edge iframe cross-site scripting, to_client copy (twin of sid:38474, identical chain).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge iframe cross-site scripting attempt"; flow:to_client,established; file_data; content:"iframe"; content:"Proxy("; within:500; content:".contentWindow"; within:50; content:".getPrototypeOf("; within:100; content:".constructor.constructor("; within:100; content:"setImmediate("; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-038; classtype:attempted-user; sid:38473; rev:2;)
# MS16-037 / CVE-2016-0159 IE9 frameset use-after-free, inbound SMTP copy. Chain: "frameset" (fast pattern, nocase),
# ".removeNode" within 200 (nocase), ".insertRow" within 200, ".removeChild" within 200 (nocase).
# Drops in balanced/max-detect/security IPS policies. Twin: sid:38467.
# NOTE(review): ".insertRow" carries no nocase here but does in the to_client twin sid:38467, at the same rev:2;
# adding `content:".insertRow"; within:200; nocase;` would bring the pair back in line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 frameset use after free attempt"; flow:to_server,established; file_data; content:"frameset"; fast_pattern; nocase; content:".removeNode"; within:200; nocase; content:".insertRow"; within:200; content:".removeChild"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0159; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-037; classtype:attempted-user; sid:38468; rev:2;)
# CVE-2016-0159 IE9 frameset use-after-free, to_client copy (twin of sid:38468). Same chain, except ".insertRow" is
# matched nocase here while the SMTP copy matches it case-sensitively.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 frameset use after free attempt"; flow:to_client,established; file_data; content:"frameset"; fast_pattern; nocase; content:".removeNode"; within:200; nocase; content:".insertRow"; within:200; nocase; content:".removeChild"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0159; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-037; classtype:attempted-user; sid:38467; rev:2;)
# MS16-037 / CVE-2016-0164 InsertSanitizedTextEx use-after-free, inbound SMTP copy. Chain (nocase): "createElement",
# "addEventListener" within 100, "resize" within 250, "scroll" within 100, "CollectGarbage" within 150, "setTimeout"
# within 250. classtype is attempted-admin here (most neighbours use attempted-user). Drops in balanced/max-detect/
# security IPS policies. Twin: sid:38465.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer InsertSanitizedTextEx use after free attempt"; flow:to_server,established; file_data; content:"createElement"; nocase; content:"addEventListener"; within:100; nocase; content:"resize"; within:250; nocase; content:"scroll"; within:100; nocase; content:"CollectGarbage"; within:150; nocase; content:"setTimeout"; within:250; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-037; classtype:attempted-admin; sid:38466; rev:2;)
# CVE-2016-0164 InsertSanitizedTextEx use-after-free, to_client copy (twin of sid:38466, identical chain and classtype).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer InsertSanitizedTextEx use after free attempt"; flow:to_client,established; file_data; content:"createElement"; nocase; content:"addEventListener"; within:100; nocase; content:"resize"; within:250; nocase; content:"scroll"; within:100; nocase; content:"CollectGarbage"; within:150; nocase; content:"setTimeout"; within:250; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-037; classtype:attempted-admin; sid:38465; rev:2;)
# CVE-2014-0322 onpropertychange use-after-free, inbound SMTP copy. Disabled as shipped. Chain (nocase):
# "this.outerHTML" twice within 100 of each other, ".onpropertychange" within 500, ".createElement" within 100,
# ".appendChild" within 100. Carries only a CVE reference (no bulletin URL, unlike its neighbours).
# Drops in max-detect/security IPS policies. Twin: sid:38669.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer onpropertychange use-after-free attempt"; flow:to_server,established; file_data; content:"this.outerHTML"; nocase; content:"this.outerHTML"; within:100; nocase; content:".onpropertychange"; within:500; nocase; content:".createElement"; within:100; nocase; content:".appendChild"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0322; classtype:attempted-user; sid:38670; rev:2;)
# CVE-2014-0322 onpropertychange use-after-free, to_client copy (twin of sid:38670, identical chain). Disabled as shipped.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer onpropertychange use-after-free attempt"; flow:to_client,established; file_data; content:"this.outerHTML"; nocase; content:"this.outerHTML"; within:100; nocase; content:".onpropertychange"; within:500; nocase; content:".createElement"; within:100; nocase; content:".appendChild"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0322; classtype:attempted-user; sid:38669; rev:2;)
# MS16-051 / CVE-2016-0189 VBScript toString/redim array use-after-free, inbound SMTP copy. Chain (nocase):
# ".toString", "function" within 20, then "<script" anywhere, "vbscript" within 60 (fast pattern), "redim" anywhere.
# Drops in balanced/max-detect/security IPS policies. Twin: sid:38841.
# NOTE(review): `flow:to_server, established;` has a space after the comma, unlike every other rule in this section;
# cosmetic if the flow parser trims tokens (I believe it does), but `flow:to_server,established;` is the house style.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt"; flow:to_server, established; file_data; content:".toString"; nocase; content:"function"; within:20; nocase; content:"<script"; nocase; content:"vbscript"; within:60; fast_pattern; nocase; content:"redim"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0189; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-051; classtype:attempted-user; sid:38842; rev:2;)
# CVE-2016-0189 VBScript toString/redim use-after-free, to_client copy (twin of sid:38842, identical chain).
# Same `flow:to_client, established;` spacing oddity as the SMTP copy.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt"; flow:to_client, established; file_data; content:".toString"; nocase; content:"function"; within:20; nocase; content:"<script"; nocase; content:"vbscript"; within:60; fast_pattern; nocase; content:"redim"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0189; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-051; classtype:attempted-user; sid:38841; rev:2;)
# MS16-051/MS16-053 / CVE-2016-0187 BooleanProtoObj JSONStringifyArray use-after-free, inbound SMTP copy. Chain (nocase):
# "function", "delete" within 100, "JSON.stringify" anywhere after. The PCRE requires the shape
# `var J = ...; var R = function ...; delete J ...; JSON.stringify(J, R)` using named backreferences for J and R.
# Drops in balanced/max-detect/security IPS policies. Twin: sid:38828.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer BooleanProtoObj objects JSONStringifyArray use-after-free attempt"; flow:to_server,established; file_data; content:"function"; nocase; content:"delete"; within:100; nocase; content:"JSON.stringify"; distance:0; nocase; pcre:"/var\s+(?P<json_var>\w+)\s?=\s?[^>]*var\s+(?P<replace>\w+)\s?=\s?function[^>]*delete\s+(?P=json_var)[^>]*JSON\.stringify\((?P=json_var),\s?(?P=replace)\)/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0187; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-051; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-053; classtype:attempted-user; sid:38829; rev:2;)
# CVE-2016-0187 BooleanProtoObj JSONStringifyArray use-after-free, to_client copy (twin of sid:38829, identical chain and PCRE).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer BooleanProtoObj objects JSONStringifyArray use-after-free attempt"; flow:to_client,established; file_data; content:"function"; nocase; content:"delete"; within:100; nocase; content:"JSON.stringify"; distance:0; nocase; pcre:"/var\s+(?P<json_var>\w+)\s?=\s?[^>]*var\s+(?P<replace>\w+)\s?=\s?function[^>]*delete\s+(?P=json_var)[^>]*JSON\.stringify\((?P=json_var),\s?(?P=replace)\)/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0187; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-051; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-053; classtype:attempted-user; sid:38828; rev:2;)
|
|
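# CVE-2016-0193 (MS16-052) Edge Array.prototype.fill out-of-bounds write - SMTP and client
# variants. Requires a typed array whose __proto__ is replaced by a plain Array before .fill is
# called on it.
# Fixed in rev 4: the pcre grouping "(((Uint|Int)(8|16|32))|(Float(32|64))Array)" bound "Array"
# only to the Float alternative, so "new Int32" followed by anything satisfied the integer branch.
# "Array" now applies to both branches. Everything the old pattern caught for real typed-array
# names is still caught; the change only removes the loose integer-branch match.
# NOTE(review): only "var" declarations are matched - "let"/"const" forms evade the pcre.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt"; flow:to_server,established; file_data; content:"Array"; nocase; content:"__proto__"; within:100; fast_pattern; nocase; content:"Array"; within:100; nocase; content:".fill"; within:100; nocase; pcre:"/var\s+(?P<array>\w+)\s*=\s*new\s+((Uint|Int)(8|16|32)|Float(32|64))Array.*?(?P=array)\s*\.\s*__proto__\s*=\s*new\s+Array.*?(?P=array)\s*\.\s*fill/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0193; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-052; classtype:attempted-user; sid:38806; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt"; flow:to_client,established; file_data; content:"Array"; nocase; content:"__proto__"; within:100; fast_pattern; nocase; content:"Array"; within:100; nocase; content:".fill"; within:100; nocase; pcre:"/var\s+(?P<array>\w+)\s*=\s*new\s+((Uint|Int)(8|16|32)|Float(32|64))Array.*?(?P=array)\s*\.\s*__proto__\s*=\s*new\s+Array.*?(?P=array)\s*\.\s*fill/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0193; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-052; classtype:attempted-user; sid:38805; rev:4;)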
|
|
# CVE-2016-0184 (MS16-055) Edge canvas ImageData use-after-free - SMTP and client variants.
# Chains getContext("2d") -> createImageData (fast pattern) -> getImageData -> putImageData, and
# the pcre then requires the second putImageData argument to be a literal of at least 15
# digit/"." characters.
# NOTE(review): a coordinate supplied through a variable or written in exponent form ("1e20") is
# not matched by [\d\x2e]{15}; the rule is keyed to an oversized numeric literal only.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge graphics subcomponent use after free attempt"; flow:to_server,established; file_data; content:".getContext"; nocase; content:"2d"; within:25; nocase; content:".createImageData"; fast_pattern; nocase; content:".getImageData"; within:200; nocase; content:".putImageData"; within:200; nocase; pcre:"/\.putImageData\s*\x28\s*[^,]+,\s*[\d\x2e]{15}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0184; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-055; classtype:attempted-user; sid:38798; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge graphics subcomponent use after free attempt"; flow:to_client,established; file_data; content:".getContext"; nocase; content:"2d"; within:25; nocase; content:".createImageData"; fast_pattern; nocase; content:".getImageData"; within:200; nocase; content:".putImageData"; within:200; nocase; pcre:"/\.putImageData\s*\x28\s*[^,]+,\s*[\d\x2e]{15}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0184; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-055; classtype:attempted-user; sid:38797; rev:2;)
|
|
# CVE-2016-0186 / CVE-2016-0191 (MS16-052) uninitialized pointer via a Proxy with a "has" trap
# over an Array, followed by concat - SMTP and client variants.
# NOTE(review): every token here ("Proxy", "Array", "has", "concat") is a short nocase substring
# and the only anchoring is the within: windows, so this pair is far more loosely bound than its
# neighbours; check hit volume on real traffic before relying on the drop action.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt"; flow:to_server,established; file_data; content:"Proxy"; nocase; content:"Array"; within:50; nocase; content:"has"; within:50; nocase; content:"concat"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0186; reference:cve,2016-0191; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-052; classtype:attempted-user; sid:38777; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt"; flow:to_client,established; file_data; content:"Proxy"; nocase; content:"Array"; within:50; nocase; content:"has"; within:50; nocase; content:"concat"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0186; reference:cve,2016-0191; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-052; classtype:attempted-user; sid:38776; rev:2;)
|
|
# CVE-2016-0169 (MS16-055) EMF integer overflow - SMTP and client variants. Gated on the
# file.emf flowbit, which must be set by a separate file-type rule, so that rule has to be
# enabled for these to fire. Looks for the little-endian dword 0x00000046 at or after offset
# 84, the marker 04 00 00 40 twelve bytes further on, and then a 32-bit little-endian field
# >= 268435454 (0x0FFFFFFE) sixteen bytes after that - the oversized value that drives the
# overflow.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer EMF file integer overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; offset:84; content:"|04 00 00 40|"; within:4; distance:12; byte_test:4,>=,268435454,16,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0169; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-055; classtype:attempted-user; sid:38773; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer EMF file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00|"; offset:84; content:"|04 00 00 40|"; within:4; distance:12; byte_test:4,>=,268435454,16,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0169; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-055; classtype:attempted-user; sid:38772; rev:2;)
|
|
# CVE-2016-0168 (MS16-055) CreateColorSpace - four disabled variants: first dword 0x7A and 0x63
# (these appear to be the EMR_CREATECOLORSPACEW and EMR_CREATECOLORSPACE record types), each for
# SMTP and for file_data clients. All four need the file.emf flowbit, "COSP" 8 bytes after the
# record type, the dword 00 04 00 00, and a "C:\" path 60 bytes further on.
# NOTE(review): detection_filter: track by_dst, count 8, seconds 5 means a single malicious file
# never alerts - only the 8th match to one destination within 5 s does. Also sid 38768 carries
# "policy security-ips alert" while 38769-38771 carry "drop"; probably deliberate tuning, but
# confirm before enabling the set.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt"; flow:to_server,established,only_stream; flowbits:isset,file.emf; file_data; content:"|7A 00 00 00|"; content:"COSP"; within:4; distance:8; content:"|00 04 00 00|"; within:4; content:"C|3A 5C|"; within:3; distance:60; detection_filter:track by_dst, count 8, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0168; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-055; classtype:attempted-user; sid:38771; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt"; flow:to_client,established,only_stream; flowbits:isset,file.emf; file_data; content:"|7A 00 00 00|"; content:"COSP"; within:4; distance:8; content:"|00 04 00 00|"; within:4; content:"C|3A 5C|"; within:3; distance:60; detection_filter:track by_dst, count 8, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0168; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-055; classtype:attempted-user; sid:38770; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt"; flow:to_server,established,only_stream; flowbits:isset,file.emf; file_data; content:"|63 00 00 00|"; content:"COSP"; within:4; distance:8; content:"|00 04 00 00|"; within:4; content:"C|3A 5C|"; within:3; distance:60; detection_filter:track by_dst, count 8, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0168; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-055; classtype:attempted-user; sid:38769; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt"; flow:to_client,established,only_stream; flowbits:isset,file.emf; file_data; content:"|63 00 00 00|"; content:"COSP"; within:4; distance:8; content:"|00 04 00 00|"; within:4; content:"C|3A 5C|"; within:3; distance:60; detection_filter:track by_dst, count 8, seconds 5; metadata:policy max-detect-ips drop, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0168; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-055; classtype:attempted-user; sid:38768; rev:3;)
|
|
# CVE-2016-0192 (MS16-051) mshtml.dll null pointer dereference - SMTP and client variants:
# insertAdjacentText (fast_pattern:only) plus a five-digit font-size injected through
# styleSheets[].insertRule (pcre font-size\s*:\s*\d{5}). ".insertAdjacentText" is matched
# case-sensitively, which is correct for a JavaScript method name.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer mshtml.dll null pointer dereference attempt"; flow:to_server,established; file_data; content:".insertAdjacentText"; fast_pattern:only; content:".styleSheets"; nocase; content:".insertRule"; within:25; nocase; content:"font-size"; within:50; nocase; pcre:"/font-size\s*:\s*\d{5}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0192; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-051; classtype:attempted-user; sid:38764; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer mshtml.dll null pointer dereference attempt"; flow:to_client,established; file_data; content:".insertAdjacentText"; fast_pattern:only; content:".styleSheets"; nocase; content:".insertRule"; within:25; nocase; content:"font-size"; within:50; nocase; pcre:"/font-size\s*:\s*\d{5}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0192; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-051; classtype:attempted-user; sid:38763; rev:2;)
|
|
# CVE-2007-5344 DOM object cache / removeNode(true) memory corruption - two disabled SMTP
# variants (max-detect only). 39156 follows an element from removeNode(true) to a later
# removeNode() and then any further property access; 39155 keys on
# getElementsByTagName(...).removeNode(true).
# NOTE(review): 39156's pcre uses an unbounded greedy ".*" under /s across the whole file_data
# buffer and can backtrack heavily on large scripts - one reason to leave it off by default.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DOM object cache management memory corruption attempt"; flow:to_server,established; file_data; content:".removeNode"; fast_pattern:only; content:"true"; pcre:"/(\w+)\x2EremoveNode\s*\x28\s*true\s*\x29.*\1\x2EremoveNode\s*\x28\s*\x29.*?\1\x2E[^r]/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-5344; classtype:attempted-user; sid:39156; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DOM object cache management memory corruption attempt"; flow:to_server,established; file_data; content:"getElementsByTagName"; nocase; content:"removeNode|28|true|29|"; distance:0; fast_pattern; nocase; pcre:"/\x2EgetElementsByTagName\x28[^\x29]+?\x2EremoveNode\x28true\x29/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26817; reference:cve,2007-5344; classtype:attempted-user; sid:39155; rev:1;)
|
|
# CVE-2010-2556 (MS10-053) - two disabled SMTP rules. 39175 matches any function body that
# assigns location.protocol/href a "mailto", "http" or "file" string, a pattern common in benign
# pages, which explains its off-by-default status. 39174 keys on the literal
# setTimeout('removeiframe()',0) and so only catches that exact PoC text.
# NOTE(review): 39175 is classtype attempted-dos while 39174 (same CVE) is attempted-user;
# confirm which is intended before enabling either.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use-after-free memory corruption attempt"; flow:to_server,established; file_data; content:"<script>"; nocase; content:"function"; distance:0; nocase; content:"()"; within:30; content:"location."; fast_pattern:only; pcre:"/function\s+?\w+\s*?\x28[^\x7b]+?\x7b[^\x7d]*?location\.(protocol|href)\s*?=\s*?[\x22\x27]\s*?(mailto|http|file).*?[\x22\x27]/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42257; reference:cve,2010-2556; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-053; classtype:attempted-dos; sid:39175; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer iframe uninitialized memory corruption attempt"; flow:to_server,established; file_data; content:"setTimeout|28 27|removeiframe|28 29 27 2C|0|29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42257; reference:cve,2010-2556; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-053; classtype:attempted-user; sid:39174; rev:1;)
|
|
# CVE-2016-3210 (MS16-063) typed-array use-after-free via postMessage/setTimeout - disabled
# SMTP and client pair. "setTimeout(" is searched in a 500-byte window that starts 250 bytes
# before the end of the "postMessage(" match (distance:-250), so either call order is accepted.
# The pcre then links the typed array (or the name of its backing buffer) to the array literal
# passed to postMessage.
# NOTE(review): (U?[Ii]nt|Float)(64|32|16|8)Array also accepts non-existent names such as
# Int64Array or Float8Array - harmless for detection, just looser than it reads.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_server,established; file_data; content:"postMessage("; content:"setTimeout("; within:500; distance:-250; content:"array"; nocase; content:"buffer"; within:7; nocase; pcre:"/(?P<arrayName1>\w+)\s*=\s*new\s*(U?[Ii]nt|Float)(64|32|16|8)Array\s*\x28\s*[\x22\x27]?(?P<arrayName2>\w+).*?postMessage\s*\x28.*?,\s*[\x22\x27]?\s*\x5b\s*((?P=arrayName1)|(?P=arrayName2))/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39243; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_client,established; file_data; content:"postMessage("; content:"setTimeout("; within:500; distance:-250; content:"array"; nocase; content:"buffer"; within:7; nocase; pcre:"/(?P<arrayName1>\w+)\s*=\s*new\s*(U?[Ii]nt|Float)(64|32|16|8)Array\s*\x28\s*[\x22\x27]?(?P<arrayName2>\w+).*?postMessage\s*\x28.*?,\s*[\x22\x27]?\s*\x5b\s*((?P=arrayName1)|(?P=arrayName2))/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39242; rev:6;)
|
|
# CVE-2016-3215 (MS16-068) Edge PDF JPEG2000 out-of-bounds read - SMTP and client variants.
# The whole rule is a 32-byte literal (fast_pattern:only) taken from one sample; there is no
# structural check of the JPEG2000 codestream or of the PDF container.
# NOTE(review): only byte-identical copies of that sample are detected; a re-encoded or
# minimally altered file evades it. Unlike sids 39228/39229 there is no file.pdf flowbit gate,
# so the literal is searched in every file_data buffer on the listed services.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge malformed PDF JPEG2000 object out of bounds memory access attempt"; flow:to_server,established; file_data; content:"|49 43 B6 EE 4D 55 0A 05 D7 D1 52 08 99 36 FF AC 1A 75 8F BA 92 4A BA 32 E2 4A 4D 72 56 6D 79 DB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3215; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-068; classtype:attempted-user; sid:39239; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge malformed PDF JPEG2000 object out of bounds memory access attempt"; flow:to_client,established; file_data; content:"|49 43 B6 EE 4D 55 0A 05 D7 D1 52 08 99 36 FF AC 1A 75 8F BA 92 4A BA 32 E2 4A 4D 72 56 6D 79 DB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3215; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-068; classtype:attempted-user; sid:39238; rev:2;)
|
|
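# CVE-2016-3207 (MS16-069) VBScript engine buffer overflow: a VBScript class whose
# Class_Terminate sub allocates ("new") inside the terminator - SMTP and HTTP variants.
# Fixed in rev 3: VBScript identifiers and HTML tag names are case-insensitive (the
# CVE-2016-3205 rules in this set already match "class_terminate" nocase), so "Class_Terminate"
# and "<script" now carry nocase; previously "CLASS_TERMINATE" or "<SCRIPT" evaded both rules.
# The HTTP rule (39236) also gains file_data so it inspects the dechunked/decompressed response
# body like every other to_client rule here, instead of only the raw TCP payload.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer scripting engine buffer overflow attempt"; flow:to_server,established; file_data; content:"<script"; nocase; content:"vbscript"; within:200; nocase; content:"class "; within:500; nocase; content:"Private"; within:200; nocase; content:"sub"; within:15; nocase; content:"Class_Terminate"; within:30; nocase; content:"new"; within:100; nocase; content:"end sub"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3207; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-069; classtype:attempted-user; sid:39237; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer scripting engine buffer overflow attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"vbscript"; within:200; nocase; content:"class "; within:500; nocase; content:"Private"; within:200; nocase; content:"sub"; within:15; nocase; content:"Class_Terminate"; within:30; nocase; content:"new"; within:100; nocase; content:"end sub"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3207; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-069; classtype:attempted-user; sid:39236; rev:3;)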
|
|
# CVE-2016-0199 (MS16-063) tagged-integer type confusion through a "loop" attribute node -
# SMTP and client variants: createAttribute("loop") -> nodeValue -> setAttributeNode ->
# removeAttributeNode (fast_pattern:only). The pcre requires the attribute to be declared with
# var and later read through .nodeValue.
# NOTE(review): "let"/"const" declarations are not matched by the "var\s+" prefix.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer tagged integer type confusion attempt"; flow:to_server,established; file_data; content:".createAttribute"; nocase; content:"loop"; within:25; nocase; content:".nodeValue"; nocase; content:".setAttributeNode"; nocase; content:".removeAttributeNode"; fast_pattern:only; pcre:"/var\s+(?P<attr>\w+)\s*=\s*document\.createAttribute\s*\x28\s*[\x22\x27]loop[\x22\x27].*?(?P=attr)\.nodeValue/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0199; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39235; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer tagged integer type confusion attempt"; flow:to_client,established; file_data; content:".createAttribute"; nocase; content:"loop"; within:25; nocase; content:".nodeValue"; nocase; content:".setAttributeNode"; nocase; content:".removeAttributeNode"; fast_pattern:only; pcre:"/var\s+(?P<attr>\w+)\s*=\s*document\.createAttribute\s*\x28\s*[\x22\x27]loop[\x22\x27].*?(?P=attr)\.nodeValue/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0199; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39234; rev:4;)
|
|
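# CVE-2016-3198 (MS16-068) Edge Content Security Policy bypass via a generator function's
# constructor: function*(){}.constructor(...)().next() - client and SMTP variants.
# Fixed in rev 2 of 39233: added file_data so the client rule searches the normalized file_data
# buffer like its SMTP twin (39232) and every other to_client rule in this set; without it only
# the raw payload was searched and compressed or chunked HTTP responses were missed.
# NOTE(review): the first content is the exact bytes "function*(){}" - any whitespace variation
# ("function* () {}") evades it. 39233 is enabled only in balanced-ips while 39232 is in all
# three policies; left as-is since that is a tuning choice.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Content Security Policy bypass attempt"; flow:to_client,established; file_data; content:"function|2A 28 29 7B 7D|"; content:".constructor"; within:30; content:"().next()"; within:30; metadata:policy balanced-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3198; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-068; classtype:attempted-user; sid:39233; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Content Security Policy bypass attempt"; flow:to_server,established; file_data; content:"function|2A 28 29 7B 7D|"; content:".constructor"; within:30; content:"().next()"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3198; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-068; classtype:attempted-user; sid:39232; rev:2;)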
|
|
# CVE-2016-0200 (MS16-063) CSS link element use-after-free - SMTP and HTTP variants. Follows the
# PoC sequence: a stylesheet whose cssText is set to "@import url(#)" (fast pattern), a created
# element given href "#" and appended to the body, window.location.reload, then cssText assigned
# the empty string (pcre \x2EcssText\s*=\s*[\x22\x27]{2}).
# NOTE(review): the client variant (39230) is HTTP-only ($HTTP_PORTS / service http), so unlike
# most pairs in this set it does not cover imap/pop3/ftp-data delivery.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSS link element use-after-free attempt"; flow:to_server,established; file_data; content:"document.styleSheets"; nocase; content:".cssText"; within:30; nocase; content:"@import url(#)"; within:50; fast_pattern; nocase; content:"document.createElement"; nocase; content:".href"; within:100; nocase; content:"#"; within:20; content:"document.body.appendChild"; nocase; content:"window.location.reload"; nocase; content:"document.styleSheets"; nocase; content:".cssText"; within:20; nocase; pcre:"/\x2EcssText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0200; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39231; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS link element use-after-free attempt"; flow:to_client,established; file_data; content:"document.styleSheets"; nocase; content:".cssText"; within:30; nocase; content:"@import url(#)"; within:50; fast_pattern; nocase; content:"document.createElement"; nocase; content:".href"; within:100; nocase; content:"#"; within:20; content:"document.body.appendChild"; nocase; content:"window.location.reload"; nocase; content:"document.styleSheets"; nocase; content:".cssText"; within:20; nocase; pcre:"/\x2EcssText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0200; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39230; rev:2;)
|
|
# CVE-2016-3201 (MS16-068) Edge PDF colour-space out-of-bounds read - disabled SMTP and client
# pair with no policy metadata. A 32-byte literal from a single sample, gated on the file.pdf
# flowbit (which a separate file-type rule must set).
# NOTE(review): single-sample signature - byte-identical copies only. classtype is
# attempted-recon rather than the attempted-user used by the other OOB rules in this set;
# confirm before enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge PDF Color Space out-of-bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|91 72 89 44 01 59 62 FC 08 3D FB 1C 9E D3 FF FE E7 4F BA D2 F5 BF 3F FD 27 ED 75 8D 9F 92 F3 F5|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-3201; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-068; classtype:attempted-recon; sid:39229; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge PDF Color Space out-of-bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|91 72 89 44 01 59 62 FC 08 3D FB 1C 9E D3 FF FE E7 4F BA D2 F5 BF 3F FD 27 ED 75 8D 9F 92 F3 F5|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3201; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-068; classtype:attempted-recon; sid:39228; rev:1;)
|
|
# CVE-2016-3222 (MS16-068) edgehtml.dll uninitialized pointer: "document" followed within 25 bytes
# by ".isEqualNode", plus a videoTracks (39220) or audioTracks (39219) reference anywhere in the
# file_data buffer. Both are HTTP-only ($HTTP_PORTS / service http); the two rules differ only in
# that last token.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt"; flow:to_client,established; file_data; content:"document"; content:".isEqualNode"; within:25; content:"videoTracks"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3222; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-068; classtype:attempted-user; sid:39220; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt"; flow:to_client,established; file_data; content:"document"; content:".isEqualNode"; within:25; content:"audioTracks"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3222; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-068; classtype:attempted-user; sid:39219; rev:3;)
|
|
# CVE-2016-3206 (MS16-069) VBScript out-of-bounds access - SMTP and client variants: vbscript +
# class + redim, then Class_Initialize and Class_Terminate subs (the latter is the fast pattern)
# followed by Join. All VBScript keywords are matched nocase, as the language's case-insensitive
# identifiers require.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript out of bounds memory access remote code execution attempt"; flow:to_server,established; file_data; content:"vbscript"; nocase; content:"class"; distance:0; nocase; content:"redim"; distance:0; nocase; content:"Private Sub Class_Initialize"; nocase; content:"Private Sub Class_Terminate"; fast_pattern; nocase; content:"Join"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-069; classtype:attempted-user; sid:39212; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript out of bounds memory access remote code execution attempt"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"class"; distance:0; nocase; content:"redim"; distance:0; nocase; content:"Private Sub Class_Initialize"; nocase; content:"Private Sub Class_Terminate"; fast_pattern; nocase; content:"Join"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-069; classtype:attempted-user; sid:39211; rev:2;)
|
|
# CVE-2016-3211 (MS16-063) drag-and-drop API RCE - SMTP and client variants. Gated on the
# file.exe flowbit and keyed to a 32-byte x86 code sequence that starts with
# "call dword ptr [0x100131B8]" - an absolute import address and fixed stack offsets from one
# compiled sample.
# NOTE(review): any rebuild of the PoC (different image base, compiler or stack layout) evades
# this literal; treat it as a sample-specific signature rather than coverage of the CVE.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer drag and drop API remote code execution attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|FF 15 B8 31 01 10 85 C0 78 47 8B 4D F8 85 C9 74 6C 8D 55 F4 C7 45 F4 00 00 00 00 8B 01 52 68 28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3211; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39208; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer drag and drop API remote code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FF 15 B8 31 01 10 85 C0 78 47 8B 4D F8 85 C9 74 6C 8D 55 F4 C7 45 F4 00 00 00 00 8B 01 52 68 28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3211; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39207; rev:2;)
|
|
# CVE-2016-3203 (MS16-068) Edge PDF reader out-of-bounds read in the encryption dictionary:
# /AuthEvent/DocOpen/CFM/AESVx followed within 10 bytes by "/Length ", and the pcre then requires
# a /Length of 5+ digits, ">>>>" and a second, 3-digit /Length.
# NOTE(review): the client rule (39205) is gated on flowbits:isset,file.pdf but the SMTP rule
# (39206) is not, so the SMTP variant runs its content match on every file_data buffer. Left
# as-is because the /AuthEvent... literal is PDF-specific anyway; confirm the omission is
# intentional.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge PDF reader out of bounds memory access attempt"; flow:to_server,established; file_data; content:"/AuthEvent/DocOpen/CFM/AES"; content:"/Length "; within:10; pcre:"/\/AuthEvent\/DocOpen\/CFM\/AES\w+\/Length\s\d{5,}[>]{4}(\/\w+){2}\/Length\s\d{3}/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3203; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-068; classtype:attempted-user; sid:39206; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge PDF reader out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/AuthEvent/DocOpen/CFM/AES"; content:"/Length "; within:10; pcre:"/\/AuthEvent\/DocOpen\/CFM\/AES\w+\/Length\s\d{5,}[>]{4}(\/\w+){2}\/Length\s\d{3}/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3203; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-068; classtype:attempted-user; sid:39205; rev:2;)
|
|
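# CVE-2016-3205 VBScript CSession close use-after-free - SMTP and client variants: a vbscript
# class with a Class_Terminate sub that calls Execute and then ReDim within 20 bytes. No
# Microsoft bulletin URL is referenced for this CVE.
# Fixed in rev 3: "<script" now matches nocase - HTML tag names are case-insensitive and every
# other token in these rules already is, so "<SCRIPT language=vbscript>" evaded both rules.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer vbscript csession close use after free attempt"; flow:to_server,established; file_data; content:"<script"; nocase; content:"vbscript"; within:200; nocase; content:"class "; within:500; nocase; content:"private sub class_terminate"; within:200; nocase; content:"execute"; within:500; nocase; content:"redim"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3205; classtype:attempted-user; sid:39202; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer vbscript csession close use after free attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"vbscript"; within:200; nocase; content:"class "; within:500; nocase; content:"private sub class_terminate"; within:200; nocase; content:"execute"; within:500; nocase; content:"redim"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3205; classtype:attempted-user; sid:39201; rev:3;)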
|
|
# CVE-2016-3199 (MS16-068) Edge Symbol.species class confusion - SMTP and client variants: a
# class extending Uint32Array, a Symbol.species override (fast_pattern:only) and a .map callback.
# NOTE(review): only "extends Uint32Array" is matched; a subclass of any other typed array is not,
# so if the bug is reachable through other base classes this pair will not see it.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge class object confusion attempt"; flow:to_server,established; file_data; content:"Symbol.species"; fast_pattern:only; content:"extends Uint32Array"; nocase; content:".map"; nocase; content:"function"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3199; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-068; classtype:attempted-user; sid:39200; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge class object confusion attempt"; flow:to_client,established; file_data; content:"Symbol.species"; fast_pattern:only; content:"extends Uint32Array"; nocase; content:".map"; nocase; content:"function"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3199; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-068; classtype:attempted-user; sid:39199; rev:2;)
|
|
# CVE-2016-3261 (MS16-084) textTransform out-of-bounds read - SMTP and client variants:
# .style.textTransform (fast pattern) followed by cloneNode, appendChild and document.all within
# tight windows. The case-sensitive matches are appropriate for these JavaScript names.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer textTransform out-of-bounds memory access attempt"; flow:to_server,established; file_data; content:".style"; content:"textTransform"; within:20; fast_pattern; content:"cloneNode"; within:100; content:"appendChild"; within:75; content:"document.all"; within:300; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3261; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-084; classtype:attempted-user; sid:39515; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer textTransform out-of-bounds memory access attempt"; flow:to_client,established; file_data; content:".style"; content:"textTransform"; within:20; fast_pattern; content:"cloneNode"; within:100; content:"appendChild"; within:75; content:"document.all"; within:300; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3261; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-084; classtype:attempted-user; sid:39514; rev:2;)
|
|
# CVE-2016-3241 (MS16-084) - disabled SMTP and client pair that flags a <meta ... content='IE=7'>
# compatibility-mode tag. This is a legitimate, widely used tag, so enabling these will produce
# many hits on benign pages.
# NOTE(review): only the single-quoted form 'IE=7' is matched; content="IE=7" (double quotes) or
# IE=EmulateIE7 are not.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer IE7 compatibility mode attempt"; flow:to_server,established; file_data; content:"meta"; nocase; content:"content"; within:20; nocase; content:"|27|IE=7|27|"; within:20; fast_pattern; metadata:service smtp; reference:cve,2016-3241; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-084; classtype:attempted-user; sid:39513; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer IE7 compatibility mode attempt"; flow:to_client,established; file_data; content:"meta"; nocase; content:"content"; within:20; nocase; content:"|27|IE=7|27|"; within:20; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3241; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-084; classtype:attempted-user; sid:39512; rev:2;)
|
|
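# CVE-2016-3274 (MS16-084) Edge window.opener protection bypass - disabled SMTP and client pair
# (max-detect / security-ips only): window.opener...appendChild(...createElement(... followed by
# window.location.replace.
# Fixed in rev 3 of 39511: the source network was $HOME_NET, unlike every other SMTP rule in this
# set, which uses $EXTERNAL_NET; with $HOME_NET the rule would only have inspected mail
# originating inside the monitored network, the opposite of the threat this pair targets.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge bypassing window.opener protection attempt"; flow:to_server,established; file_data; content:"window.opener"; nocase; content:".appendChild("; within:30; nocase; content:".createElement("; within:60; nocase; content:"window.location.replace"; within:200; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3274; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-084; classtype:attempted-user; sid:39511; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge bypassing window.opener protection attempt"; flow:to_client,established; file_data; content:"window.opener"; nocase; content:".appendChild("; within:30; nocase; content:".createElement("; within:60; nocase; content:"window.location.replace"; within:200; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3274; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-084; classtype:attempted-user; sid:39510; rev:2;)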
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge ArrayBuffer.transfer information disclosure attempt"; flow:to_server,established; file_data; content:"ArrayBuffer"; nocase; content:"ArrayBuffer.transfer"; within:250; nocase; content:".toString"; within:250; nocase; pcre:"/(?P<var>\w+)\s*=\s*new\s*(U?Int|Float)(8|16|32)Array\s*\x28.*?(?P=var)\x5b\w+\x5d\.toString/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3271; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-085; classtype:attempted-recon; sid:39507; rev:2;)
# sid 39506: client-side counterpart of sid 39507 for CVE-2016-3271 / MS16-085 (same contents and pcre; see that
# rule for the back-reference logic and the cost note on the lazy .*? under /s).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge ArrayBuffer.transfer information disclosure attempt"; flow:to_client,established; file_data; content:"ArrayBuffer"; nocase; content:"ArrayBuffer.transfer"; within:250; nocase; content:".toString"; within:250; nocase; pcre:"/(?P<var>\w+)\s*=\s*new\s*(U?Int|Float)(8|16|32)Array\s*\x28.*?(?P=var)\x5b\w+\x5d\.toString/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3271; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-085; classtype:attempted-recon; sid:39506; rev:2;)
# sid 39505: CVE-2016-3244 / MS16-085. The fast pattern "charset=UTF-16" is matched in the http_header buffer, so in
# practice only HTTP responses can trigger this rule even though the metadata also lists ftp-data, imap and pop3;
# there is no SMTP counterpart in this section. The file_data matches are case-sensitive (no nocase).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Edge text node table-cell use after free attempt"; flow:to_client,established; content:"charset=UTF-16"; fast_pattern:only; http_header; file_data; content:".createTextNode("; content:".splitText("; within:100; content:".style.display"; within:100; content:"table-cell"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3244; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-085; classtype:attempted-user; sid:39505; rev:2;)
# sid 39500: inbound-SMTP variant for CVE-2016-3243 / MS16-084. Ordered, case-insensitive chain of DOM property
# references (.onpropertychange -> .onresize -> .selectAllChildren -> .selectionStart -> .size -> .value) each within a
# bounded distance of the previous one. No explicit fast_pattern, so the engine picks the prefilter content itself.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer mshtml.dll invalid resize use after free attempt"; flow:to_server,established; file_data; content:".onpropertychange"; nocase; content:".onresize"; within:300; nocase; content:".selectAllChildren"; within:100; nocase; content:".selectionStart"; within:300; nocase; content:".size"; within:300; nocase; content:".value"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3243; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-084; classtype:attempted-user; sid:39500; rev:2;)
# sid 39499: client-side counterpart of sid 39500 for CVE-2016-3243 / MS16-084; identical ordered property chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer mshtml.dll invalid resize use after free attempt"; flow:to_client,established; file_data; content:".onpropertychange"; nocase; content:".onresize"; within:300; nocase; content:".selectAllChildren"; within:100; nocase; content:".selectionStart"; within:300; nocase; content:".size"; within:300; nocase; content:".value"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3243; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-084; classtype:attempted-user; sid:39499; rev:2;)
# sid 39498 (commented out, not loaded): inbound-SMTP variant for CVE-2016-3276 / MS16-084. Fires on an <h1> that is
# followed by at least 100 bytes containing no "h1" but containing a "<" and ">" pair, i.e. an H1 whose closing tag is
# more than 100 bytes away. That condition is broad enough to match ordinary markup, which is consistent with the rule
# being disabled. Metadata lists service ftp-data on a port-25 rule, which looks like a copy from the client variant.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer header tag HTML injection remote code execution attempt"; flow:to_server,established; file_data; content:"<h1>"; nocase; isdataat:100,relative; content:!"h1"; within:100; nocase; content:"<"; within:50; nocase; content:">"; within:50; nocase; metadata:service ftp-data, service smtp; reference:cve,2016-3276; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-084; classtype:attempted-user; sid:39498; rev:4;)
# sid 39497 (commented out, not loaded): client-side counterpart of sid 39498 for CVE-2016-3276 / MS16-084; same
# "<h1> with no h1 in the next 100 bytes" heuristic, which is prone to matching benign pages.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer header tag HTML injection remote code execution attempt"; flow:to_client,established; file_data; content:"<h1>"; nocase; isdataat:100,relative; content:!"h1"; within:100; nocase; content:"<"; within:50; nocase; content:">"; within:50; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3276; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-084; classtype:attempted-user; sid:39497; rev:3;)
# sid 39494: inbound-SMTP variant for CVE-2016-3246 / MS16-085. Prefilters on "revealTrans(" (fast_pattern:only);
# the remaining contents carry no distance/within, so they may appear anywhere in file_data and in any order.
# Metadata lists service ftp-data on a port-25 rule, which looks copied from the client variant.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge edgehtml negative length out of bound memory copy attempt"; flow:to_server,established; file_data; content:"revealTrans("; fast_pattern:only; content:"innerText"; nocase; content:"setAttributeNode("; nocase; content:"setAttribute("; nocase; content:"dataset["; nocase; content:"columnCount"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2016-3246; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-085; classtype:attempted-user; sid:39494; rev:2;)
# sid 39493: client-side counterpart of sid 39494 for CVE-2016-3246 / MS16-085; same unordered content set behind
# the "revealTrans(" fast pattern.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge edgehtml negative length out of bound memory copy attempt"; flow:to_client,established; file_data; content:"revealTrans("; fast_pattern:only; content:"innerText"; nocase; content:"setAttributeNode("; nocase; content:"setAttribute("; nocase; content:"dataset["; nocase; content:"columnCount"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3246; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-085; classtype:attempted-user; sid:39493; rev:2;)
# sid 39492: inbound-SMTP variant for CVE-2016-3240 / MS16-084. Unordered matches on two DXImageTransform filter
# names plus .removeNode; the RevealTrans filter name is the fast pattern.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Dxtrans table element use after free attempt"; flow:to_server,established; file_data; content:"DXImageTransform.Microsoft.Blur"; nocase; content:".removeNode"; nocase; content:"DXImageTransform.Microsoft.RevealTrans"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-084; classtype:attempted-user; sid:39492; rev:2;)
# sid 39491: client-side counterpart of sid 39492 for CVE-2016-3240 / MS16-084; same filter-name content set.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Dxtrans table element use after free attempt"; flow:to_client,established; file_data; content:"DXImageTransform.Microsoft.Blur"; nocase; content:".removeNode"; nocase; content:"DXImageTransform.Microsoft.RevealTrans"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-084; classtype:attempted-user; sid:39491; rev:2;)
# sid 39487: inbound-SMTP variant for CVE-2016-3259 / MS16-084. Strict ordered chain, each match within 40 bytes of
# the previous one and all case-sensitive (no nocase): new RegExp() -> new Array( -> .unshift( -> __defineGetter__( ->
# .unshift( -> .sort() -> .indexOf().
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge chakra.dll invalid pointer access attempt"; flow:to_server,established; file_data; content:"new RegExp()"; content:"new Array("; within:40; content:".unshift("; within:40; content:"__defineGetter__("; within:40; content:".unshift("; within:40; content:".sort()"; within:40; content:".indexOf()"; within:40; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3259; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-084; classtype:attempted-user; sid:39487; rev:2;)
# sid 39486: client-side counterpart of sid 39487 for CVE-2016-3259 / MS16-084. Unlike the neighbouring client rules
# this one is scoped to $HTTP_PORTS / service http only, so the same content delivered over ftp-data, imap or pop3
# is not covered; worth confirming that is intentional.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge chakra.dll invalid pointer access attempt"; flow:to_client,established; file_data; content:"new RegExp()"; content:"new Array("; within:40; content:".unshift("; within:40; content:"__defineGetter__("; within:40; content:".unshift("; within:40; content:".sort()"; within:40; content:".indexOf()"; within:40; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3259; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-084; classtype:attempted-user; sid:39486; rev:2;)
# sid 39485 (commented out, not loaded): inbound-SMTP variant for CVE-2016-3277 / MS16-084. The fast pattern
# "charset=UTF-8" is placed in the http_header buffer, which is an HTTP-only buffer; on port-25 / service smtp traffic
# it would not be populated, so this rule is unlikely to ever match as written. It also differs from its client
# counterpart (sid 39484), which looks for UTF-16. Both points should be resolved before re-enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge DWrite.dll out of bounds read attempt"; flow:to_server,established; content:"charset=UTF-8"; fast_pattern:only; http_header; file_data; content:"getContext"; nocase; content:"2d"; within:6; nocase; content:"strokeText"; nocase; content:"|28|"; distance:0; isdataat:100,relative; content:!"|29|"; within:100; metadata:service smtp; reference:cve,2016-3277; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-084; classtype:attempted-recon; sid:39485; rev:2;)
# sid 39484 (commented out, not loaded): client-side variant for CVE-2016-3277 / MS16-084. Requires "charset=UTF-16"
# in the HTTP header (so only HTTP responses can match despite the ftp-data/imap/pop3 metadata), then a canvas
# getContext("2d") + strokeText( call whose argument list has no ")" within the next 100 bytes.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge DWrite.dll out of bounds read attempt"; flow:to_client,established; content:"charset=UTF-16"; fast_pattern:only; http_header; file_data; content:"getContext"; nocase; content:"2d"; within:6; nocase; content:"strokeText"; nocase; content:"|28|"; distance:0; isdataat:100,relative; content:!"|29|"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3277; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-084; classtype:attempted-recon; sid:39484; rev:2;)
# sid 39531: inbound-SMTP variant for CVE-2016-3264 / MS16-084. Looks for a function that calls
# geolocation.getCurrentPosition( with a nested function as callback ("function" within 30 bytes) followed by
# location.replace within 200 bytes.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge clientInformation.geolocation.getCurrentPosition use-after-free attempt"; flow:to_server,established; file_data; content:"function"; nocase; content:"geolocation.getCurrentPosition("; distance:0; nocase; content:"function"; within:30; nocase; content:"location.replace"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-084; classtype:attempted-user; sid:39531; rev:2;)
# sid 39530: client-side counterpart of sid 39531 for CVE-2016-3264 / MS16-084; same getCurrentPosition callback +
# location.replace sequence.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge clientInformation.geolocation.getCurrentPosition use-after-free attempt"; flow:to_client,established; file_data; content:"function"; nocase; content:"geolocation.getCurrentPosition("; distance:0; nocase; content:"function"; within:30; nocase; content:"location.replace"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-084; classtype:attempted-user; sid:39530; rev:2;)
# sid 39681: inbound-SMTP variant for CVE-2016-0189 / MS16-051. Matches a valueOf/function pairing plus a
# <script ... vbscript block (vbscript is the fast pattern) and a redim statement; the last two contents are not
# anchored to each other. Note the "flow:to_server, established" option contains a space after the comma, unlike
# every other rule in this section; it appears to be accepted but should be normalised for consistency.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt"; flow:to_server, established; file_data; content:"valueOf"; nocase; content:"function"; within:20; nocase; content:"<script"; nocase; content:"vbscript"; within:60; fast_pattern; nocase; content:"redim"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0189; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-051; classtype:attempted-user; sid:39681; rev:2;)
# sid 39680: client-side counterpart of sid 39681 for CVE-2016-0189 / MS16-051. Same content set; same
# "flow:to_client, established" spacing oddity as its SMTP partner.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt"; flow:to_client, established; file_data; content:"valueOf"; nocase; content:"function"; within:20; nocase; content:"<script"; nocase; content:"vbscript"; within:60; fast_pattern; nocase; content:"redim"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0189; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-051; classtype:attempted-user; sid:39680; rev:2;)
# sid 39764: inbound-SMTP variant for CVE-2013-3163 / MS13-055. The fast pattern "<t:ANIMATECOLOR" has no nocase,
# so it is matched case-sensitively; the getElement/.outerText/getElement chain that follows is case-insensitive.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"<t:ANIMATECOLOR"; fast_pattern:only; content:"document.getElement"; nocase; content:".outerText"; within:50; nocase; content:"document.getElement"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:39764; rev:2;)
# sid 39763: client-side counterpart of sid 39764 for CVE-2013-3163 / MS13-055; same case-sensitive
# "<t:ANIMATECOLOR" fast pattern.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"<t:ANIMATECOLOR"; fast_pattern:only; content:"document.getElement"; nocase; content:".outerText"; within:50; nocase; content:"document.getElement"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:39763; rev:2;)
# sid 39751 (commented out, not loaded): inbound-SMTP variant for CVE-2012-1878 / MS12-037, keyed on the
# .split("").reverse().join("") idiom as fast pattern, followed by an ordered getElementById / attachEvent /
# fireEvent / fireEvent / srcElement chain (distance:0, unbounded). Drop policy only in max-detect-ips.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNode use after free attempt"; flow:to_server,established; file_data; content:".split(|22 22|).reverse().join(|22 22|)"; fast_pattern:only; content:"document.getElementById"; nocase; content:".attachEvent"; distance:0; nocase; content:".fireEvent"; distance:0; nocase; content:".fireEvent"; distance:0; nocase; content:".srcElement"; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-1878; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:39751; rev:1;)
# sid 39750 (commented out, not loaded): second inbound-SMTP variant for CVE-2012-1878 / MS12-037, keyed on
# srcElement.parentNode.removeChild as fast pattern with bounded getElementById / attachEvent / getElementById /
# fireEvent / fireEvent windows.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNode use after free attempt"; flow:to_server,established; file_data; content:"srcElement.parentNode.removeChild"; fast_pattern:only; content:"getElementById"; nocase; content:"attachEvent"; within:100; nocase; content:"getElementById"; within:200; nocase; content:"fireEvent"; within:150; nocase; content:"fireEvent"; within:150; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-1878; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:39750; rev:1;)
# sid 39749 (commented out, not loaded): client-side counterpart of sid 39751 for CVE-2012-1878 / MS12-037
# (.split("").reverse().join("") fast pattern).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNode use after free attempt"; flow:to_client,established; file_data; content:".split(|22 22|).reverse().join(|22 22|)"; fast_pattern:only; content:"document.getElementById"; nocase; content:".attachEvent"; distance:0; nocase; content:".fireEvent"; distance:0; nocase; content:".fireEvent"; distance:0; nocase; content:".srcElement"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1878; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:39749; rev:1;)
# sid 39748 (commented out, not loaded): client-side counterpart of sid 39750 for CVE-2012-1878 / MS12-037
# (srcElement.parentNode.removeChild fast pattern).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNode use after free attempt"; flow:to_client,established; file_data; content:"srcElement.parentNode.removeChild"; fast_pattern:only; content:"getElementById"; nocase; content:"attachEvent"; within:100; nocase; content:"getElementById"; within:200; nocase; content:"fireEvent"; within:150; nocase; content:"fireEvent"; within:150; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1878; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:39748; rev:1;)
# sid 39840: inbound-SMTP variant for CVE-2016-3290 / MS16-095. Ordered chain over styleSheets[ ->
# ms-text-combine-horizontal -> digits -> ms-block-progression -> insertAdjacentText. Every content here is
# case-sensitive (no nocase); since CSS property names are not case-sensitive in the browser, adding nocase to the
# property-name contents would make the rule less brittle.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt"; flow:to_server,established; file_data; content:"styleSheets["; content:"ms-text-combine-horizontal"; within:150; content:"digits"; within:15; content:"ms-block-progression"; within:150; content:"insertAdjacentText"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3290; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-095; classtype:attempted-user; sid:39840; rev:2;)
# sid 39839: client-side counterpart of sid 39840 for CVE-2016-3290 / MS16-095; same case-sensitive chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt"; flow:to_client,established; file_data; content:"styleSheets["; content:"ms-text-combine-horizontal"; within:150; content:"digits"; within:15; content:"ms-block-progression"; within:150; content:"insertAdjacentText"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3290; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-095; classtype:attempted-user; sid:39839; rev:2;)
# sid 39834: inbound-SMTP variant for CVE-2016-3289 (MS16-095 / MS16-096). Only the final pair is anchored:
# execCommand followed by InsertSelectDropdown within 50 bytes (the fast pattern); the other four handler/method
# names may occur anywhere in file_data.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer InsertSelectDropdown use after free attempt"; flow:to_server,established; file_data; content:".insertAdjacentElement"; nocase; content:".onactivate"; nocase; content:".onresize"; nocase; content:".selectAllChildren"; nocase; content:"execCommand"; nocase; content:"InsertSelectDropdown"; within:50; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3289; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-095; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-096; classtype:attempted-user; sid:39834; rev:2;)
# sid 39833: client-side counterpart of sid 39834 for CVE-2016-3289 (MS16-095 / MS16-096); same content set.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer InsertSelectDropdown use after free attempt"; flow:to_client,established; file_data; content:".insertAdjacentElement"; nocase; content:".onactivate"; nocase; content:".onresize"; nocase; content:".selectAllChildren"; nocase; content:"execCommand"; nocase; content:"InsertSelectDropdown"; within:50; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3289; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-095; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-096; classtype:attempted-user; sid:39833; rev:2;)
# sid 39829: inbound-SMTP variant for CVE-2016-3322 / MS16-095. Ordered, case-sensitive chain: addEventListener(
# with a DOMCharacterDataModified listener (fast pattern), createElement("figure"), createElement("INPUT"), then
# .insertAdjacentElement("afterBegin"). Because nothing is nocase, differently cased tag names will not match.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer mshtml.dll cached object use after free attempt"; flow:to_server,established; file_data; content:"addEventListener("; content:"DOMCharacterDataModified"; within:50; fast_pattern; content:"createElement("; within:200; content:"figure"; within:10; content:"createElement("; within:200; content:"INPUT"; within:10; content:".insertAdjacentElement("; within:200; content:"afterBegin"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3322; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-095; classtype:attempted-user; sid:39829; rev:2;)
# sid 39828: client-side counterpart of sid 39829 for CVE-2016-3322 / MS16-095; same case-sensitive chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer mshtml.dll cached object use after free attempt"; flow:to_client,established; file_data; content:"addEventListener("; content:"DOMCharacterDataModified"; within:50; fast_pattern; content:"createElement("; within:200; content:"figure"; within:10; content:"createElement("; within:200; content:"INPUT"; within:10; content:".insertAdjacentElement("; within:200; content:"afterBegin"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3322; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-095; classtype:attempted-user; sid:39828; rev:2;)
# sid 39827: inbound-SMTP variant for CVE-2016-3326 / MS16-095. Requires a window.location.href assignment that
# reads window.location.href back, then a long run of consecutive "<script ... src" tags, each within 100 bytes of
# the previous src. Pages that legitimately load many external scripts back-to-back right after such an assignment
# could match; the long repeated content list is the rule's way of expressing a minimum count, since content options
# have no repetition modifier.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt"; flow:to_server,established; file_data; content:"window.location.href"; nocase; content:"="; within:10; content:"window.location.href"; within:40; nocase; content:"<script"; distance:0; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3326; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-095; classtype:attempted-user; sid:39827; rev:4;)
# sid 39826: client-side counterpart of sid 39827 for CVE-2016-3326 / MS16-095; same location.href assignment
# followed by the same long run of "<script ... src" matches (see that rule for the false-positive caveat).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt"; flow:to_client,established; file_data; content:"window.location.href"; nocase; content:"="; within:10; content:"window.location.href"; within:40; nocase; content:"<script"; distance:0; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3326; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-095; classtype:attempted-user; sid:39826; rev:4;)
# sid 39823: inbound-SMTP variant for CVE-2016-3293 (MS16-095 / MS16-096). Ordered chain: .onbeforeunload, then
# .pushState within 300 (fast pattern), then .location within 300 and href within 15 bytes of it.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge edgehtml.dll invalid history state use after free attempt"; flow:to_server,established; file_data; content:".onbeforeunload"; nocase; content:".pushState"; within:300; fast_pattern; nocase; content:".location"; within:300; nocase; content:"href"; within:15; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3293; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-095; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-096; classtype:attempted-user; sid:39823; rev:2;)
# sid 39822: client-side counterpart of sid 39823 for CVE-2016-3293 (MS16-095 / MS16-096); same chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge edgehtml.dll invalid history state use after free attempt"; flow:to_client,established; file_data; content:".onbeforeunload"; nocase; content:".pushState"; within:300; fast_pattern; nocase; content:".location"; within:300; nocase; content:"href"; within:15; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3293; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-095; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-096; classtype:attempted-user; sid:39822; rev:2;)
# sid 39821 (commented out, not loaded): inbound-SMTP variant for CVE-2016-3321 / MS16-095. Matches an <iframe
# whose src is a file:/// URL (fast pattern) and that carries a sandbox attribute before </iframe>. Note the src
# lookup here uses distance:0 (unbounded after <iframe) while the client counterpart (sid 39820) bounds it with
# within:50; the two should probably agree.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer iframe sandbox file name information disclosure attempt"; flow:to_server,established; file_data; content:"<iframe"; nocase; content:"src"; distance:0; nocase; content:"="; within:5; content:"file:///"; within:20; fast_pattern; nocase; content:"sandbox"; within:100; nocase; content:"</iframe>"; within:100; nocase; metadata:service smtp; reference:cve,2016-3321; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-095; classtype:attempted-recon; sid:39821; rev:1;)
# sid 39820 (commented out, not loaded): client-side counterpart of sid 39821 for CVE-2016-3321 / MS16-095; same
# sandboxed file:/// iframe pattern, with src bounded to within:50 of <iframe.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer iframe sandbox file name information disclosure attempt"; flow:to_client,established; file_data; content:"<iframe"; nocase; content:"src"; within:50; nocase; content:"="; within:5; content:"file:///"; within:20; fast_pattern; nocase; content:"sandbox"; within:100; nocase; content:"</iframe>"; within:100; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3321; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-095; classtype:attempted-recon; sid:39820; rev:1;)
# sid 39813: inbound-SMTP variant for CVE-2016-3288 / MS16-095. Matches FileReader( followed by Blob( within 200
# (fast pattern) and readAsDataURL( within 100. This trio is also an ordinary client-side file-preview idiom, so
# the rule's precision rests on the ordering and the tight windows; watch for false positives on legitimate mail.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer page layout use after free attempt"; flow:to_server,established; file_data; content:"FileReader|28|"; nocase; content:"Blob|28|"; within:200; fast_pattern; nocase; content:"readAsDataURL|28|"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3288; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-095; classtype:attempted-user; sid:39813; rev:3;)
# sid 39812: client-side counterpart of sid 39813 for CVE-2016-3288 / MS16-095; same FileReader/Blob/readAsDataURL
# sequence, with the same false-positive caveat for ordinary file-preview scripts.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer page layout use after free attempt"; flow:to_client,established; file_data; content:"FileReader|28|"; nocase; content:"Blob|28|"; within:200; fast_pattern; nocase; content:"readAsDataURL|28|"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3288; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-095; classtype:attempted-user; sid:39812; rev:3;)
# sid 39811: inbound-SMTP variant for CVE-2016-3327 (MS16-095 / MS16-096). The sole match is an opaque 32-byte
# binary sequence used as fast pattern; the rule does not document what it is, so it is presumably a fragment taken
# from a known triggering sample and will not generalise beyond content sharing those exact bytes.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt"; flow:to_server,established; file_data; content:"|5D 09 5D 0A D2 4A 0A 01 2C 17 4F 09 02 47 00 00 02 03 02 0A 0C 93 01 D0 30 57 2A D5 30 65 01 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3327; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-095; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-096; classtype:attempted-user; sid:39811; rev:2;)
# sid 39810: client-side counterpart of sid 39811 for CVE-2016-3327 (MS16-095 / MS16-096); same opaque 32-byte
# sequence, same narrow-coverage caveat.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt"; flow:to_client,established; file_data; content:"|5D 09 5D 0A D2 4A 0A 01 2C 17 4F 09 02 47 00 00 02 03 02 0A 0C 93 01 D0 30 57 2A D5 30 65 01 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3327; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-095; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-096; classtype:attempted-user; sid:39810; rev:2;)
# sid 40150: inbound-SMTP rule for an MSXML IDispatch use-after-free. Unordered matches on the Msxml2.XSLTemplate
# (fast pattern) and Msxml2.FreeThreadedDOMDocument ProgIDs, vbscript, and the .stylesheet/.createProcessor/
# .addParameter/Nothing tokens, plus a pcre for a VBScript String( call whose count is a 5-digit hex literal.
# This rule carries no reference:cve or bulletin URL, unlike every other rule in this section; one should be added
# so analysts can triage alerts against the advisory.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt"; flow:to_server,established; file_data; content:"Msxml2.XSLTemplate"; fast_pattern:only; content:"Msxml2.FreeThreadedDOMDocument"; nocase; content:"vbscript"; nocase; content:".stylesheet"; nocase; content:".createProcessor"; nocase; content:".addParameter"; nocase; content:"Nothing"; nocase; pcre:"/String[\x28\s]+(\x26[oh])?[a-f0-9]{5}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:40150; rev:3;)
# sid 40149: client-side counterpart of sid 40150 (MSXML IDispatch use-after-free); same content set and pcre, and
# likewise missing a reference:cve / bulletin URL.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt"; flow:to_client,established; file_data; content:"Msxml2.XSLTemplate"; fast_pattern:only; content:"Msxml2.FreeThreadedDOMDocument"; nocase; content:"vbscript"; nocase; content:".stylesheet"; nocase; content:".createProcessor"; nocase; content:".addParameter"; nocase; content:"Nothing"; nocase; pcre:"/String[\x28\s]+(\x26[oh])?[a-f0-9]{5}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:40149; rev:3;)
# sid 40146 (commented out, not loaded): CVE-2016-3325 / MS16-104. Inspects the raw response start for an
# "HTTP/1.1 100" status line (depth:12) whose reason phrase is not "Continue". As written it only considers
# HTTP/1.1 responses and inspects the raw payload rather than an HTTP buffer.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge malformed response information disclosure attempt"; flow:to_client,established; content:"HTTP/1.1 100"; depth:12; nocase; content:!"Continue"; within:10; nocase; metadata:service http; reference:cve,2016-3325; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-104; classtype:attempted-recon; sid:40146; rev:3;)
# sid 40145 (commented out, not loaded): inbound-SMTP variant for CVE-2016-3370 / MS16-115. Gated on the file.pdf
# flowbit; walks a /CF crypt-filter dictionary with /AuthEvent/DocOpen/CFM ... V2 and then reads the /Length value
# as two decimal digits one byte after the key (byte_test:2,...,string,dec), alerting when it exceeds 17. Only two
# digits are read, so a three-digit length is compared on its first two digits only. The msg string ends with a
# trailing space; it is part of the rule text and is left as-is here.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge PDF out-of-bounds Crypt Filter length attempt "; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/CF"; content:"/AuthEvent/DocOpen/CFM"; within:60; content:"V2"; within:10; content:"/Length"; within:20; byte_test:2,>,17,1,relative,string,dec; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-3370; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-115; classtype:attempted-user; sid:40145; rev:1;)
# sid 40144 (commented out, not loaded): client-side counterpart of sid 40145 for CVE-2016-3370 / MS16-115; same
# file.pdf gate and two-digit /Length byte_test (see that rule for the digit-width caveat and trailing-space msg).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge PDF out-of-bounds Crypt Filter length attempt "; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/CF"; content:"/AuthEvent/DocOpen/CFM"; within:60; content:"V2"; within:10; content:"/Length"; within:20; byte_test:2,>,17,1,relative,string,dec; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3370; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-115; classtype:attempted-user; sid:40144; rev:1;)
# sid 40141 (commented out, not loaded): first of six disabled variants for CVE-2016-3295 / MS16-105 (sids
# 40141-40136). SMTP, createElement("caption") + .outerHTML + <!DOCTYPE> + .normalize() in order, each within 100
# bytes of the previous match.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge HTML normalize caption memory corruption attempt"; flow:to_server,established; file_data; content:".createElement"; nocase; content:"caption"; within:50; content:".outerHTML"; within:100; nocase; content:"<!DOCTYPE>"; within:100; nocase; content:".normalize()"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3295; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-105; classtype:attempted-user; sid:40141; rev:3;)
# sid 40140 (commented out, not loaded): CVE-2016-3295 / MS16-105, SMTP; identical to sid 40141 except it keys on
# .innerHTML instead of .outerHTML.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge HTML normalize caption memory corruption attempt"; flow:to_server,established; file_data; content:".createElement"; nocase; content:"caption"; within:50; content:".innerHTML"; within:100; nocase; content:"<!DOCTYPE>"; within:100; nocase; content:".normalize()"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3295; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-105; classtype:attempted-user; sid:40140; rev:3;)
# SID 40139 (commented out / disabled here). Markup variant of SID 40141: a literal "<caption" tag (fast_pattern:only, case-sensitive) anywhere, then ".outerHTML", "<!DOCTYPE>" within 100 and ".normalize()" within 100. CVE-2016-3295 / MS16-105.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge HTML normalize caption memory corruption attempt"; flow:to_server,established; file_data; content:"<caption"; fast_pattern:only; content:".outerHTML"; nocase; content:"<!DOCTYPE>"; within:100; nocase; content:".normalize()"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3295; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-105; classtype:attempted-user; sid:40139; rev:3;)
# SID 40138 (commented out / disabled here). Same as SID 40139 but keyed on ".innerHTML". CVE-2016-3295 / MS16-105.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge HTML normalize caption memory corruption attempt"; flow:to_server,established; file_data; content:"<caption"; fast_pattern:only; content:".innerHTML"; nocase; content:"<!DOCTYPE>"; within:100; nocase; content:".normalize()"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3295; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-105; classtype:attempted-user; sid:40138; rev:3;)
# SID 40137 (commented out / disabled here). Client-side twin of SID 40141 over ftp-data/http/imap/pop3. NOTE(review): the "caption" window is within:100 here but within:50 in the SMTP twin; the two should probably agree.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge HTML normalize caption memory corruption attempt"; flow:to_client,established; file_data; content:".createElement"; nocase; content:"caption"; within:100; content:".outerHTML"; within:100; nocase; content:"<!DOCTYPE>"; within:100; nocase; content:".normalize()"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3295; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-105; classtype:attempted-user; sid:40137; rev:3;)
# SID 40136 (commented out / disabled here). Client-side twin of SID 40140. NOTE(review): the windows here (caption within:15, <!DOCTYPE> within:20, .normalize() within:50) are much tighter than the SMTP twin's 50/100/100, so the two rules do not cover the same documents; confirm which set is intended.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge HTML normalize caption memory corruption attempt"; flow:to_client,established; file_data; content:".createElement"; nocase; content:"caption"; within:15; content:".innerHTML"; within:100; nocase; content:"<!DOCTYPE>"; within:20; nocase; content:".normalize()"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3295; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-105; classtype:attempted-user; sid:40136; rev:3;)
# SID 40135 (commented out / disabled here). Client-side twin of SID 40139 ("<caption" + ".outerHTML" variant). CVE-2016-3295 / MS16-105.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge HTML normalize caption memory corruption attempt"; flow:to_client,established; file_data; content:"<caption"; fast_pattern:only; content:".outerHTML"; nocase; content:"<!DOCTYPE>"; within:100; nocase; content:".normalize()"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3295; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-105; classtype:attempted-user; sid:40135; rev:3;)
# SID 40134 (commented out / disabled here). Client-side twin of SID 40138 ("<caption" + ".innerHTML" variant). CVE-2016-3295 / MS16-105.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge HTML normalize caption memory corruption attempt"; flow:to_client,established; file_data; content:"<caption"; fast_pattern:only; content:".innerHTML"; nocase; content:"<!DOCTYPE>"; within:100; nocase; content:".normalize()"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3295; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-105; classtype:attempted-user; sid:40134; rev:3;)
# SID 40133 (enabled; drop in balanced, max-detect and security IPS policies). Inbound SMTP file_data: "ADODB.Connection" (fast_pattern:only), "vbscript", ".Open", then a "Property Get" block that contains "Set" within 50, "=" within 10 and "Nothing" within 10 — i.e. a property getter releasing the connection object. NOTE(review): "Property Get", "Set" and "Nothing" are matched case-sensitively even though VBScript keywords are case-insensitive; consider nocase. CVE-2016-3375 / CVE-2017-11913, MS16-104.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE VBScript ADODB.Connection object use after free attempt"; flow:to_server,established; file_data; content:"ADODB.Connection"; fast_pattern:only; content:"vbscript"; nocase; content:".Open"; distance:0; nocase; content:"Property Get"; content:"Set"; within:50; content:"="; within:10; content:"Nothing"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3375; reference:cve,2017-11913; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11913; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-user; sid:40133; rev:3;)
# SID 40132 (enabled). Client-side twin of SID 40133 over ftp-data/http/imap/pop3; identical match chain, same case-sensitivity caveat on the VBScript keywords. CVE-2016-3375 / CVE-2017-11913.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE VBScript ADODB.Connection object use after free attempt"; flow:to_client,established; file_data; content:"ADODB.Connection"; fast_pattern:only; content:"vbscript"; nocase; content:".Open"; distance:0; nocase; content:"Property Get"; content:"Set"; within:50; content:"="; within:10; content:"Nothing"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3375; reference:cve,2017-11913; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11913; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-user; sid:40132; rev:3;)
# SID 40124 (commented out / disabled here). Inbound SMTP file_data: "remove" then ".insertAdjacent" within 500, "normalize" within 1000, and "contentEditable" (case-sensitive) anywhere after. The anchors are generic DOM method names with wide windows, which is consistent with the rule being disabled outside max-detect/security. CVE-2016-3294 / MS16-105.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt"; flow:to_server,established; file_data; content:"remove"; nocase; content:".insertAdjacent"; within:500; content:"normalize"; within:1000; content:"contentEditable"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3294; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-105; classtype:attempted-user; sid:40124; rev:5;)
# SID 40123 (commented out / disabled here). Client-side twin of SID 40124 over ftp-data/http/imap/pop3; identical match chain. CVE-2016-3294 / MS16-105.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt"; flow:to_client,established; file_data; content:"remove"; nocase; content:".insertAdjacent"; within:500; content:"normalize"; within:1000; content:"contentEditable"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3294; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-105; classtype:attempted-user; sid:40123; rev:5;)
# SID 40109 (enabled; balanced/max-detect/security drop). Inbound SMTP file_data: "<FONT" (fast_pattern:only), then ".setAttributeNode", ".createAttribute" + "lang" within 25, ".setAttribute" + "lang" within 25, and ".nodeValue" + "null" within 25 (all case-insensitive). Classified attempted-recon since the underlying bug is an out-of-bounds read. CVE-2016-3297, MS16-104/105.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer font element out of bounds read attempt"; flow:to_server,established; file_data; content:"<FONT"; fast_pattern:only; content:".setAttributeNode"; nocase; content:".createAttribute"; nocase; content:"lang"; within:25; nocase; content:".setAttribute"; nocase; content:"lang"; within:25; nocase; content:".nodeValue"; nocase; content:"null"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-105; classtype:attempted-recon; sid:40109; rev:2;)
# SID 40108 (enabled). Client-side twin of SID 40109 over ftp-data/http/imap/pop3; identical match chain. CVE-2016-3297.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer font element out of bounds read attempt"; flow:to_client,established; file_data; content:"<FONT"; fast_pattern:only; content:".setAttributeNode"; nocase; content:".createAttribute"; nocase; content:"lang"; within:25; nocase; content:".setAttribute"; nocase; content:"lang"; within:25; nocase; content:".nodeValue"; nocase; content:"null"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-105; classtype:attempted-recon; sid:40108; rev:2;)
# SID 40101 (commented out / disabled here). Inbound SMTP, PDF flowbit required: a "/FunctionType 4" (PostScript calculator) object whose "/Domain [" array is not closed within 100 bytes (isdataat + negated "]") and, per the pcre, lists at least 25 numeric entries — an oversized domain array. CVE-2016-3374 / MS16-105.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge PDF PostScript calculator out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/FunctionType 4"; fast_pattern:only; content:"/Domain"; nocase; content:"["; within:20; isdataat:100,relative; content:!"]"; within:100; pcre:"/\x2fDomain\s*\x5b\s*([0-9\x2e\x2d]+\s+){25}/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3374; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-105; classtype:attempted-recon; sid:40101; rev:5;)
# SID 40100 (commented out / disabled here). Client-side twin of SID 40101 over ftp-data/http/imap/pop3; same PDF gate and /Domain array check. CVE-2016-3374 / MS16-105.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge PDF PostScript calculator out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/FunctionType 4"; fast_pattern:only; content:"/Domain"; nocase; content:"["; within:20; isdataat:100,relative; content:!"]"; within:100; pcre:"/\x2fDomain\s*\x5b\s*([0-9\x2e\x2d]+\s+){25}/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3374; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-105; classtype:attempted-recon; sid:40100; rev:5;)
# SID 40099 (enabled; balanced/max-detect/security drop). Inbound SMTP file_data: "Symbol.species" (fast_pattern:only), then "new Proxy(" followed by "Array.prototype.map.apply(" within 200; all three are case-sensitive. CVE-2016-3377 / MS16-105.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge proxy object type confusion attempt"; flow:to_server,established; file_data; content:"Symbol.species"; fast_pattern:only; content:"new Proxy("; content:"Array.prototype.map.apply("; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3377; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-105; classtype:attempted-user; sid:40099; rev:2;)
# SID 40098 (enabled). Client-side twin of SID 40099 over ftp-data/http/imap/pop3; identical match chain. CVE-2016-3377 / MS16-105.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge proxy object type confusion attempt"; flow:to_client,established; file_data; content:"Symbol.species"; fast_pattern:only; content:"new Proxy("; content:"Array.prototype.map.apply("; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3377; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-105; classtype:attempted-user; sid:40098; rev:2;)
# SID 40078 (commented out / disabled here; max-detect/security). Inbound SMTP file_data: the UTF-16LE encoding of the CLSID string "4871A87A-BFDD-4106-8153-FFDE2BAC2967" (fast_pattern:only) together with UTF-16LE "%username%" — the byte patterns are the ASCII characters interleaved with |00|, so only wide-char (e.g. .NET/registry-style) payloads match. Classified attempted-admin (sandbox escape). CVE-2016-3292 / MS16-104.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer protected mode sandbox escape attempt"; flow:to_server,established; file_data; content:"4|00|8|00|7|00|1|00|A|00|8|00|7|00|A|00|-|00|B|00|F|00|D|00|D|00|-|00|4|00|1|00|0|00|6|00|-|00|8|00|1|00|5|00|3|00|-|00|F|00|F|00|D|00|E|00|2|00|B|00|A|00|C|00|2|00|9|00|6|00|7"; fast_pattern:only; content:"%|00|u|00|s|00|e|00|r|00|n|00|a|00|m|00|e|00|%"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3292; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-104; classtype:attempted-admin; sid:40078; rev:2;)
# SID 40077 (commented out / disabled here). Client-side twin of SID 40078 over ftp-data/http/imap/pop3; same UTF-16LE CLSID and "%username%" patterns. CVE-2016-3292 / MS16-104.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer protected mode sandbox escape attempt"; flow:to_client,established; file_data; content:"4|00|8|00|7|00|1|00|A|00|8|00|7|00|A|00|-|00|B|00|F|00|D|00|D|00|-|00|4|00|1|00|0|00|6|00|-|00|8|00|1|00|5|00|3|00|-|00|F|00|F|00|D|00|E|00|2|00|B|00|A|00|C|00|2|00|9|00|6|00|7"; fast_pattern:only; content:"%|00|u|00|s|00|e|00|r|00|n|00|a|00|m|00|e|00|%"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3292; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-104; classtype:attempted-admin; sid:40077; rev:2;)
# SID 40074 (commented out / disabled here; max-detect/security). Inbound SMTP file_data: the CSS declaration "white-space: pre-line;" (fast_pattern:only) plus a hex character reference ">&#x" with a "d" within 5 bytes. NOTE(review): classtype is attempted-user here but attempted-recon in the HTTP twin SID 40073, for the same information-disclosure CVE. CVE-2016-3247, MS16-104/105.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge white-space information disclosure attempt"; flow:to_server,established; file_data; content:"white-space|3A| pre-line|3B|"; fast_pattern:only; content:">&#x"; content:"d"; within:5; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3247; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-104; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-105; classtype:attempted-user; sid:40074; rev:3;)
# SID 40073 (commented out / disabled here). Client-side twin of SID 40074. NOTE(review): unlike the other client-side rules in this section it is scoped to $HTTP_PORTS / service http only (not $FILE_DATA_PORTS with ftp-data/imap/pop3), and its classtype (attempted-recon) differs from the SMTP twin's attempted-user. CVE-2016-3247.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge white-space information disclosure attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre-line|3B|"; fast_pattern:only; content:">&#x"; content:"d"; within:5; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3247; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-104; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-105; classtype:attempted-recon; sid:40073; rev:3;)
# SID 40312 (enabled; balanced/max-detect/security drop). Client-side only — no SMTP twin appears in this section. Matches URL-encoded CSS in file_data: "*::before" (fast_pattern) followed by "position: fixed" within 50, "counter(" within 50 and "url(" within 100; because the patterns are percent-encoded, only encoded (not raw) stylesheet text matches. CVE-2016-0108 / MS16-023.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt"; flow:to_client,established; file_data; content:"%2A%3A%3Abefore"; fast_pattern; content:"position%3A|20|fixed"; within:50; content:"counter%28"; within:50; content:"url%28"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:40312; rev:3;)
# SID 40424 (enabled; balanced/max-detect/security drop). Inbound SMTP file_data: "defineProperty" with a "get:" accessor within 30 and "function" within 20, "fill.call" within 75 (fast_pattern), then "__proto__" and "apply" anywhere after (all case-insensitive). NOTE(review): msg reads "use afterfree"; fixing it to "use after free" would need a rev bump. CVE-2016-7194 / MS16-119.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Windows Edge function.apply use afterfree attempt"; flow:to_server,established; file_data; content:"defineProperty"; nocase; content:"get|3A|"; within:30; nocase; content:"function"; within:20; nocase; content:"fill.call"; within:75; fast_pattern; nocase; content:"__proto__"; nocase; content:"apply"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7194; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:40424; rev:2;)
# SID 40423 (enabled). Client-side twin of SID 40424 over ftp-data/http/imap/pop3; identical match chain and the same "use afterfree" msg typo. CVE-2016-7194 / MS16-119.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows Edge function.apply use afterfree attempt"; flow:to_client,established; file_data; content:"defineProperty"; nocase; content:"get|3A|"; within:30; nocase; content:"function"; within:20; nocase; content:"fill.call"; within:75; fast_pattern; nocase; content:"__proto__"; nocase; content:"apply"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7194; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:40423; rev:2;)
# SID 40421 (commented out / disabled here; impact_flag red, max-detect/security). Inbound SMTP file_data: "onreadystatechange" and "readyState" handlers combined with a "res://" URI (fast_pattern:only) and a local "c:\" path — probing whether a local file exists via readyState. NOTE(review): the msg says information disclosure but classtype is attempted-user. CVE-2016-3267, MS16-118/119.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt"; flow:to_server,established; file_data; content:"onreadystatechange"; nocase; content:"readyState"; nocase; content:"res://"; fast_pattern:only; content:"c:|5C|"; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3267; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:40421; rev:3;)
# SID 40420 (commented out / disabled here). Client-side twin of SID 40421 over ftp-data/http/imap/pop3; identical match chain. CVE-2016-3267.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt"; flow:to_client,established; file_data; content:"onreadystatechange"; nocase; content:"readyState"; nocase; content:"res://"; fast_pattern:only; content:"c:|5C|"; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3267; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:40420; rev:3;)
# SID 40405 (commented out / disabled here; max-detect only). Inbound SMTP file_data: an "eval" token that is NOT preceded by "." (content:!"." with distance:-5/within:1 checks the single byte before the match), an "=" within 5 and a second "eval" within 100; the pcre tightens this to an assignment to a bare identifier named eval followed later by an "eval(" call. The 4-byte "eval" anchor with no fast_pattern makes this expensive, consistent with it being disabled by default. CVE-2016-3382 / MS16-119.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer eval type confusion attempt"; flow:to_server,established; file_data; content:"eval"; content:!"."; within:1; distance:-5; content:"="; within:5; content:"eval"; within:100; pcre:"/[^\x3b\x3d\x7b\x2e\x5f]eval\s*?=.*?\seval\x28/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-3382; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:40405; rev:6;)
# SID 40404 (commented out / disabled here). Client-side twin of SID 40405 over ftp-data/http/imap/pop3; identical match chain and pcre. CVE-2016-3382 / MS16-119.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer eval type confusion attempt"; flow:to_client,established; file_data; content:"eval"; content:!"."; within:1; distance:-5; content:"="; within:5; content:"eval"; within:100; pcre:"/[^\x3b\x3d\x7b\x2e\x5f]eval\s*?=.*?\seval\x28/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3382; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:40404; rev:6;)
# SID 40386 (enabled; balanced/max-detect/security drop). Inbound SMTP file_data: a "script" block declaring "javascript" within 100 with a ".toString" within 200, followed by a second "script" block declaring "vbscript" within 100 (fast_pattern) that uses "Array" within 300, "document.write" within 300 and "Join" within 20 — a mixed-language page where a VBScript array is passed through JScript. All matches are case-sensitive. CVE-2016-3385 / MS16-118.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer vbscript variable type confusion attempt"; flow:to_server,established; file_data; content:"script"; content:"javascript"; within:100; content:".toString"; within:200; content:"script"; content:"vbscript"; within:100; fast_pattern; content:"Array"; within:300; content:"document.write"; within:300; content:"Join"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3385; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-118; classtype:attempted-user; sid:40386; rev:3;)
# SID 40385 (enabled). Client-side twin of SID 40386 over ftp-data/http/imap/pop3; identical match chain. CVE-2016-3385 / MS16-118.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer vbscript variable type confusion attempt"; flow:to_client,established; file_data; content:"script"; content:"javascript"; within:100; content:".toString"; within:200; content:"script"; content:"vbscript"; within:100; fast_pattern; content:"Array"; within:300; content:"document.write"; within:300; content:"Join"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3385; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-118; classtype:attempted-user; sid:40385; rev:3;)
# SID 40384 (enabled; balanced/max-detect/security drop). Inbound SMTP file_data: an "Array(" constructor call that is not immediately closed (negated ")" within 1, i.e. it takes an argument), then "__proto__" within 250 and "join" within 50 (case-insensitive). No explicit fast_pattern. CVE-2016-7189 / MS16-119.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge array.join information disclosure attempt"; flow:to_server,established; file_data; content:"Array("; nocase; content:!")"; within:1; content:"__proto__"; within:250; nocase; content:"join"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7189; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:40384; rev:2;)
# SID 40383 (enabled). Client-side twin of SID 40384 over ftp-data/http/imap/pop3; identical match chain. CVE-2016-7189 / MS16-119.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge array.join information disclosure attempt"; flow:to_client,established; file_data; content:"Array("; nocase; content:!")"; within:1; content:"__proto__"; within:250; nocase; content:"join"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7189; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:40383; rev:2;)
# SID 40379 (enabled; balanced/max-detect/security drop). Inbound SMTP file_data: "setTimeout", "<iframe" and ".removeNode()" in order (unbounded), then ".insertAdjacentText(" within 100 (fast_pattern) and ".insertAdjacentElement(" within 100; all case-sensitive. CVE-2016-3383 / MS16-118.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer iframe type confusion attempt"; flow:to_server,established; file_data; content:"setTimeout"; content:"<iframe"; content:".removeNode()"; content:".insertAdjacentText("; within:100; fast_pattern; content:".insertAdjacentElement("; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3383; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-118; classtype:attempted-user; sid:40379; rev:2;)
# SID 40378 (enabled). Client-side twin of SID 40379 over ftp-data/http/imap/pop3; identical match chain. CVE-2016-3383 / MS16-118.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer iframe type confusion attempt"; flow:to_client,established; file_data; content:"setTimeout"; content:"<iframe"; content:".removeNode()"; content:".insertAdjacentText("; within:100; fast_pattern; content:".insertAdjacentElement("; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3383; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-118; classtype:attempted-user; sid:40378; rev:2;)
# SID 40373 (enabled; balanced/max-detect/security drop). Inbound SMTP file_data: "createElement" + "div" within 15, then an explicit "CollectGarbage" within 50 (fast_pattern), an "addEventListener" whose handler references "event.target" within 400, "document.all" within 30 and "setActive" after it (all case-insensitive). CVE-2016-3331 / MS16-118.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Windows Edge emodel use after free attempt"; flow:to_server,established; file_data; content:"createElement"; nocase; content:"div"; within:15; nocase; content:"CollectGarbage"; within:50; fast_pattern; nocase; content:"addEventListener"; nocase; content:"event.target"; within:400; nocase; content:"document.all"; within:30; nocase; content:"setActive"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3331; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-118; classtype:attempted-user; sid:40373; rev:2;)
# SID 40372 (enabled). Client-side twin of SID 40373 over ftp-data/http/imap/pop3; identical match chain. CVE-2016-3331 / MS16-118.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows Edge emodel use after free attempt"; flow:to_client,established; file_data; content:"createElement"; nocase; content:"div"; within:15; nocase; content:"CollectGarbage"; within:50; fast_pattern; nocase; content:"addEventListener"; nocase; content:"event.target"; within:400; nocase; content:"document.all"; within:30; nocase; content:"setActive"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3331; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-118; classtype:attempted-user; sid:40372; rev:2;)
# SID 40371 (enabled; balanced/max-detect/security drop). Inbound SMTP file_data: "defineProperty" on "Array.prototype" (within 40) with a "get:" accessor within 30, "function" within 20 and "length" within 50, followed by a spread "..." anywhere after. No explicit fast_pattern is set, so the engine will pick one itself (presumably the longest content, "Array.prototype" — confirm with the rule linter). CVE-2016-3386 / MS16-119.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge spread operator memory corruption attempt"; flow:to_server,established; file_data; content:"defineProperty"; nocase; content:"Array.prototype"; within:40; nocase; content:"get:"; within:30; nocase; content:"function"; within:20; nocase; content:"length"; within:50; nocase; content:"..."; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3386; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:40371; rev:2;)
# SID 40370 (enabled). Client-side twin of SID 40371 over ftp-data/http/imap/pop3; identical match chain, likewise without an explicit fast_pattern. CVE-2016-3386 / MS16-119.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge spread operator memory corruption attempt"; flow:to_client,established; file_data; content:"defineProperty"; nocase; content:"Array.prototype"; within:40; nocase; content:"get:"; within:30; nocase; content:"function"; within:20; nocase; content:"length"; within:50; nocase; content:"..."; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3386; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:40370; rev:2;)
# SID 40367 (commented out / disabled here; max-detect only). Inbound SMTP file_data: "Array", then "Symbol.species", "Proxy" within 500 and "map" (case-insensitive, unbounded distance:0). The 3-byte "map" anchor and the unbounded tail make this broad, which is consistent with max-detect-only placement. Compare the stricter, enabled SID 40099 for the same pattern family. CVE-2016-7190 / MS16-119.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt"; flow:to_server,established; file_data; content:"Array"; nocase; content:"Symbol.species"; distance:0; nocase; content:"Proxy"; within:500; nocase; content:"map"; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-7190; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:40367; rev:6;)
# SID 40366 (commented out / disabled here; max-detect only). Client-side twin of SID 40367 over ftp-data/http/imap/pop3; identical, broad match chain. CVE-2016-7190 / MS16-119.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt"; flow:to_client,established; file_data; content:"Array"; nocase; content:"Symbol.species"; distance:0; nocase; content:"Proxy"; within:500; nocase; content:"map"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7190; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:40366; rev:6;)
# SID 40722 (commented out / disabled here; max-detect/security). Inbound SMTP file_data: an "<iframe" followed within 100 by the literal "ExecWB(7,1)" print-preview command (fast_pattern, exact spacing) and an "x-ua-compatible" directive anywhere. classtype attempted-recon (information disclosure). CVE-2016-7227, MS16-129/142.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer print preview information disclosure attempt"; flow:to_server,established; file_data; content:"<iframe"; nocase; content:"ExecWB(7,1)"; within:100; fast_pattern; content:"x-ua-compatible"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7227; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-142; classtype:attempted-recon; sid:40722; rev:2;)
# SID 40721 (commented out / disabled here). Client-side twin of SID 40722 over ftp-data/http/imap/pop3; identical match chain. CVE-2016-7227, MS16-129/142.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer print preview information disclosure attempt"; flow:to_client,established; file_data; content:"<iframe"; nocase; content:"ExecWB(7,1)"; within:100; fast_pattern; content:"x-ua-compatible"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7227; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-142; classtype:attempted-recon; sid:40721; rev:2;)
# SID 40716 (commented out / disabled here; max-detect only). Single-content rule: the exact, case-sensitive literal "Proxy(eval, {})" in inbound SMTP file_data. Coverage is limited to this precise spelling and spacing, so it is a narrow indicator rather than a general detector for the CVE. CVE-2016-7240 / MS16-129.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge proxy object type confusion attempt"; flow:to_server,established; file_data; content:"Proxy(eval, {})"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-7240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:40716; rev:3;)
# SID 40715 (commented out / disabled here; max-detect only). Client-side twin of SID 40716 over ftp-data/http/imap/pop3; the same single exact literal. CVE-2016-7240 / MS16-129.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge proxy object type confusion attempt"; flow:to_client,established; file_data; content:"Proxy(eval, {})"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:40715; rev:3;)
# SID 40714 (commented out / disabled here; max-detect only). Inbound SMTP file_data: "JSON.parse(" (fast_pattern:only), "new Array(", a "this[" at least 10 bytes later within 50 and its "]" one byte after; the pcre then requires a named function whose name is passed as the JSON.parse reviver argument (named group funcName with a back-reference). classtype attempted-recon. CVE-2016-7241, bugtraq 94055, MS16-142.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt"; flow:to_server,established; file_data; content:"JSON.parse("; fast_pattern:only; content:"new Array("; content:"this|5B|"; within:50; distance:10; content:"|5D|"; within:1; distance:1; pcre:"/function\s+(?P<funcName>\w+)\x28\x29.*?JSON\x2Eparse\x28[^\x29]+(?P=funcName).*?\x29/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,94055; reference:cve,2016-7241; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-142; classtype:attempted-recon; sid:40714; rev:3;)
# SID 40713 (commented out / disabled here; max-detect only). Client-side twin of SID 40714 over ftp-data/http/imap/pop3; identical match chain and pcre. CVE-2016-7241 / MS16-142.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt"; flow:to_client,established; file_data; content:"JSON.parse("; fast_pattern:only; content:"new Array("; content:"this|5B|"; within:50; distance:10; content:"|5D|"; within:1; distance:1; pcre:"/function\s+(?P<funcName>\w+)\x28\x29.*?JSON\x2Eparse\x28[^\x29]+(?P=funcName).*?\x29/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,94055; reference:cve,2016-7241; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-142; classtype:attempted-recon; sid:40713; rev:3;)
# SID 40704 (enabled; balanced/max-detect/security drop). Inbound SMTP file_data: "transitionDuration" then "perspectiveOrigin" within 200 (fast_pattern), an opening single quote within 5 bytes with no closing quote in the following 6 — an unterminated/odd quoted property value. NOTE(review): msg misspells "UIAnimation.dll" as "UIAnimaation.dll"; correcting it needs a rev bump. CVE-2016-7205 / MS16-132.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt"; flow:to_server,established; file_data; content:"transitionDuration"; nocase; content:"perspectiveOrigin"; within:200; fast_pattern; content:"|27|"; within:5; content:!"|27|"; within:6; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7205; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-132; classtype:attempted-user; sid:40704; rev:3;)
# SID 40703 (enabled). Client-side twin of SID 40704 over ftp-data/http/imap/pop3; identical match chain and the same "UIAnimaation.dll" msg typo. CVE-2016-7205 / MS16-132.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt"; flow:to_client,established; file_data; content:"transitionDuration"; nocase; content:"perspectiveOrigin"; within:200; fast_pattern; content:"|27|"; within:5; content:!"|27|"; within:6; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7205; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-132; classtype:attempted-user; sid:40703; rev:3;)
# SID 40684 (enabled; balanced/max-detect/security drop). Inbound SMTP file_data: execCommand("undo") (within 15), a "createAttribute" within 250, then a second "execCommand" within 250 invoking "ms-beginUndoUnit" within 20 (all case-insensitive). No explicit fast_pattern. CVE-2016-7198 / MS16-129.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge stack variable memory access attempt"; flow:to_server,established; file_data; content:"execCommand"; nocase; content:"undo"; within:15; nocase; content:"createAttribute"; within:250; nocase; content:"execCommand"; within:250; nocase; content:"ms-beginUndoUnit"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7198; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; classtype:attempted-user; sid:40684; rev:2;)
# SID 40683 (enabled). Client-side twin of SID 40684 over ftp-data/http/imap/pop3; identical match chain. CVE-2016-7198 / MS16-129.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge stack variable memory access attempt"; flow:to_client,established; file_data; content:"execCommand"; nocase; content:"undo"; within:15; nocase; content:"createAttribute"; within:250; nocase; content:"execCommand"; within:250; nocase; content:"ms-beginUndoUnit"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7198; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; classtype:attempted-user; sid:40683; rev:2;)
# SID 40676 (enabled; balanced/max-detect/security drop). Inbound SMTP file_data: getContext("experimental-webgl") (within 25, fast_pattern), "setTimeout" within 100 and ".reload" within 50; then a "<video" tag that sets "height" within 100 but has no "width" in that same 100-byte window (negated content with distance:-100), and a "<source" with "src" and "mp4" within 200. classtype attempted-admin. CVE-2016-7217 / MS16-132.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge video html tag buffer overflow attempt"; flow:to_server,established; file_data; content:"getContext"; content:"experimental-webgl"; within:25; fast_pattern; content:"setTimeout"; within:100; content:".reload"; within:50; content:"<video"; nocase; content:"height"; within:100; content:!"width"; within:100; distance:-100; content:"<source"; nocase; content:"src"; within:200; nocase; content:"mp4"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7217; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-132; classtype:attempted-admin; sid:40676; rev:2;)
# SID 40675 (enabled). Client-side twin of SID 40676 over ftp-data/http/imap/pop3; identical match chain including the negated "width" check. CVE-2016-7217 / MS16-132.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge video html tag buffer overflow attempt"; flow:to_client,established; file_data; content:"getContext"; content:"experimental-webgl"; within:25; fast_pattern; content:"setTimeout"; within:100; content:".reload"; within:50; content:"<video"; nocase; content:"height"; within:100; content:!"width"; within:100; distance:-100; content:"<source"; nocase; content:"src"; within:200; nocase; content:"mp4"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7217; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-132; classtype:attempted-admin; sid:40675; rev:2;)
# sid:40670 rev:2 (disabled) -- IE classid RCE, CVE-2016-7195 (MS16-129 / MS16-142). SMTP twin of sid:40669.
# Looks for an <object> whose classid value begins with control bytes (\x00-\x08, \x0B, \x0C, \x0E-\x1F, \x7F) before a
# quote, whitespace or '>'. NOTE(review): the header is "$SMTP_SERVERS any -> $HOME_NET 25" with flow:to_server, unlike the
# "$EXTERNAL_NET any -> $SMTP_SERVERS 25" used by the other smtp rules in this section; as written it only inspects traffic
# originating from SMTP servers toward port 25 on internal hosts -- confirm the intended direction before enabling.
# alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt"; flow:to_server, established; file_data; content:"<object"; content:"classid"; within:100; fast_pattern; pcre:"/<object.*?classid\s*?=[\x22\x27]*?[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+?[\s\x22\x27>]/i"; metadata:service smtp; reference:cve,2016-7195; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-142; classtype:attempted-admin; sid:40670; rev:2;)
# sid:40669 rev:2 (disabled) -- IE classid RCE, CVE-2016-7195 (MS16-129 / MS16-142). Client-side twin of sid:40670.
# "<object" followed by "classid" within 100 (fast_pattern), then a pcre requiring the classid value to start with one or
# more control bytes (\x00-\x08, \x0B, \x0C, \x0E-\x1F, \x7F) terminated by whitespace, a quote or '>'.
# No policy drop is set; the rule only alerts when enabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt"; flow:to_client, established; file_data; content:"<object"; content:"classid"; within:100; fast_pattern; pcre:"/<object.*?classid\s*?=[\x22\x27]*?[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+?[\s\x22\x27>]/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-7195; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-142; classtype:attempted-admin; sid:40669; rev:2;)
# sid:40662 rev:6 -- Microsoft Edge Array.concat type confusion, CVE-2016-7242 (MS16-129). SMTP twin of sid:40661.
# "Symbol.species" (fast_pattern) -> "proto" (distance 0) -> "Array.prototype.concat" (within 200); all case-sensitive.
# Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Array.concat type confusion attempt"; flow:to_server,established; file_data; content:"Symbol.species"; fast_pattern; content:"proto"; distance:0; content:"Array.prototype.concat"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7242; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:40662; rev:6;)
# sid:40661 rev:6 -- Microsoft Edge Array.concat type confusion, CVE-2016-7242 (MS16-129). Client-side twin of sid:40662
# (ftp-data/http/imap/pop3). Same chain: "Symbol.species" (fast_pattern) -> "proto" (distance 0)
# -> "Array.prototype.concat" (within 200). Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Array.concat type confusion attempt"; flow:to_client,established; file_data; content:"Symbol.species"; fast_pattern; content:"proto"; distance:0; content:"Array.prototype.concat"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7242; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:40661; rev:6;)
# sid:40660 rev:2 -- Microsoft Edge Chakra.dll Array.splice heap overflow, CVE-2016-7203 (MS16-129). SMTP twin of sid:40659.
# Relative chain: "defineProperty" -> "constructor" (within 50) -> "length" (within 100) -> ".fill" (within 150), all nocase;
# "__proto__" is fast_pattern:only (prefilter only, not part of the relative chain) and "splice.call" is matched anywhere
# in file_data. Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra.dll Array.splice heap overflow attempt"; flow:to_server,established; file_data; content:"defineProperty"; nocase; content:"constructor"; within:50; nocase; content:"length"; within:100; nocase; content:".fill"; within:150; nocase; content:"__proto__"; fast_pattern:only; content:"splice.call"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7203; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:40660; rev:2;)
# sid:40659 rev:2 -- Microsoft Edge Chakra.dll Array.splice heap overflow, CVE-2016-7203 (MS16-129). Client-side twin of
# sid:40660 (ftp-data/http/imap/pop3). Same chain: defineProperty -> constructor -> length -> .fill (relative, nocase),
# "__proto__" as fast_pattern:only prefilter, "splice.call" anywhere. Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra.dll Array.splice heap overflow attempt"; flow:to_client,established; file_data; content:"defineProperty"; nocase; content:"constructor"; within:50; nocase; content:"length"; within:100; nocase; content:".fill"; within:150; nocase; content:"__proto__"; fast_pattern:only; content:"splice.call"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7203; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:40659; rev:2;)
# sid:40656 rev:2 -- IE Chakra.dll Array.filter type confusion, CVE-2016-7200 (MS16-129). SMTP twin of sid:40655.
# Chain (nocase): "class" -> "extends" (within 50) -> "Array" (within 50) -> "Symbol.species" (within 250, fast_pattern),
# then a second chain "__proto__" -> "prototype" (within 50), and "filter" anywhere in file_data.
# Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Chakra.dll Array.filter type confusion attempt"; flow:to_server,established; file_data; content:"class"; nocase; content:"extends"; within:50; nocase; content:"Array"; within:50; nocase; content:"Symbol.species"; within:250; fast_pattern; nocase; content:"__proto__"; nocase; content:"prototype"; within:50; nocase; content:"filter"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7200; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; classtype:attempted-user; sid:40656; rev:2;)
# sid:40655 rev:2 -- IE Chakra.dll Array.filter type confusion, CVE-2016-7200 (MS16-129). Client-side twin of sid:40656
# (ftp-data/http/imap/pop3). Same chain: class -> extends -> Array -> Symbol.species (fast_pattern), then
# __proto__ -> prototype, and "filter" anywhere. Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Chakra.dll Array.filter type confusion attempt"; flow:to_client,established; file_data; content:"class"; nocase; content:"extends"; within:50; nocase; content:"Array"; within:50; nocase; content:"Symbol.species"; within:250; fast_pattern; nocase; content:"__proto__"; nocase; content:"prototype"; within:50; nocase; content:"filter"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7200; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; classtype:attempted-user; sid:40655; rev:2;)
# sid:40654 rev:2 -- IE msSaveBlob use-after-free, CVE-2016-7196 (MS16-128 / MS16-129). SMTP twin of sid:40653.
# Content prefilter: "function" -> ".msSaveBlob" (within 250, fast_pattern) -> "try" (within 250) -> "catch" (within 50).
# The pcre captures a function name (?P<funcname>) and requires that same function to be invoked between "try" and "catch"
# after the msSaveBlob call. NOTE(review): it uses several unanchored ".*?" with the s flag over the whole file_data
# buffer, so matching cost on large non-matching documents may be noticeable -- verify with the configured pcre limits.
# Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer msSaveBlob use after free attempt"; flow:to_server,established; file_data; content:"function"; content:".msSaveBlob"; within:250; fast_pattern; content:"try"; within:250; content:"catch"; within:50; pcre:"/function\s+?(?P<funcname>[^\s\x28]+?)\x28.*?msSaveBlob.*?try.*?(?P=funcname)\x28.*?catch/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7196; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-128; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; classtype:attempted-admin; sid:40654; rev:2;)
# sid:40653 rev:2 -- IE msSaveBlob use-after-free, CVE-2016-7196 (MS16-128 / MS16-129). Client-side twin of sid:40654
# (ftp-data/http/imap/pop3). Same prefilter chain and the same named-backreference pcre requiring the function that
# calls msSaveBlob to be re-invoked inside a try/catch. Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer msSaveBlob use after free attempt"; flow:to_client,established; file_data; content:"function"; content:".msSaveBlob"; within:250; fast_pattern; content:"try"; within:250; content:"catch"; within:50; pcre:"/function\s+?(?P<funcname>[^\s\x28]+?)\x28.*?msSaveBlob.*?try.*?(?P=funcname)\x28.*?catch/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7196; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-128; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; classtype:attempted-admin; sid:40653; rev:2;)
# sid:40652 rev:1 (disabled) -- Microsoft Edge webkitdirectory file disclosure, CVE-2016-7204 (MS16-129). SMTP twin of sid:40651.
# "<input" -> "webkitdirectory" (within 75) plus "FileReader" anywhere, all nocase. No fast_pattern and no policy drop;
# these are common legitimate web-app constructs, so expect noise if enabled without tuning.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge webkit directory file disclosure attempt"; flow:to_server,established; file_data; content:"<input"; nocase; content:"webkitdirectory"; within:75; nocase; content:"FileReader"; nocase; metadata:service smtp; reference:cve,2016-7204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:40652; rev:1;)
# sid:40651 rev:1 (disabled) -- Microsoft Edge webkitdirectory file disclosure, CVE-2016-7204 (MS16-129). Client-side twin of
# sid:40652 (ftp-data/http/imap/pop3). "<input" -> "webkitdirectory" (within 75) plus "FileReader" anywhere, nocase.
# No policy drop; alert-only when enabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge webkit directory file disclosure attempt"; flow:to_client,established; file_data; content:"<input"; nocase; content:"webkitdirectory"; within:75; nocase; content:"FileReader"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-7204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:40651; rev:1;)
# sid:40650 rev:3 (disabled) -- IE Chakra.dll Proxy getPrototypeOf return type confusion, CVE-2016-7201 (MS16-129).
# SMTP twin of sid:40649. "getPrototypeOf" is fast_pattern:only (prefilter); detection chain is
# "Proxy" -> "__proto__" (within 200) -> "shift" (within 100), nocase. Drops only in the max-detect IPS policy.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt"; flow:to_server,established; file_data; content:"getPrototypeOf"; fast_pattern:only; nocase; content:"Proxy"; nocase; content:"__proto__"; within:200; nocase; content:"shift"; within:100; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-7201; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; classtype:attempted-user; sid:40650; rev:3;)
# sid:40649 rev:3 (disabled) -- IE Chakra.dll Proxy getPrototypeOf return type confusion, CVE-2016-7201 (MS16-129).
# Client-side twin of sid:40650 (ftp-data/http/imap/pop3). Same prefilter and Proxy -> __proto__ -> shift chain.
# Drops only in the max-detect IPS policy.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt"; flow:to_client,established; file_data; content:"getPrototypeOf"; fast_pattern:only; nocase; content:"Proxy"; nocase; content:"__proto__"; within:200; nocase; content:"shift"; within:100; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7201; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; classtype:attempted-user; sid:40649; rev:3;)
# sid:40648 rev:4 (disabled) -- Microsoft Edge JavaScript ReverseHelper buffer overrun, CVE-2016-7202 (MS16-129).
# SMTP twin of sid:40647. "Array.prototype." -> ".reverse();" (|28 29 3B| = "();", within 750, fast_pattern, nocase)
# -> ".sort(" (within 75, nocase). Drops only in the max-detect IPS policy.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt"; flow:to_server,established; file_data; content:"Array.prototype."; content:".reverse|28 29 3B|"; within:750; fast_pattern; nocase; content:".sort|28|"; within:75; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-7202; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:40648; rev:4;)
# sid:40647 rev:4 (disabled) -- Microsoft Edge JavaScript ReverseHelper buffer overrun, CVE-2016-7202 (MS16-129).
# Client-side twin of sid:40648 (ftp-data/http/imap/pop3). "Array.prototype." -> ".reverse();" (within 750, fast_pattern)
# -> ".sort(" (within 75). Drops only in the max-detect IPS policy.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt"; flow:to_client,established; file_data; content:"Array.prototype."; content:".reverse|28 29 3B|"; within:750; fast_pattern; nocase; content:".sort|28|"; within:75; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7202; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:40647; rev:4;)
# sid:40732 rev:2 -- IE CDeskBand use-after-free, CVE-2015-2548 (MS15-109). SMTP twin of sid:40731.
# Matches "object" followed within 100 bytes by the CLSID 15D633E2-AD00-465b-9EC7-F56B7CDF8E27 (nocase). The GUID is
# matched as a bare string -- no "classid=" / "clsid:" prefix is required, so any "object" text near that GUID fires.
# Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt"; flow:to_server,established; file_data; content:"object"; content:"15D633E2-AD00-465b-9EC7-F56B7CDF8E27"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-2548; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-109; classtype:attempted-user; sid:40732; rev:2;)
# sid:40731 rev:2 -- IE CDeskBand use-after-free, CVE-2015-2548 (MS15-109). Client-side twin of sid:40732
# (ftp-data/http/imap/pop3). "object" followed within 100 bytes by CLSID 15D633E2-AD00-465b-9EC7-F56B7CDF8E27 (nocase);
# the GUID is matched as a bare string with no classid/clsid prefix required. Drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt"; flow:to_client,established; file_data; content:"object"; content:"15D633E2-AD00-465b-9EC7-F56B7CDF8E27"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2548; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-109; classtype:attempted-user; sid:40731; rev:2;)
# sid:40788 rev:2 -- IE iertutil.dll long UNC redirect out-of-bounds read, CVE-2016-3327 (MS16-095 / MS16-096).
# SMTP twin of sid:40787. Single literal: "\\?\UNC\\\" (|5C| = backslash) as fast_pattern:only in file_data; there is no
# other constraint, so the whole detection hinges on that one string. Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt"; flow:to_server,established; file_data; content:"|5C 5C|?|5C|UNC|5C 5C 5C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3327; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-095; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-096; classtype:attempted-user; sid:40788; rev:2;)
# sid:40787 rev:2 -- IE iertutil.dll long UNC redirect out-of-bounds read, CVE-2016-3327 (MS16-095 / MS16-096).
# Client-side twin of sid:40788 (ftp-data/http/imap/pop3). Single fast_pattern:only literal "\\?\UNC\\\" in file_data,
# no other constraint. Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt"; flow:to_client,established; file_data; content:"|5C 5C|?|5C|UNC|5C 5C 5C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3327; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-095; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-096; classtype:attempted-user; sid:40787; rev:2;)
# sid:40993 rev:3 (disabled) -- IE information disclosure, CVE-2016-7284 (MS16-144). SMTP counterpart of sid:40992.
# "innerText(" (nocase) anywhere; "currentNode" (fast_pattern) -> "parentNode" (within 25) -> "HTML" (within 25).
# NOTE(review): unlike sid:40992 this variant has no "createNodeIterator" content and puts fast_pattern on "currentNode",
# so the two are not a strict pair. Its header is "$SMTP_SERVERS any -> $HOME_NET 25" with flow:to_server, which differs
# from the "$EXTERNAL_NET any -> $SMTP_SERVERS 25" form used elsewhere in this section -- confirm direction before enabling.
# Drops in security and max-detect IPS policies.
# alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"BROWSER-IE Microsoft Internet Explorer information disclosure attempt"; flow:to_server,established; file_data; content:"innerText("; nocase; content:"currentNode"; fast_pattern; content:"parentNode"; within:25; nocase; content:"HTML"; within:25; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7284; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-144; classtype:attempted-recon; sid:40993; rev:3;)
# sid:40992 rev:3 (disabled) -- IE information disclosure, CVE-2016-7284 (MS16-144). Client-side counterpart of sid:40993
# (ftp-data/http/imap/pop3). "innerText(" anywhere; "createNodeIterator" as fast_pattern:only prefilter;
# "currentNode" -> "parentNode" (within 25) -> "HTML" (within 25), nocase. The SMTP variant lacks the createNodeIterator
# term, so detection coverage differs between the two. Drops in security and max-detect IPS policies.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer information disclosure attempt"; flow:to_client,established; file_data; content:"innerText("; nocase; content:"createNodeIterator"; fast_pattern:only; content:"currentNode"; nocase; content:"parentNode"; within:25; nocase; content:"HTML"; within:25; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7284; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-144; classtype:attempted-recon; sid:40992; rev:3;)
# sid:40989 rev:3 -- IE out-of-bounds read, CVE-2016-7283 (MS16-144), hexadecimal numeric-character-reference variant
# (sid:40988 covers the decimal form). Chain: "<bdi" -> "style" -> "outline:hsl" -> "solid" (within 25) -> ">" -> "&#x",
# then two relative byte_tests read up to 10 hex digits as a string and require 0x300 <= value <= 0x362, then "&#" at
# distance 20, a pcre re-checking the structure, and a closing "</bdi>".
# NOTE(review): the pcre in this copy contains a U+FFFD replacement character ("�*?") where the upstream rule had a byte
# this export could not represent; as pasted the pcre will not match what was intended -- re-fetch the rule from the
# upstream ruleset before loading it. Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds read attempt"; flow:to_client,established; file_data; content:"<bdi"; content:"style"; distance:0; content:"outline|3A|hsl"; distance:0; content:"solid"; within:25; content:">"; distance:0; content:"&#x"; distance:0; byte_test:10,>=,0x300,0,relative,string,hex; byte_test:10,<=,0x362,0,relative,string,hex; content:"&#"; distance:20; pcre:"/<bdi.*?style.*?outline\x3ahsl.*?solid.*?>([^&]+?\s+?)?\s*?�*?3[1-6]\d\x3b/is"; content:"</bdi>"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-144; classtype:attempted-user; sid:40989; rev:3;)
# sid:40988 rev:3 -- IE out-of-bounds read, CVE-2016-7283 (MS16-144), decimal numeric-character-reference variant
# (sid:40989 covers the hex form). Same <bdi>/style/outline:hsl/solid chain, then "&#" followed by up to 10 decimal
# digits that must satisfy 768 <= value <= 866 (relative string byte_tests), a second "&#" at distance 20, a pcre, and
# a closing "</bdi>".
# NOTE(review): as in sid:40989, the pcre here carries a U+FFFD replacement character ("�*?") from a lossy export;
# verify against the upstream rule before deploying. Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds read attempt"; flow:to_client,established; file_data; content:"<bdi"; content:"style"; distance:0; content:"outline|3A|hsl"; distance:0; content:"solid"; within:25; content:">"; distance:0; content:"&#"; distance:0; byte_test:10,>=,768,0,relative,string,dec; byte_test:10,<=,866,0,relative,string,dec; content:"&#"; distance:20; pcre:"/<bdi.*?style.*?outline\x3ahsl.*?solid.*?>([^&]+?\s+?)?\s*?�*?(7[6-9]|8[1-6])\d\x3b/is"; content:"</bdi>"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-144; classtype:attempted-user; sid:40988; rev:3;)
# sid:40987 rev:4 -- IE <title> integer overflow, CVE-2016-7279 (MS16-144 / MS16-145). SMTP twin of sid:40986.
# Three content chains (nocase): createTextNode( -> getElementById( -> cloneNode( -> appendChild(;
# <script -> while( -> .join(; <title -> id (within 10) -> = (within 10). The pcre captures the <title id="..."> value
# (?P<titlename>) and requires getElementById("<same id>") later in the buffer. The pcre G modifier inverts greediness,
# so ".*" there is lazy and "+?" greedy. Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer title integer overflow attempt"; flow:to_server,established; file_data; content:"createTextNode("; nocase; content:"getElementById("; distance:0; nocase; content:"cloneNode("; distance:0; nocase; content:"appendChild("; distance:0; nocase; content:"<script"; nocase; content:"while("; distance:0; nocase; content:".join("; distance:0; nocase; content:"<title"; nocase; content:"id"; within:10; nocase; content:"="; within:10; pcre:"/<title[^>]+id\s*=\s*[\x22\x27](?P<titlename>([^\s\x22]+?))[\x22\x27].*getElementById\(\s*[\x22\x27](?P=titlename)/isG"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7279; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-145; classtype:attempted-user; sid:40987; rev:4;)
# sid:40986 rev:4 -- IE <title> integer overflow, CVE-2016-7279 (MS16-144 / MS16-145). Client-side twin of sid:40987
# (ftp-data/http/imap/pop3). Same three content chains and the same named-backreference pcre tying the <title id>
# value to a later getElementById("<id>") call (G modifier = ungreedy quantifiers).
# Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer title integer overflow attempt"; flow:to_client,established; file_data; content:"createTextNode("; nocase; content:"getElementById("; distance:0; nocase; content:"cloneNode("; distance:0; nocase; content:"appendChild("; distance:0; nocase; content:"<script"; nocase; content:"while("; distance:0; nocase; content:".join("; distance:0; nocase; content:"<title"; nocase; content:"id"; within:10; nocase; content:"="; within:10; pcre:"/<title[^>]+id\s*=\s*[\x22\x27](?P<titlename>([^\s\x22]+?))[\x22\x27].*getElementById\(\s*[\x22\x27](?P=titlename)/isG"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7279; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-145; classtype:attempted-user; sid:40986; rev:4;)
# sid:40976 rev:2 -- Microsoft Edge iframe information disclosure, CVE-2016-7282 (MS16-144 / MS16-145). SMTP twin of sid:40975.
# "<iframe" (nocase); "history.go(" as fast_pattern:only prefilter; "performance.navigation.type" -> "location" (within 100);
# "document.body" -> "insert" (within 200, distance -100). NOTE(review): the client-side twin matches "history.go(" with
# nocase and no fast_pattern, so the two variants are not byte-for-byte consistent. Drops in balanced/security/max-detect.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge iframe information disclosure attempt"; flow:to_server,established; file_data; content:"<iframe"; nocase; content:"history.go("; fast_pattern:only; content:"performance.navigation.type"; nocase; content:"location"; within:100; nocase; content:"document.body"; nocase; content:"insert"; within:200; distance:-100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7282; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-144; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-145; classtype:attempted-recon; sid:40976; rev:2;)
# sid:40975 rev:2 -- Microsoft Edge iframe information disclosure, CVE-2016-7282 (MS16-144 / MS16-145). Client-side twin of
# sid:40976 (ftp-data/http/imap/pop3). Here "history.go(" is nocase with no explicit fast_pattern, and
# "performance.navigation.type" is case-sensitive -- the SMTP twin has these the other way round. Remaining chain:
# "location" (within 100) and "document.body" -> "insert" (within 200, distance -100). Drops in balanced/security/max-detect.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge iframe information disclosure attempt"; flow:to_client,established; file_data; content:"<iframe"; nocase; content:"history.go("; nocase; content:"performance.navigation.type"; content:"location"; within:100; nocase; content:"document.body"; nocase; content:"insert"; within:200; distance:-100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7282; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-144; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-145; classtype:attempted-recon; sid:40975; rev:2;)
# sid:40974 rev:2 -- Microsoft Edge spread operator memory corruption, CVE-2016-7296 (MS16-145). SMTP twin of sid:40973.
# Chain (nocase): "new Array" -> "__proto__.__defineGetter__" (distance 0) -> ".length" (within 100);
# "__proto__.[Symbol.iterator]" -> "delete" (within 100); "function" -> "..." (within 50) -> "..." (within 50).
# Note: sid:40972/40971 reuse this exact msg text for a different CVE (2016-7297); distinguish them by sid, not msg.
# Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge spread operator memory corruption attempt"; flow:to_server,established; file_data; content:"new Array"; nocase; content:"__proto__.__defineGetter__"; distance:0; nocase; content:".length"; within:100; nocase; content:"__proto__.[Symbol.iterator]"; nocase; content:"delete"; within:100; nocase; content:"function"; nocase; content:"..."; within:50; content:"..."; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7296; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-145; classtype:attempted-user; sid:40974; rev:2;)
# sid:40973 rev:2 -- Microsoft Edge spread operator memory corruption, CVE-2016-7296 (MS16-145). Client-side twin of sid:40974
# (ftp-data/http/imap/pop3). Same chains: new Array -> __proto__.__defineGetter__ -> .length; __proto__.[Symbol.iterator]
# -> delete; function -> "..." -> "...". Same msg text as sid:40971 (CVE-2016-7297) -- triage by sid.
# Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge spread operator memory corruption attempt"; flow:to_client,established; file_data; content:"new Array"; nocase; content:"__proto__.__defineGetter__"; distance:0; nocase; content:".length"; within:100; nocase; content:"__proto__.[Symbol.iterator]"; nocase; content:"delete"; within:100; nocase; content:"function"; nocase; content:"..."; within:50; content:"..."; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7296; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-145; classtype:attempted-user; sid:40973; rev:2;)
# sid:40972 rev:2 -- Microsoft Edge spread operator memory corruption, CVE-2016-7297 (MS16-145). SMTP twin of sid:40971.
# Chain (nocase): "var" -> "= function()" (|28 29| = "()", within 50); "[Symbol.species] =" (fast_pattern);
# ".constructor =" -> ".concat(" (within 100). Shares its msg text with sid:40974/40973 (CVE-2016-7296); triage by sid.
# Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge spread operator memory corruption attempt"; flow:to_server,established; file_data; content:"var"; nocase; content:"= function|28 29|"; within:50; nocase; content:"[Symbol.species] ="; fast_pattern; nocase; content:".constructor ="; nocase; content:".concat|28|"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-145; classtype:attempted-user; sid:40972; rev:2;)
# sid:40971 rev:2 -- Microsoft Edge spread operator memory corruption, CVE-2016-7297 (MS16-145). Client-side twin of sid:40972
# (ftp-data/http/imap/pop3). Same chain: var -> "= function()" (within 50); "[Symbol.species] =" (fast_pattern);
# ".constructor =" -> ".concat(" (within 100). Same msg text as sid:40973 (CVE-2016-7296). Drops in balanced/security/max-detect.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge spread operator memory corruption attempt"; flow:to_client,established; file_data; content:"var"; nocase; content:"= function|28 29|"; within:50; nocase; content:"[Symbol.species] ="; fast_pattern; nocase; content:".constructor ="; nocase; content:".concat|28|"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-145; classtype:attempted-user; sid:40971; rev:2;)
# sid:40970 rev:3 (disabled) -- Microsoft Edge Object.defineProperty type confusion, CVE-2016-7287 (MS16-144 / MS16-145).
# SMTP twin of sid:40969. "Intl" (fast_pattern) -> "{};" (|3B| = ';', within 10); "Object.defineProperty(" anywhere;
# "get" anywhere (3 bytes, unanchored, so it contributes little on its own) -> "function" (within 15); pcre restricts to
# Intl.NumberFormat / Intl.Collator / Intl.DateTimeFormat. Drops only in the max-detect IPS policy.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Object.defineProperty type confusion attempt"; flow:to_server,established; file_data; content:"Intl"; fast_pattern; content:"{}|3B|"; within:10; content:"Object.defineProperty("; content:"get"; content:"function"; within:15; pcre:"/Intl\.(NumberFormat|Collator|DateTimeFormat)/"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-7287; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-145; classtype:attempted-user; sid:40970; rev:3;)
# sid:40969 rev:3 (disabled) -- Microsoft Edge Object.defineProperty type confusion, CVE-2016-7287 (MS16-144 / MS16-145).
# Client-side twin of sid:40970 (ftp-data/http/imap/pop3). Same chain: Intl (fast_pattern) -> "{};" (within 10);
# Object.defineProperty(; get -> function (within 15); pcre for Intl.NumberFormat|Collator|DateTimeFormat.
# Drops only in the max-detect IPS policy.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Object.defineProperty type confusion attempt"; flow:to_client,established; file_data; content:"Intl"; fast_pattern; content:"{}|3B|"; within:10; content:"Object.defineProperty("; content:"get"; content:"function"; within:15; pcre:"/Intl\.(NumberFormat|Collator|DateTimeFormat)/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7287; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-145; classtype:attempted-user; sid:40969; rev:3;)
# sid:40950 rev:3 (disabled) -- Microsoft Edge SIMD memory corruption, CVE-2016-7286 (MS16-145). SMTP twin of sid:40949.
# "SIMD." as fast_pattern:only prefilter; "toLocaleString.call(" anywhere; the pcre then requires at least two
# comma-separated arguments, using a recursive subpattern "(?1)" with atomic groups to skip over balanced parentheses.
# NOTE(review): the O modifier overrides the configured pcre match/recursion limits for this expression, so a recursive
# pattern like this has no engine-side cost cap -- keep that in mind before enabling on high-volume sensors.
# Drops only in the max-detect IPS policy.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge SIMD memory corruption attempt"; flow:to_server,established; file_data; content:"SIMD."; fast_pattern:only; content:"toLocaleString.call("; pcre:"/toLocaleString\x2ecall\x28[^\x3b]*(\x28(?>[^\x28\x29]|(?1))*\x29)?\x2c[^\x3b]*(\x28(?>[^\x28\x29]|(?1))*\x29)?\x2c/Oi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-7286; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-145; classtype:attempted-user; sid:40950; rev:3;)
# sid:40949 rev:3 (disabled) -- Microsoft Edge SIMD memory corruption, CVE-2016-7286 (MS16-145). Client-side twin of sid:40950
# (ftp-data/http/imap/pop3). Same "SIMD." prefilter, "toLocaleString.call(" content and recursive "(?1)" pcre with the
# O (override match limits) modifier. Drops only in the max-detect IPS policy.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge SIMD memory corruption attempt"; flow:to_client,established; file_data; content:"SIMD."; fast_pattern:only; content:"toLocaleString.call("; pcre:"/toLocaleString\x2ecall\x28[^\x3b]*(\x28(?>[^\x28\x29]|(?1))*\x29)?\x2c[^\x3b]*(\x28(?>[^\x28\x29]|(?1))*\x29)?\x2c/Oi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7286; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-145; classtype:attempted-user; sid:40949; rev:3;)
# sid:40946 rev:1 (disabled) -- Microsoft Edge CSS :visited browser-history disclosure (MS16-145; no CVE reference given).
# HTTP-only (header uses $HTTP_PORTS rather than $FILE_DATA_PORTS, service http). ":visited" and
# "window.getComputedStyle" anywhere, then ".webkitTextFillColor.indexOf(" within 200 of the latter. All case-sensitive;
# no policy drop. No SMTP variant appears in this section.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge CSS browser history disclosure attempt"; flow:to_client,established; file_data; content:":visited"; content:"window.getComputedStyle"; content:".webkitTextFillColor.indexOf|28|"; within:200; metadata:service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-145; classtype:attempted-recon; sid:40946; rev:1;)
# sid:41107 rev:1 (disabled) -- IE layout object use-after-free, CVE-2009-1532 (MS09-019). SMTP-only rule in this section.
# Chain (nocase): "<script" -> ".rows" (distance 0) -> "null" (within 150) -> "null" (within 50) -> "CollectGarbage("
# (within 50) -> ".item(" (distance 0). Drops only in the max-detect IPS policy.
# NOTE(review): header is "$SMTP_SERVERS any -> $HOME_NET 25" with flow:to_server, the reversed form also seen on
# sid:40670 / 40993 / 41210; confirm the intended direction before enabling.
# alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"BROWSER-IE Microsoft Internet Explorer layout object use after free attempt"; flow:to_server,established; file_data; content:"<script"; nocase; content:".rows"; distance:0; nocase; content:"null"; within:150; nocase; content:"null"; within:50; nocase; content:"CollectGarbage("; within:50; content:".item("; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-1532; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:attempted-admin; sid:41107; rev:1;)
# sid:41211 rev:1 (disabled) -- IE classid RCE, CVE-2016-7195 (MS16-128 / MS16-129), numeric-character-reference variant of
# sid:40669. Client-side (ftp-data/http/imap/pop3). "<object" -> "classid" (within 100, fast_pattern) -> "&#" (within 10);
# the pcre requires the classid value to consist of one or more "&#...;" entities. NOTE(review): the entity body is
# "x?(\d+?)" -- "\d" matches decimal digits only, so hex entities containing a-f would not satisfy this pcre.
# No policy drop; alert-only when enabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt"; flow:to_client, established; file_data; content:"<object"; content:"classid"; within:100; fast_pattern; content:"&#"; within:10; pcre:"/<object.*?classid\s*?=[\x22\x27]*?(&#x?(\d+?)\x3b)+?[\x27\x22\x3e]/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-7195; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-128; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; classtype:attempted-admin; sid:41211; rev:1;)
# sid:41210 rev:1 (disabled) -- IE classid RCE, CVE-2016-7195 (MS16-128 / MS16-129), SMTP twin of sid:41211.
# Same chain and pcre ("&#x?(\d+?);" entities -- decimal digits only, hex letters a-f are not covered).
# NOTE(review): header is "$SMTP_SERVERS any -> $HOME_NET 25" with flow:to_server, unlike the
# "$EXTERNAL_NET any -> $SMTP_SERVERS 25" form used by most smtp rules here; confirm direction before enabling.
# alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt"; flow:to_server, established; file_data; content:"<object"; content:"classid"; within:100; fast_pattern; content:"&#"; within:10; pcre:"/<object.*?classid\s*?=[\x22\x27]*?(&#x?(\d+?)\x3b)+?[\x27\x22\x3e]/i"; metadata:service smtp; reference:cve,2016-7195; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-128; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; classtype:attempted-admin; sid:41210; rev:1;)
# sid:41386 rev:1 (disabled) -- Microsoft Edge mutation event memory corruption, CVE-2016-0003 / CVE-2016-0124
# (MS16-002 / MS16-024). SMTP twin of sid:41385. "DOMNodeRemoved" as fast_pattern:only prefilter; chain (nocase):
# ".createTextNode" -> ".insertBefore" (within 500) -> ".appendChild" (within 500) -> ".nodeValue" (distance 0).
# The pcre captures the first argument of insertBefore( (?P<node>) and requires "<node>.nodeValue" later.
# Drops in security and max-detect IPS policies.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge mutation event memory corruption attempt"; flow:to_server,established; file_data; content:"DOMNodeRemoved"; fast_pattern:only; content:".createTextNode"; nocase; content:".insertBefore"; within:500; nocase; content:".appendChild"; within:500; nocase; content:".nodeValue"; distance:0; nocase; pcre:"/\x2EinsertBefore\((?P<node>\w+).*(?P=node)\.nodeValue/si"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0003; reference:cve,2016-0124; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-024; classtype:attempted-user; sid:41386; rev:1;)
# sid:41385 rev:1 (disabled) -- Microsoft Edge mutation event memory corruption, CVE-2016-0003 / CVE-2016-0124
# (MS16-002 / MS16-024). Client-side twin of sid:41386 (ftp-data/http/imap/pop3). Same DOMNodeRemoved prefilter,
# createTextNode -> insertBefore -> appendChild -> nodeValue chain, and backreference pcre tying the insertBefore()
# argument to a later ".nodeValue" access. Drops in security and max-detect IPS policies.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge mutation event memory corruption attempt"; flow:to_client,established; file_data; content:"DOMNodeRemoved"; fast_pattern:only; content:".createTextNode"; nocase; content:".insertBefore"; within:500; nocase; content:".appendChild"; within:500; nocase; content:".nodeValue"; distance:0; nocase; pcre:"/\x2EinsertBefore\((?P<node>\w+).*(?P=node)\.nodeValue/si"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0003; reference:cve,2016-0124; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-024; classtype:attempted-user; sid:41385; rev:1;)
# sid:41378 rev:2 (disabled) -- IE runtimeStyle use-after-free, CVE-2015-0053 (MS15-009). SMTP twin of sid:41377.
# Chain: "document.getElementById" -> ".style" (within 50) -> ".left" (within 100) -> "auto" (within 50)
# -> ".posLeft" (distance 0, fast_pattern). No policy drop; alert-only when enabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt"; flow:to_server,established; file_data; content:"document.getElementById"; nocase; content:".style"; within:50; nocase; content:".left"; within:100; content:"auto"; within:50; nocase; content:".posLeft"; distance:0; fast_pattern; metadata:service smtp; reference:cve,2015-0053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:41378; rev:2;)
# sid:41377 rev:2 (disabled) -- IE runtimeStyle use-after-free, CVE-2015-0053 (MS15-009). Client-side twin of sid:41378
# (ftp-data/http/imap/pop3). Same chain ending in ".posLeft" (distance 0, fast_pattern). No policy drop.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementById"; nocase; content:".style"; within:50; nocase; content:".left"; within:100; content:"auto"; within:50; nocase; content:".posLeft"; distance:0; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:41377; rev:2;)
# sid:41406 rev:2 -- IE object property change use-after-free, CVE-2015-0048 (MS15-009). SMTP twin of sid:41405.
# Chain: "createElement" -> "textarea" (within 10, nocase) -> ".dataSrc" (distance 0) -> ".innerHTML" (within 80)
# -> ".onvolumechange" (within 80, fast_pattern) -> "style.setProperty(" (within 100) -> "list-style" (within 20)
# -> "url()" (within 10). Drops in balanced/security/max-detect IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer object property change use after free attempt"; flow:to_server,established; file_data; content:"createElement"; content:"textarea"; within:10; nocase; content:".dataSrc"; distance:0; content:".innerHTML"; within:80; content:".onvolumechange"; within:80; fast_pattern; content:"style.setProperty("; within:100; content:"list-style"; within:20; nocase; content:"url()"; within:10; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0048; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:41406; rev:2;)
# sid:41405 rev:2 -- IE object property change use-after-free, CVE-2015-0048 (MS15-009). Client-side twin of sid:41406
# (ftp-data/http/imap/pop3). Same fully relative chain: createElement -> textarea -> .dataSrc -> .innerHTML
# -> .onvolumechange (fast_pattern) -> style.setProperty( -> list-style -> url(). Drops in balanced/security/max-detect.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer object property change use after free attempt"; flow:to_client,established; file_data; content:"createElement"; content:"textarea"; within:10; nocase; content:".dataSrc"; distance:0; content:".innerHTML"; within:80; content:".onvolumechange"; within:80; fast_pattern; content:"style.setProperty("; within:100; content:"list-style"; within:20; nocase; content:"url()"; within:10; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0048; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:41405; rev:2;)
# sid:41475 rev:1 -- IE 7 CTreeNode object RCE, CVE-2014-6366 (MS14-080). SMTP twin of sid:41474.
# The first content is absolutely positioned (offset:50, depth:42), i.e. '= document.createElement("base")' must sit in
# file_data bytes 50-92, followed within 70 bytes by the split-string attachEvent('onp'+'rope'+'rty'+'change', function
# literal. Then "srcelement" (nocase) and a pcre requiring srcelement ... (outer|inner)(text|html) (G = ungreedy).
# NOTE(review): the fixed offset makes this a sample-specific signature; minor reformatting of the page defeats it.
# Drops in balanced and security IPS policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt"; flow:to_server,established; file_data; content:"= document.createElement(|22|base|22|)"; depth:42; offset:50; content:"[|27|attachEvent|27|](|27|onp|27| + |27|rope|27| + |27|rty|27|+ |27|change|27|, function"; within:70; content:"srcelement"; nocase; pcre:"/srcelement.*(outer|inner)(text|html)/iG"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-6366; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-080; classtype:attempted-user; sid:41475; rev:1;)
# sid:41474 rev:1 -- IE 7 CTreeNode object RCE, CVE-2014-6366 (MS14-080). Client-side twin of sid:41475
# (ftp-data/http/imap/pop3). Same absolutely positioned first content (offset:50, depth:42), the split-string
# attachEvent literal within 70, "srcelement", and the ungreedy pcre. Sample-specific by construction (fixed offset).
# Drops in balanced and security IPS policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt"; flow:to_client,established; file_data; content:"= document.createElement(|22|base|22|)"; depth:42; offset:50; content:"[|27|attachEvent|27|](|27|onp|27| + |27|rope|27| + |27|rty|27|+ |27|change|27|, function"; within:70; content:"srcelement"; nocase; pcre:"/srcelement.*(outer|inner)(text|html)/iG"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6366; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-080; classtype:attempted-user; sid:41474; rev:1;)
# sid:41451 rev:2 (disabled) -- IE CElement object use-after-free, CVE-2013-3846 (MS13-055). SMTP twin of sid:41450.
# "setInterval" -> "execCommand" (within 100), nocase; the pcre requires two execCommand calls naming
# Undo/Redo/SelectAll/Unselect/Underline ("{2}" repetition, G = ungreedy so ".*" is lazy).
# Drops only in the security IPS policy.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CElement object use after free attempt"; flow:to_server,established; file_data; content:"setInterval"; nocase; content:"execCommand"; within:100; nocase; pcre:"/(execCommand[^)]+(Undo|Redo|SelectAll|Unselect|Underline).*){2}/siG"; metadata:policy security-ips drop, service smtp; reference:cve,2013-3846; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:41451; rev:2;)
# sid:41450 rev:2 (disabled) -- IE CElement object use-after-free, CVE-2013-3846 (MS13-055). Client-side twin of sid:41451
# (ftp-data/http/imap/pop3). setInterval -> execCommand (within 100) and the same "{2}" execCommand pcre.
# Drops only in the security IPS policy.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement object use after free attempt"; flow:to_client,established; file_data; content:"setInterval"; nocase; content:"execCommand"; within:100; nocase; pcre:"/(execCommand[^)]+(Undo|Redo|SelectAll|Unselect|Underline).*){2}/siG"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3846; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:41450; rev:2;)
# NOTE(review): the pcre below carries the O modifier, which overrides the configured
# pcre match limit / match-limit recursion for this one expression. The expression itself
# chains many backreferences and lazy .*? segments, so a large or crafted HTML body can make
# evaluation expensive on the sensor. The rule is disabled by default (commented out); if it
# is enabled, confirm the cost with rule profiling before deploying it on high-volume SMTP.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt"; flow:to_server,established; file_data; content:"datasrc"; nocase; content:"datafld"; fast_pattern:only; pcre:"/<(?P<t1>button|div|input[^>]+?type\s*=\s*(\x22|\x27)button(\x22|\x27)|label|legend|marquee|param|span)\s+[^>]*(datasrc\s*=\s*(?P<q1>\x22|\x27|)(?P<d1>\S+)(?P=q1)\s+[^>]*datafld\s*=\s*(?P<q2>\x22|\x27|)(?P<d2>\S+)(?P=q2)|datafld\s*=\s*(?P<q3>\x22|\x27|)(?P<d3>\S+)(?P=q3)\s+[^>]*datasrc\s*=\s*(?P<q4>\x22|\x27|)(?P<d4>\S+)(?P=q4))[^>]*>(?!.*?<\/\s*(?P=t1)\s*>.*?<(?P=t1)).*?<(?P=t1)\s+[^>]*(datasrc\s*=\s*(?P<q5>\x22|\x27|)((?P=d1)|(?P=d3))(?P=q5)\s+datafld\s*=\s*(?P<q6>\x22|\x27|)((?P=d2)|(?P=d4))(?P=q6)|(datafld\s*=\s*(?P<q7>\x22|\x27|)(?P=d1)(?P=q7)\s+datasrc\s*=\s*(?P<q8>\x22|\x27|)(?P=d2)(?P=q8)))/Osi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:41494; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer nested SPAN tag memory corruption attempt"; flow:to_server,established; file_data; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%48%54%4d%4c%3e"; fast_pattern:only; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%54%45%58%54%3e"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32721; reference:cve,2008-4844; classtype:attempted-user; sid:41493; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode object use after free attempt"; flow:to_server,established; file_data; content:"contentEditable"; fast_pattern:only; content:".execCommand"; content:"delete"; within:10; content:".execCommand"; content:"fontSize"; within:15; content:"true"; within:20; content:".execCommand"; distance:0; content:"indent"; within:15; content:"true"; within:20; metadata:service smtp; reference:cve,2015-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:41523; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode object use after free attempt"; flow:to_client,established; file_data; content:"contentEditable"; fast_pattern:only; content:".execCommand"; content:"delete"; within:10; content:".execCommand"; content:"fontSize"; within:15; content:"true"; within:20; content:".execCommand"; distance:0; content:"indent"; within:15; content:"true"; within:20; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:41522; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CPeerHolder use after free attempt"; flow:to_server,established; file_data; content:"try |7B| var"; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:41600; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CPeerHolder use after free attempt"; flow:to_client,established; file_data; content:"try |7B| var"; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; content:"try |7B| var"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:41599; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use asm memory corruption attempt"; flow:to_server,established; file_data; content:"function"; content:"use asm"; within:30; fast_pattern; content:"return {}"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0010; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-004; classtype:attempted-user; sid:41556; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use asm memory corruption attempt"; flow:to_client,established; file_data; content:"function"; content:"use asm"; within:30; fast_pattern; content:"return {}"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0010; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-004; classtype:attempted-user; sid:41555; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt"; flow:to_client,established; file_data; content:"|49 00 00 00 6E 00 00 00 74 00 00 00 65 00 00 00 72 00 00 00 6E 00 00 00 65 00 00 00 74 00 00 00 20 00 00 00 45 00 00 00 78 00 00 00 70 00 00 00 6C 00 00 00 6F 00 00 00 69 00 00 00 74 00 00 00 65 00 00 00 72|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11515; reference:cve,2004-1050; classtype:attempted-user; sid:41720; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt"; flow:to_client,established; file_data; content:"|49 00 6E 00 74 00 65 00 72 00 6E 00 65 00 74 00 20 00 45 00 78 00 70 00 6C 00 6F 00 69 00 74 00 65 00 72|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11515; reference:cve,2004-1050; classtype:attempted-user; sid:41719; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt"; flow:to_client,established; file_data; content:"|49 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 69 74 65 72|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11515; reference:cve,2004-1050; classtype:attempted-user; sid:41718; rev:1;)
# NOTE(review): unlike its siblings 41720/41719/41718 this rule carries no reference, and its
# only match is one fixed GUID-shaped string, so it presumably keys on a specific proof-of-concept
# artifact rather than the vulnerability condition itself — confirm before enabling, since a
# trivially altered variant would not match. Disabled by default.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt"; flow:to_client,established; file_data; content:"11111111-1111-1111-1111-111111111111"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:41716; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Health and Support Center iframe injection attempt"; flow:to_client,established; file_data; content:"iframe"; nocase; content:"src"; within:50; nocase; content:"hcp:"; within:50; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:41715; rev:1;)
# NOTE(review): the detection options of this rule are byte-identical to sid 41626 (rev 4,
# same CVE-2017-0037, plus the MS17-006/MS17-007 bulletin references) further down in this
# section; the to_client twin 41763 likewise duplicates 41625. Both pairs are enabled, so one
# matching message produces two alerts/drops. Confirm which pair is meant to stay and retire
# the other, or at least keep the references in sync.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge HandleColumnBreakOnColumnSpanningElement type confusion attempt"; flow:to_server,established; file_data; content:"column-span:"; fast_pattern; content:"all"; within:10; nocase; content:"column-count:"; within:100; distance:-50; nocase; content:"columns:"; within:200; distance:-100; nocase; content:"float:"; within:300; distance:-150; nocase; content:".align"; nocase; content:"<table"; nocase; content:"colspan="; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0037; classtype:attempted-admin; sid:41764; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge HandleColumnBreakOnColumnSpanningElement type confusion attempt"; flow:to_client,established; file_data; content:"column-span:"; fast_pattern; content:"all"; within:10; nocase; content:"column-count:"; within:100; distance:-50; nocase; content:"columns:"; within:200; distance:-100; nocase; content:"float:"; within:300; distance:-150; nocase; content:".align"; nocase; content:"<table"; nocase; content:"colspan="; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0037; classtype:attempted-admin; sid:41763; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt"; flow:to_server,established; file_data; content:"document.getElementById"; nocase; content:".style"; within:50; nocase; content:".top"; within:100; content:"auto"; within:50; nocase; content:".posTop"; distance:0; fast_pattern; metadata:service smtp; reference:cve,2015-0053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:41777; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt"; flow:to_server,established; file_data; content:"document.getElementById"; nocase; content:".style"; within:50; nocase; content:".right"; within:100; content:"auto"; within:50; nocase; content:".posRight"; distance:0; fast_pattern; metadata:service smtp; reference:cve,2015-0053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:41776; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt"; flow:to_server,established; file_data; content:"document.getElementById"; nocase; content:".style"; within:50; nocase; content:".bottom"; within:100; content:"auto"; within:50; nocase; content:".posBottom"; distance:0; fast_pattern; metadata:service smtp; reference:cve,2015-0053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:41775; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementById"; nocase; content:".style"; within:50; nocase; content:".bottom"; within:100; content:"auto"; within:50; nocase; content:".posBottom"; distance:0; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:41774; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementById"; nocase; content:".style"; within:50; nocase; content:".top"; within:100; content:"auto"; within:50; nocase; content:".posTop"; distance:0; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:41773; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementById"; nocase; content:".style"; within:50; nocase; content:".right"; within:100; content:"auto"; within:50; nocase; content:".posRight"; distance:0; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-009; classtype:attempted-user; sid:41772; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt"; flow:to_server,established; file_data; content:"mhtml|3A|file|3A 2F|"; fast_pattern; nocase; content:"loadXML"; nocase; content:"parseError.errorCode"; within:200; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3298; reference:cve,2017-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-126; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-014; classtype:attempted-user; sid:41798; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt"; flow:to_client,established; file_data; content:"mhtml|3A|file|3A 2F|"; fast_pattern; nocase; content:"loadXML"; nocase; content:"parseError.errorCode"; within:200; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3298; reference:cve,2017-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-126; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-014; classtype:attempted-user; sid:41797; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer frameset null pointer dereference attempt"; flow:to_server,established; file_data; content:"createElement"; nocase; content:"frameset"; within:100; fast_pattern; nocase; content:"contentEditable"; within:150; nocase; content:"getElementById"; within:100; nocase; content:"appendChild"; within:150; nocase; metadata:service smtp; reference:url,dev.ixiacom.com/strikes/denial/browser/bps_2015_0001_ms_ie_frameset_dos.xml; classtype:attempted-user; sid:41896; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer frameset null pointer dereference attempt"; flow:to_client,established; file_data; content:"createElement"; nocase; content:"frameset"; within:100; fast_pattern; nocase; content:"contentEditable"; within:150; nocase; content:"getElementById"; within:100; nocase; content:"appendChild"; within:150; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,dev.ixiacom.com/strikes/denial/browser/bps_2015_0001_ms_ie_frameset_dos.xml; classtype:attempted-user; sid:41895; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge object mutation memory corruption attempt"; flow:to_server,established; file_data; content:"document.createElement("; content:"appendChild("; within:83; content:"new"; within:52; content:"MutationObserver"; within:35; content:"function"; within:27; content:"observe("; within:41; content:"insertAdjacentElement("; distance:0; content:"nextSibling.nodeValue"; within:154; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-002; classtype:attempted-user; sid:41840; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge object mutation memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement("; content:"appendChild("; within:83; content:"new"; within:52; content:"MutationObserver"; within:35; content:"function"; within:27; content:"observe("; within:41; content:"insertAdjacentElement("; distance:0; content:"nextSibling.nodeValue"; within:154; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-002; classtype:attempted-user; sid:41839; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt"; flow:to_server,established; file_data; content:"Array"; nocase; content:"setPrototypeOf"; nocase; content:"Proxy"; within:200; nocase; content:"getPrototypeOf"; within:100; nocase; content:"length"; within:150; nocase; content:"setTimeout"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:41912; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt"; flow:to_client,established; file_data; content:"Array"; nocase; content:"setPrototypeOf"; nocase; content:"Proxy"; within:200; nocase; content:"getPrototypeOf"; within:100; nocase; content:"length"; within:150; nocase; content:"setTimeout"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:41911; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt"; flow:to_server,established; file_data; content:"mhtml|3A|file|3A 2F|"; fast_pattern; nocase; content:"ActiveXObject"; nocase; content:"loadXML"; within:200; nocase; content:"parseError.errorCode"; within:200; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3298; reference:cve,2017-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-022; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-118; classtype:attempted-user; sid:40365; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt"; flow:to_client,established; file_data; content:"mhtml|3A|file|3A 2F|"; fast_pattern; nocase; content:"ActiveXObject"; nocase; content:"loadXML"; within:200; nocase; content:"parseError.errorCode"; within:200; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3298; reference:cve,2017-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-022; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-118; classtype:attempted-user; sid:40364; rev:6;)
# NOTE(review): this rule and its sibling 41633 are scoped to $HTTP_PORTS / service http only,
# whereas every other to_client rule in this section uses $FILE_DATA_PORTS with the ftp-data,
# http, imap and pop3 services and has an SMTP counterpart. As written, the same HTML delivered
# by mail or FTP is not inspected — confirm the narrower scope is intentional. Disabled by default.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 Windows Media Player information disclosure attempt"; flow:to_client,established; file_data; content:"WMPlayer.ocx.7"; content:"URL"; within:50; nocase; content:"file:"; within:25; nocase; metadata:service http; reference:cve,2017-0042; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-021; classtype:attempted-recon; sid:41634; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 Windows Media Player information disclosure attempt"; flow:to_client,established; file_data; content:"CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6"; content:"URL"; within:50; nocase; content:"file:"; within:25; nocase; metadata:service http; reference:cve,2017-0042; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-021; classtype:attempted-recon; sid:41633; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge HandleColumnBreakOnColumnSpanningElement type confusion attempt"; flow:to_server,established; file_data; content:"column-span:"; fast_pattern; content:"all"; within:10; nocase; content:"column-count:"; within:100; distance:-50; nocase; content:"columns:"; within:200; distance:-100; nocase; content:"float:"; within:300; distance:-150; nocase; content:".align"; nocase; content:"<table"; nocase; content:"colspan="; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-admin; sid:41626; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge HandleColumnBreakOnColumnSpanningElement type confusion attempt"; flow:to_client,established; file_data; content:"column-span:"; fast_pattern; content:"all"; within:10; nocase; content:"column-count:"; within:100; distance:-50; nocase; content:"columns:"; within:200; distance:-100; nocase; content:"float:"; within:300; distance:-150; nocase; content:".align"; nocase; content:"<table"; nocase; content:"colspan="; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-admin; sid:41625; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge AsmJs memory corruption attempt"; flow:to_server,established; file_data; content:"Number("; nocase; content:"-0"; within:5; content:"Number("; nocase; content:"Number."; within:10; nocase; content:"function"; nocase; content:"use asm"; within:50; fast_pattern; content:"function"; within:50; nocase; content:"function"; distance:0; nocase; content:"use asm"; within:50; nocase; content:"function"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:denial-of-service; sid:41606; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge AsmJs memory corruption attempt"; flow:to_client,established; file_data; content:"Number("; nocase; content:"-0"; within:5; content:"Number("; nocase; content:"Number."; within:10; nocase; content:"function"; nocase; content:"use asm"; within:50; fast_pattern; content:"function"; within:50; nocase; content:"function"; distance:0; nocase; content:"use asm"; within:50; nocase; content:"function"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:denial-of-service; sid:41605; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Data URI same origin policy bypass attempt"; flow:to_server,established; file_data; content:"<iframe"; nocase; content:"data|3A|"; within:100; nocase; content:"document.domain"; within:100; nocase; metadata:service smtp; reference:cve,2017-0017; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41594; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Data URI same origin policy bypass attempt"; flow:to_client,established; file_data; content:"<iframe"; nocase; content:"data|3A|"; within:100; nocase; content:"document.domain"; within:100; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-0017; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41593; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CHtmlTab use after free attempt"; flow:to_server,established; file_data; content:"onpropertychange"; fast_pattern:only; content:".removeNode("; nocase; content:".write("; within:500; nocase; content:"<div"; within:20; nocase; content:"<div"; within:20; nocase; content:".write("; within:500; nocase; content:"<div"; within:20; nocase; content:"<div"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0018; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; classtype:attempted-user; sid:41590; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CHtmlTab use after free attempt"; flow:to_client,established; file_data; content:"onpropertychange"; fast_pattern:only; content:".removeNode("; nocase; content:".write("; within:500; nocase; content:"<div"; within:20; nocase; content:"<div"; within:20; nocase; content:".write("; within:500; nocase; content:"<div"; within:20; nocase; content:"<div"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0018; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; classtype:attempted-user; sid:41589; rev:4;)
# NOTE(review): content:"shift" is non-relative (no distance/within), so it is already satisfied
# by the "unshift" match that precedes it and adds no constraint; it can be dropped without
# changing what the rule matches. Also, uneval() is a Mozilla-specific function rather than an
# IE/Chakra API, so requiring it presumably ties the rule to one published proof-of-concept —
# confirm it is essential, or the rule will miss variants that omit it. The msg lacks the
# " attempt" suffix used by the other rules in this section (twin sid 41587 shares all of this).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Array out of bounds memory corruption"; flow:to_server,established; file_data; content:"Float64Array"; fast_pattern:only; content:"Array.prototype"; nocase; content:"unshift"; nocase; content:"shift"; nocase; content:"uneval"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; classtype:attempted-user; sid:41588; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Array out of bounds memory corruption"; flow:to_client,established; file_data; content:"Float64Array"; fast_pattern:only; content:"Array.prototype"; nocase; content:"unshift"; nocase; content:"shift"; nocase; content:"uneval"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; classtype:attempted-user; sid:41587; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer mutated scope with generator memory corruption attempt"; flow:to_server,established; file_data; content:"try"; content:"function|20|"; within:10; content:"return|20 28|yield|20 28|"; within:30; content:"with|28|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; classtype:attempted-user; sid:41586; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer mutated scope with generator memory corruption attempt"; flow:to_client,established; file_data; content:"try"; content:"function|20|"; within:10; content:"return|20 28|yield|20 28|"; within:30; content:"with|28|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; classtype:attempted-user; sid:41585; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DOMAttrModified event use after free attempt"; flow:to_server,established; file_data; content:"DOMAttrModified"; fast_pattern:only; content:".createElement"; nocase; content:".appendChild"; within:160; nocase; content:".tabIndex"; within:160; nocase; content:".focus"; within:120; nocase; content:".click"; within:80; nocase; content:".reload"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0009; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41584; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DOMAttrModified event use after free attempt"; flow:to_client,established; file_data; content:"DOMAttrModified"; fast_pattern:only; content:".createElement"; nocase; content:".appendChild"; within:160; nocase; content:".tabIndex"; within:160; nocase; content:".focus"; within:120; nocase; content:".click"; within:80; nocase; content:".reload"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0009; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41583; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer mhtml and res protocol information disclosure attempt"; flow:to_server,established; file_data; content:"mhtml:res://"; fast_pattern:only; metadata:service smtp; reference:cve,2017-0008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; classtype:attempted-user; sid:41576; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer mhtml and res protocol information disclosure attempt"; flow:to_client,established; file_data; content:"mhtml:res://"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-0008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; classtype:attempted-user; sid:41575; rev:3;)
# NOTE(review): the pcre nests unbounded quantifiers, ((...)*[^\x3e]+)+, so a long style
# attribute that does not end up matching can cause heavy backtracking. The configured pcre
# match limit bounds the sensor cost, but presumably a limit hit is reported as a non-match,
# i.e. the rule then fails silently on exactly the long inputs it was meant to inspect —
# confirm against the local pcre_match_limit handling. The inner ([^\x3e]+)+ matches the same
# strings as [^\x3e]+ and is the cheap part to simplify. The to_client twin sid 41573 uses the
# same expression.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge CSS animation style information disclosure attempt"; flow:to_server,established; file_data; content:"@keyframes"; nocase; content:"filter"; within:50; nocase; content:"style"; nocase; content:"animation"; within:25; nocase; pcre:"/style\s*?=((animation\s*?\x3a.*?\d+?[ms]+)*[^\x3e]+)+/iG"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-recon; sid:41574; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge CSS animation style information disclosure attempt"; flow:to_client,established; file_data; content:"@keyframes"; nocase; content:"filter"; within:50; nocase; content:"style"; nocase; content:"animation"; within:25; nocase; pcre:"/style\s*?=((animation\s*?\x3a.*?\d+?[ms]+)*[^\x3e]+)+/iG"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-recon; sid:41573; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer array proto chain manipulation memory corruption attempt"; flow:to_server,established; file_data; content:"__proto__"; content:"__defineGetter__"; within:25; content:"__proto__"; distance:0; content:"Symbol.iterator"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0010; reference:cve,2017-0015; reference:cve,2017-0032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-004; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41562; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer array proto chain manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"__proto__"; content:"__defineGetter__"; within:25; content:"__proto__"; distance:0; content:"Symbol.iterator"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0010; reference:cve,2017-0015; reference:cve,2017-0032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-004; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41561; rev:3;)
|
|
# CVE-2017-0046 (MS17-007): a four-rule set — the "Array.from.apply" + "[[]]" form and the
# "Array.from.call" + "[]" form, each in SMTP and file-data variants. The second literal must
# occur within 20 bytes of the first. No fast_pattern is set explicitly, so the engine picks
# the pattern itself; "[]" / "[[]]" are poor candidates, so the Array.from literal is
# presumably what gets selected — confirm with the rule profiler if performance matters.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt"; flow:to_server,established; file_data; content:"Array.from.apply"; content:"[[]]"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41560; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt"; flow:to_server,established; file_data; content:"Array.from.call"; content:"[]"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41559; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt"; flow:to_client,established; file_data; content:"Array.from.apply"; content:"[[]]"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41558; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt"; flow:to_client,established; file_data; content:"Array.from.call"; content:"[]"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41557; rev:4;)
|
|
# CVE-2017-0033 (MS17-007), Edge URL forgery via the ms-appx-web error page. fast_pattern
# is deliberately placed on the last and most selective literal ("BlockSite"), not on the
# generic "window.open(" that opens the chain.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge url forgery attempt"; flow:to_server,established; file_data; content:"window.open("; content:"ms-appx-web"; within:20; nocase; content:"microsoftedge"; within:40; nocase; content:"errorpages"; within:30; nocase; content:"BlockSite"; within:20; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41554; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge url forgery attempt"; flow:to_client,established; file_data; content:"window.open("; content:"ms-appx-web"; within:20; nocase; content:"microsoftedge"; within:40; nocase; content:"errorpages"; within:30; nocase; content:"BlockSite"; within:20; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41553; rev:4;)
|
|
# CVE-2017-0069 (MS17-007), Edge address-bar spoofing: disabled by default. The pcre
# "#([^\x22\x27])\1{100}" requires a run of 101 identical non-quote characters after "#".
# NOTE(review): the SMTP variant anchors on "location.replace(" while the file-data variant
# uses ".location.replace(" (leading dot) — the pair has drifted slightly; harmless, but
# worth aligning when the rules are next revised.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge web address spoofing attempt"; flow:to_server,established; file_data; content:"window.open("; fast_pattern:only; content:"location.replace("; content:"#"; content:"#"; within:250; pcre:"/#([^\x22\x27])\1{100}/"; metadata:service smtp; reference:cve,2017-0069; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-admin; sid:41988; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge web address spoofing attempt"; flow:to_client,established; file_data; content:"window.open("; fast_pattern:only; content:".location.replace("; content:"#"; content:"#"; within:250; pcre:"/#([^\x22\x27])\1{100}/"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-0069; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-admin; sid:41987; rev:2;)
|
|
# CVE-2017-0094 (MS17-007), Chakra JavascriptProxy SetPropertyTrap type confusion: disabled,
# rev 1. All four literals are generic JavaScript tokens (object / .create( / proxy /
# symbol.species) with nocase, so expect noise on ordinary ES6 code if enabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge JavascriptProxy SetPropertyTrap type confusion attempt"; flow:to_server,established; file_data; content:"object"; nocase; content:".create("; within:25; content:"proxy"; within:50; nocase; content:"symbol.species"; nocase; metadata:service smtp; reference:cve,2017-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-admin; sid:41969; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge JavascriptProxy SetPropertyTrap type confusion attempt"; flow:to_client,established; file_data; content:"object"; nocase; content:".create("; within:25; content:"proxy"; within:50; nocase; content:"symbol.species"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-admin; sid:41968; rev:1;)
|
|
# CVE-2017-0131 (MS17-007), Edge malformed UTF-8 decode: matches one fixed byte sequence
# (a regex literal followed by a specific run of non-ASCII bytes). This is precise but
# brittle — any variation of the trigger bytes will not match. Presumably lifted from a
# public proof-of-concept; treat a hit as high-confidence and a miss as no information.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge malformed UTF-8 decode arbitrary read attempt"; flow:to_server,established; file_data; content:"/iiptiptc|7C|ci/ig|FF 7F 74 FF DE D2 DE 8C 8C 1F 02 8C 8C 75 8A DE DE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0131; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41959; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge malformed UTF-8 decode arbitrary read attempt"; flow:to_client,established; file_data; content:"/iiptiptc|7C|ci/ig|FF 7F 74 FF DE D2 DE 8C 8C 1F 02 8C 8C 75 8A DE DE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0131; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41958; rev:2;)
|
|
# CVE-2017-0130 (MS17-006), IE arguments-object type confusion. Both literals are
# unordered (no distance/within), so they may appear anywhere in file_data.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt"; flow:to_server,established; file_data; content:"arguments.callee.caller.arguments"; fast_pattern:only; content:"Array.prototype.join.call"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; classtype:attempted-user; sid:41957; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt"; flow:to_client,established; file_data; content:"arguments.callee.caller.arguments"; fast_pattern:only; content:"Array.prototype.join.call"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; classtype:attempted-user; sid:41956; rev:3;)
|
|
# CVE-2017-0059 / CVE-2017-8652 (MS17-006), IE textarea type confusion. "<textArea" is
# case-sensitive here (no nocase), so only that exact capitalisation of the tag matches.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer textarea type confusion attempt"; flow:to_server,established; file_data; content:"<textArea"; fast_pattern:only; content:"eventhandler"; content:"reset|28|"; content:".defaultValue"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0059; reference:cve,2017-8652; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; classtype:attempted-user; sid:41955; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer textarea type confusion attempt"; flow:to_client,established; file_data; content:"<textArea"; fast_pattern:only; content:"eventhandler"; content:"reset|28|"; content:".defaultValue"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0059; reference:cve,2017-8652; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; classtype:attempted-user; sid:41954; rev:3;)
|
|
# CVE-2017-0065 (MS17-007), Edge local file read. NOTE(review): the fast pattern is the
# five-byte literal "read:", which is weakly selective; the tight within:5 / within:10 chain
# to "," and "c:\\" does the real filtering, so expect fast-pattern hits to be common and
# full-rule evaluations cheap.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge local file read information leak attempt"; flow:to_server,established; file_data; content:"read:"; fast_pattern; content:"|2C|"; within:5; content:"c:|5C 5C|"; within:10; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41953; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge local file read information leak attempt"; flow:to_client,established; file_data; content:"read:"; fast_pattern; content:"|2C|"; within:5; content:"c:|5C 5C|"; within:10; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41952; rev:2;)
|
|
# CVE-2017-0067 / CVE-2017-0133 (MS17-007), Edge asm.js/WebAssembly memory corruption.
# NOTE(review): the fast pattern "use asm" is the standard asm.js directive and appears in
# legitimate compiled-to-JS libraries; the "{Math:Math" ... "new ArrayBuffer" (within:500)
# sequence is also the normal asm.js module-linking idiom. Expect benign hits; review before
# relying on the drop action in the balanced policy.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge WebAssembly memory corruption attempt"; flow:to_server,established; file_data; content:"use asm"; fast_pattern:only; content:"{Math:Math"; content:"new ArrayBuffer"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0067; reference:cve,2017-0133; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41951; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge WebAssembly memory corruption attempt"; flow:to_client,established; file_data; content:"use asm"; fast_pattern:only; content:"{Math:Math"; content:"new ArrayBuffer"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0067; reference:cve,2017-0133; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41950; rev:3;)
|
|
# CVE-2017-0140 (MS17-007), Edge fetch() same-origin bypass: disabled by default.
# NOTE(review): "|5C|r|5C|n" is the literal four-character text "\r\n" (backslash, r,
# backslash, n) as it would appear inside a JavaScript string — not a CRLF byte pair. The
# rule therefore matches the escaped source form only, which is intended for script content.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge fetch API same origin policy bypass attempt"; flow:to_server,established; file_data; content:"HTTP/1.1|5C|r|5C|nHost: localhost"; nocase; content:"fetch|28|"; within:100; metadata:service smtp; reference:cve,2017-0140; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-recon; sid:41949; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge fetch API same origin policy bypass attempt"; flow:to_client,established; file_data; content:"HTTP/1.1|5C|r|5C|nHost: localhost"; nocase; content:"fetch|28|"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-0140; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-recon; sid:41948; rev:1;)
|
|
# CVE-2017-0066 (MS17-007), Edge scripting-engine security bypass. Ordered chain
# window.open( -> setTimeout( -> function( -> .frames -> location.replace, with
# fast_pattern on the final literal.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine security bypass css attempt"; flow:to_server,established; file_data; content:"window.open("; content:"setTimeout("; distance:0; content:"function("; within:20; content:".frames"; within:100; content:"location.replace"; within:50; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0066; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41945; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine security bypass css attempt"; flow:to_client,established; file_data; content:"window.open("; content:"setTimeout("; distance:0; content:"function("; within:20; content:".frames"; within:100; content:"location.replace"; within:50; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0066; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41944; rev:2;)
|
|
# CVE-2017-0070 (MS17-007), Edge EntrySimpleSlotGetter use-after-free.
# NOTE(review): the pair has drifted — the SMTP rule (sid 41943, rev 2) requires
# ".contentWindow" within:30 of ".call", while the file-data rule (sid 41942, rev 3) allows
# within:50. The file-data rule was revised one step further, so the SMTP rule is presumably
# the stale one; confirm and bump it to within:50 so both paths detect the same content.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge EntrySimpleSlotGetter use after free attempt"; flow:to_server,established; file_data; content:"get"; nocase; content:".call"; within:50; content:".contentWindow"; within:30; content:".constructor.constructor"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0070; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41943; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge EntrySimpleSlotGetter use after free attempt"; flow:to_client,established; file_data; content:"get"; nocase; content:".call"; within:50; content:".contentWindow"; within:50; content:".constructor.constructor"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0070; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41942; rev:3;)
|
|
# CVE-2017-0139 / CVE-2017-0141 (MS17-007), Edge Array.prototype.reverse helper heap
# overflow: a getter defined via Object.defineProperty followed by __proto__ and a
# ".reverse.call" invocation, all in order.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt"; flow:to_server,established; file_data; content:"Object.defineProperty"; content:"get:"; within:25; content:"function"; within:25; content:"__proto__"; distance:0; content:".reverse.call"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0139; reference:cve,2017-0141; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41939; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt"; flow:to_client,established; file_data; content:"Object.defineProperty"; content:"get:"; within:25; content:"function"; within:25; content:"__proto__"; distance:0; content:".reverse.call"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0139; reference:cve,2017-0141; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41938; rev:3;)
|
|
# CVE-2017-0071 (MS17-007), Edge TypedArray setter arbitrary write: two arrow-function
# valueOf hooks ("valueOf: () =>", |28 29| is "()") plus DataView.prototype.getUint32.
# The exact spacing "valueOf: () =>" is required; a minified "valueOf:()=>" will not match.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge TypedArray setter arbitrary write attempt"; flow:to_server,established; file_data; content:"valueOf: |28 29| =>"; content:"valueOf: |28 29| =>"; distance:0; content:"DataView.prototype.getUint32"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0071; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41937; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge TypedArray setter arbitrary write attempt"; flow:to_client,established; file_data; content:"valueOf: |28 29| =>"; content:"valueOf: |28 29| =>"; distance:0; content:"DataView.prototype.getUint32"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0071; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-007; classtype:attempted-user; sid:41936; rev:2;)
|
|
# CVE-2016-7240 (MS16-129), Edge Proxy object type confusion: disabled by default.
# NOTE(review): the pair's policy metadata does not match — the SMTP rule (sid 42041) lists
# "policy max-detect-ips drop, policy security-ips drop" while the file-data rule (sid 42040)
# lists only "policy max-detect-ips drop". If enabled, the two directions would behave
# differently under the security-ips policy; confirm which is intended and align them.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge proxy object type confusion attempt"; flow:to_server,established; file_data; content:"eval"; content:"Proxy("; within:80; content:"{})"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:42041; rev:4;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge proxy object type confusion attempt"; flow:to_client,established; file_data; content:"eval"; content:"Proxy("; within:80; content:"{})"; within:20; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:42040; rev:4;)
|
|
# CVE-2015-1747 (MS15-056), IE DataView use-after-free: eight disabled rules, one per
# accessor prefix (setFloat / getFloat / getUint / setUint) in each direction. Apart from the
# fast-pattern prefix all eight share the same unordered DataView / valueOf literals and a
# postMessage within:150. Note the sids are not strictly paired by adjacency in the file
# (42035/42034 are both SMTP, 42033/42032 both file-data).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt"; flow:to_server,established; file_data; content:"setFloat"; fast_pattern:only; content:"DataView"; content:"valueOf"; content:"postMessage"; within:150; metadata:service smtp; reference:cve,2015-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:42039; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt"; flow:to_client,established; file_data; content:"setFloat"; fast_pattern:only; content:"DataView"; content:"valueOf"; content:"postMessage"; within:150; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:42038; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt"; flow:to_server,established; file_data; content:"getFloat"; fast_pattern:only; content:"DataView"; content:"valueOf"; content:"postMessage"; within:150; metadata:service smtp; reference:cve,2015-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:42037; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt"; flow:to_client,established; file_data; content:"getFloat"; fast_pattern:only; content:"DataView"; content:"valueOf"; content:"postMessage"; within:150; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:42036; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt"; flow:to_server,established; file_data; content:"getUint"; fast_pattern:only; content:"DataView"; content:"valueOf"; content:"postMessage"; within:150; metadata:service smtp; reference:cve,2015-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:42035; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt"; flow:to_server,established; file_data; content:"setUint"; fast_pattern:only; content:"DataView"; content:"valueOf"; content:"postMessage"; within:150; metadata:service smtp; reference:cve,2015-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:42034; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt"; flow:to_client,established; file_data; content:"setUint"; fast_pattern:only; content:"DataView"; content:"valueOf"; content:"postMessage"; within:150; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:42033; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt"; flow:to_client,established; file_data; content:"getUint"; fast_pattern:only; content:"DataView"; content:"valueOf"; content:"postMessage"; within:150; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1747; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:42032; rev:2;)
|
|
# CVE-2016-7288 (MS16-145), IE Typed Array use-after-free via postMessage + sort: disabled
# by default (drop only in max-detect-ips). The pcre uses named groups and back-references to
# tie the typed-array variable to the buffer passed to postMessage and later sorted.
# NOTE(review): three ".*?" spans under /s let the expression scan the whole file_data buffer
# after the cheap content pre-filters pass; acceptable for a disabled rule, but measure
# before enabling on high-volume links.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_server,established; file_data; content:"postMessage("; fast_pattern:only; content:"ArrayBuffer("; content:".sort"; pcre:"/(?P<typedArrayName>\w+)\s*=\s*new\s*(U?[Ii]nt|Float)(64|32|16|8)Array\s*\x28\s*[\x22\x27]?(?P<arrayBufferName>\w+).*?postMessage\s*\x28.*?(?P=arrayBufferName).*?(?P=typedArrayName)\s*\.\s*sort/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-7288; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-145; classtype:attempted-user; sid:42118; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_client,established; file_data; content:"postMessage("; fast_pattern:only; content:"ArrayBuffer("; content:".sort"; pcre:"/(?P<typedArrayName>\w+)\s*=\s*new\s*(U?[Ii]nt|Float)(64|32|16|8)Array\s*\x28\s*[\x22\x27]?(?P<arrayBufferName>\w+).*?postMessage\s*\x28.*?(?P=arrayBufferName).*?(?P=typedArrayName)\s*\.\s*sort/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7288; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-145; classtype:attempted-user; sid:42117; rev:3;)
|
|
# CVE-2017-0200, Edge SVG xlink type confusion. The match is one exact SVG fragment
# including a CRLF (|0D 0A|) between the <g> and <use> elements and the id "i5"; any other
# id, whitespace or line ending will not match. High precision, low coverage.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt"; flow:to_server,established; file_data; content:"<g id=|22|i5|22|></g>|0D 0A|<use xlink|3A|href=|22|#i5|22|></use>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0200; classtype:attempted-user; sid:42211; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt"; flow:to_client,established; file_data; content:"<g id=|22|i5|22|></g>|0D 0A|<use xlink|3A|href=|22|#i5|22|></use>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0200; classtype:attempted-user; sid:42210; rev:3;)
|
|
# CVE-2017-0210, IE htmlFile ActiveX universal XSS. Long ordered chain: two separate
# "new ... htmlFile" instantiations, a document.open() between them, and a final
# "parentWindow.setTimeout(" carrying the fast_pattern. Requires all pieces in this order.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer htmlFile ActiveX control universal XSS attempt"; flow:to_server,established; file_data; content:"<iframe"; content:".ActiveXObject"; distance:0; content:"new "; within:500; content:"htmlFile"; within:100; content:".setTimeout("; within:100; content:"document.open()"; distance:0; content:"new "; within:500; content:"htmlFile"; within:100; content:"parentWindow.setTimeout("; within:500; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0210; classtype:attempted-user; sid:42205; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer htmlFile ActiveX control universal XSS attempt"; flow:to_client,established; file_data; content:"<iframe"; content:".ActiveXObject"; distance:0; content:"new "; within:500; content:"htmlFile"; within:100; content:".setTimeout("; within:100; content:"document.open()"; distance:0; content:"new "; within:500; content:"htmlFile"; within:100; content:"parentWindow.setTimeout("; within:500; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0210; classtype:attempted-user; sid:42204; rev:2;)
|
|
# CVE-2016-0108 (MS16-023), IE CTreePos type confusion. The literals are the URL-encoded
# form of the CSS (%2A%3A%3Abefore is "*::before", %28 is "("), so only percent-encoded
# content matches. NOTE(review): only the SMTP variant (sid 42201) appears in this section;
# the file-data counterpart, if one exists, is elsewhere in the file.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt"; flow:to_server,established; file_data; content:"%2A%3A%3Abefore"; fast_pattern; content:"position%3A|20|fixed"; within:50; content:"counter%28"; within:50; content:"url%28"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:42201; rev:1;)
|
|
# CVE-2017-0205, Edge format-rendering type confusion: a single literal CSS fragment with
# an embedded CRLF and a leading space before "content" — exact whitespace is required.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge format rendering type confusion attempt"; flow:to_server,established; file_data; content:"#x|3A|after{|0D 0A| content|3A| counter|28|counter"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0205; classtype:attempted-user; sid:42184; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge format rendering type confusion attempt"; flow:to_client,established; file_data; content:"#x|3A|after{|0D 0A| content|3A| counter|28|counter"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0205; classtype:attempted-user; sid:42183; rev:2;)
|
|
# CVE-2016-7195 (MS16-128 / MS16-129), IE classid remote code execution: disabled by default.
# NOTE(review): the SMTP rule header is inverted relative to every other SMTP rule in this
# section — it reads "$SMTP_SERVERS any -> $HOME_NET 25" instead of
# "$EXTERNAL_NET any -> $SMTP_SERVERS 25". With flow:to_server this would only ever inspect
# mail sent *from* a mail server to port 25 on $HOME_NET, which is almost certainly not the
# intent. Fix the header (and bump rev) before enabling, or it will never fire on inbound
# mail. The file-data variant (sid 42169) has the normal header.
# alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt"; flow:to_server, established; file_data; content:"setAttribute("; nocase; content:"classid"; within:100; fast_pattern; pcre:"/setAttribute\x28[^\x29]*?classid[^\x29]*?[\x22\x27](\x5cx(((0[0-8bcef])|(1[0-8a-f])|(7f)))|(\x5cu\x7b{0,1}\d+?\x7d{0,1}))/i"; metadata:service smtp; reference:cve,2016-7195; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-128; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; classtype:attempted-admin; sid:42170; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt"; flow:to_client, established; file_data; content:"setAttribute("; nocase; content:"classid"; within:100; fast_pattern; pcre:"/setAttribute\x28[^\x29]*?classid[^\x29]*?[\x22\x27](\x5cx(((0[0-8bcef])|(1[0-8a-f])|(7f)))|(\x5cu\x7b{0,1}\d+?\x7d{0,1}))/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-7195; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-128; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-129; classtype:attempted-admin; sid:42169; rev:2;)
|
|
# CVE-2017-0202, IE type confusion: the fast_pattern sits on "<marquee", which is rare in
# modern markup; the preceding .fgColor / <details> / <summary> / transform / scale chain
# and the trailing bgcolor within:50 narrow it further.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer type confusion vulnerability attempt"; flow:to_server,established; file_data; content:".fgColor"; content:"<details"; content:"<summary"; within:200; content:"style"; within:50; content:"transform"; within:50; content:"scale"; within:50; content:"<marquee"; fast_pattern; content:"bgcolor"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0202; classtype:attempted-user; sid:42166; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer type confusion vulnerability attempt"; flow:to_client,established; file_data; content:".fgColor"; content:"<details"; content:"<summary"; within:200; content:"style"; within:50; content:"transform"; within:50; content:"scale"; within:50; content:"<marquee"; fast_pattern; content:"bgcolor"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0202; classtype:attempted-user; sid:42165; rev:2;)
|
|
# CVE-2017-0158, IE recordset use-after-free (VBScript). fast_pattern:only on
# "DefaultGetter"; the remaining literals are nocase and ordered from getElementById
# through recordset / MoveFirst / AddNew with tightening within windows.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer recordset use after free attempt"; flow:to_server,established; file_data; content:"DefaultGetter"; fast_pattern:only; content:"vbscript"; nocase; content:"getElementById"; distance:0; nocase; content:"recordset"; within:50; nocase; content:"MoveFirst"; within:75; nocase; content:"AddNew"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0158; classtype:attempted-user; sid:42157; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer recordset use after free attempt"; flow:to_client,established; file_data; content:"DefaultGetter"; fast_pattern:only; content:"vbscript"; nocase; content:"getElementById"; distance:0; nocase; content:"recordset"; within:50; nocase; content:"MoveFirst"; within:75; nocase; content:"AddNew"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0158; classtype:attempted-user; sid:42156; rev:2;)
|
|
# CVE-2017-0201, Edge JavaScript string object type confusion. The single literal is a
# Chakra-internal function signature text (StringifyMemberObject(propertyName, id, value,
# result, indentString)); presumably taken from a proof-of-concept that embeds it — exact
# argument names and spacing are required for a match.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge JavaScript string object type confusion attempt"; flow:to_server,established; file_data; content:"StringifyMemberObject|28|propertyName, id, value, result, indentString"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0201; classtype:attempted-user; sid:42153; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge JavaScript string object type confusion attempt"; flow:to_client,established; file_data; content:"StringifyMemberObject|28|propertyName, id, value, result, indentString"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0201; classtype:attempted-user; sid:42152; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer uninitialized or deleted object access attempt"; flow:to_server,established; file_data; content:"createEventObject"; fast_pattern:only; pcre:"/(\w+)\s*\x3D\s*\w+\x2EcreateEventObject.*\1\x2E(Type|PropertyName|Qualifier|SrcUrn|origin).*\x2EcreateEventObject\s*\x28\s*\1\s*\x29/smi"; metadata:service smtp; reference:cve,2009-2530; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:misc-activity; sid:42389; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer IE8 mode menu tag out-of-bounds access attempt"; flow:to_server,established; file_data; content:".execCommand"; nocase; content:"SelectAll"; within:50; nocase; content:".execCommand"; within:200; nocase; content:"AutoDetect"; within:50; fast_pattern; content:"://"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1752; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:42417; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer IE11 memory corruption attempt"; flow:to_client,established; file_data; content:".execCommand"; nocase; content:"SelectAll"; within:50; nocase; content:".execCommand"; within:200; nocase; content:"AutoDetect"; within:50; fast_pattern; content:"://"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1752; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-056; classtype:attempted-user; sid:42416; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_server,established; file_data; content:"DOMParser"; fast_pattern:only; content:"createCDATASection"; nocase; content:"|2E|cloneNode"; nocase; content:"adoptNode"; distance:0; nocase; content:"CollectGarbage()"; nocase; metadata:service smtp; reference:cve,2013-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:42450; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_server,established; file_data; content:"createDocument"; nocase; content:"adoptNode"; within:100; nocase; content:"CollectGarbage"; nocase; content:"cloneNode"; content:".write"; nocase; content:"delete"; nocase; content:"CollectGarbage"; within:100; nocase; metadata:service smtp; reference:cve,2013-0020; classtype:attempted-user; sid:42449; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"createDocument"; nocase; content:"adoptNode"; within:100; nocase; content:"CollectGarbage"; nocase; content:"cloneNode"; content:".write"; nocase; content:"delete"; nocase; content:"CollectGarbage"; within:100; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-0020; classtype:attempted-user; sid:42448; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra Engine use-after-free attempt"; flow:to_client,established; file_data; content:".reverse"; nocase; content:".splice"; within:100; nocase; pcre:"/\.splice\s*?\x28.*?,/i"; byte_test:10, >=, 55000, 0, string, relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0228; classtype:attempted-user; sid:42812; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra Engine use-after-free attempt"; flow:to_server,established; file_data; content:".reverse"; nocase; content:".splice"; within:100; nocase; pcre:"/\.splice\s*?\x28.*?,/i"; byte_test:10, >=, 55000, 0, string, relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0228; classtype:attempted-user; sid:42811; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge out of bounds read attempt"; flow:to_server,established; file_data; content:"execCommand"; content:"insertHorizontalRule"; within:100; content:"execCommand"; content:"insertOrderedList"; within:100; content:"parentNode"; content:"parentNode"; within:50; content:"replaceChild"; within:50; content:"parentNode"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0221; classtype:attempted-admin; sid:42799; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge out of bounds read attempt"; flow:to_client,established; file_data; content:"execCommand"; content:"insertHorizontalRule"; within:100; content:"execCommand"; content:"insertOrderedList"; within:100; content:"parentNode"; content:"parentNode"; within:50; content:"replaceChild"; within:50; content:"parentNode"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0221; classtype:attempted-admin; sid:42798; rev:2;)
# NOTE(review): destination is "$HOME_NET 25" while the other to_server/SMTP rules in this
# section use "$SMTP_SERVERS 25"; this rule therefore inspects port-25 traffic to any
# internal host, not only configured mail servers. Confirm the wider scope is intended
# (same pattern in sid:43493).
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BROWSER-IE Microsoft Windows Edge AudioContext use after free attempt"; flow:to_server,established; file_data; content:"AudioContext"; fast_pattern:only; nocase; content:"CollectGarbage"; nocase; content:"CreateBuffer"; distance:0; nocase; content:"valueOf"; within:300; nocase; content:"function"; within:30; nocase; content:"copyFromChannel"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0240; classtype:attempted-user; sid:42782; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows Edge AudioContext use after free attempt"; flow:to_client,established; file_data; content:"AudioContext"; fast_pattern:only; nocase; content:"CollectGarbage"; nocase; content:"CreateBuffer"; distance:0; nocase; content:"valueOf"; within:300; nocase; content:"function"; within:30; nocase; content:"copyFromChannel"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0240; classtype:attempted-user; sid:42781; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge CSS writing mode type confusion attempt"; flow:to_server,established; file_data; content:"-ms-text-combine-horizontal"; fast_pattern:only; content:"getClientRects"; content:"transition-duration"; content:"textContent"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0227; classtype:attempted-user; sid:42780; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge CSS writing mode type confusion attempt"; flow:to_client,established; file_data; content:"-ms-text-combine-horizontal"; fast_pattern:only; content:"getClientRects"; content:"transition-duration"; content:"textContent"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0227; classtype:attempted-user; sid:42779; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine security bypass css attempt"; flow:to_server,established; file_data; content:"window.chrome"; content:"navigator.msLaunchUri"; within:31; fast_pattern; content:"escape("; distance:0; content:"url"; within:13; content:"location"; distance:0; content:"url"; within:13; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; classtype:attempted-user; sid:42778; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine security bypass css attempt"; flow:to_client,established; file_data; content:"window.chrome"; content:"navigator.msLaunchUri"; within:31; fast_pattern; content:"escape("; distance:0; content:"url"; within:13; content:"location"; distance:0; content:"url"; within:13; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-006; classtype:attempted-user; sid:42777; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra JIT memory corruption attempt"; flow:to_server,established; file_data; content:"arr_arr_arr[0x909090/2] = 0x03EB|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0234; classtype:attempted-user; sid:42776; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra JIT memory corruption attempt"; flow:to_client,established; file_data; content:"arr_arr_arr[0x909090/2] = 0x03EB|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0234; classtype:attempted-user; sid:42775; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra array unshift heap overflow attempt"; flow:to_server,established; file_data; content:".unshift.apply("; content:".slice("; within:25; content:"0x"; within:10; nocase; content:".unshift.apply("; within:50; content:".slice("; content:"0x"; within:10; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0238; classtype:attempted-user; sid:42762; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra array unshift heap overflow attempt"; flow:to_client,established; file_data; content:".unshift.apply("; content:".slice("; within:25; content:"0x"; within:10; nocase; content:".unshift.apply("; within:50; content:".slice("; content:"0x"; within:10; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0238; classtype:attempted-user; sid:42761; rev:2;)
# NOTE(review): this SMTP variant and its client-side pair sid:42753 are both rev:3 but their
# content options differ: here "DataView", "ArrayBuffer" and "setUint32.call(" are matched
# without the trailing "(" / leading "." present in sid:42753, so the two rules do not match
# the same payloads. Confirm which pattern set is intended and keep the pair in sync.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra Core type confusion attempt"; flow:to_server,established; file_data; content:"new"; content:"DataView"; within:20; content:"new"; within:10; content:"ArrayBuffer"; within:20; content:"setUint32.call("; distance:0; content:"setUint32.call("; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0266; reference:cve,2017-8605; classtype:attempted-user; sid:42754; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra Core type confusion attempt"; flow:to_client,established; file_data; content:"new"; content:"DataView("; within:20; content:"new"; within:10; content:"ArrayBuffer("; within:20; content:".setUint32.call("; distance:0; content:".setUint32.call("; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0266; reference:cve,2017-8605; classtype:attempted-user; sid:42753; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt"; flow:to_server,established; file_data; content:" ArrayBuffer("; content:" Array("; content:" Worker("; content:".postMessage("; within:200; fast_pattern; content:".terminate()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0236; reference:cve,2017-11889; reference:cve,2017-8753; reference:cve,2018-0872; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11889; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0872; classtype:attempted-user; sid:42750; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt"; flow:to_client,established; file_data; content:" ArrayBuffer("; content:" Array("; content:" Worker("; content:".postMessage("; within:200; fast_pattern; content:".terminate()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0236; reference:cve,2017-11889; reference:cve,2017-8753; reference:cve,2018-0872; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11889; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0872; classtype:attempted-user; sid:42749; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt"; flow:to_server,established; file_data; content:"Shell.Explorer.2"; fast_pattern:only; content:".remove"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:43759; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt"; flow:to_client,established; file_data; content:"Shell.Explorer.2"; fast_pattern:only; content:".remove"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:43758; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 CMarkup GetMarkupTitle use-after-free attempt"; flow:to_server,established; file_data; content:"removeNode"; nocase; content:"applyElement"; nocase; content:"createRange"; within:150; nocase; content:"insertNode"; within:70; nocase; pcre:"/var\s(?P<uaf_func>\w+)[^>]*?(?P=uaf_func)[^>]*?(?P=uaf_func)/i"; metadata:service smtp; reference:cve,2014-4130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:43665; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 CMarkup GetMarkupTitle use-after-free attempt"; flow:to_client,established; file_data; content:"removeNode"; nocase; content:"applyElement"; nocase; content:"createRange"; within:150; nocase; content:"insertNode"; within:70; nocase; pcre:"/var\s(?P<uaf_func>\w+)[^>]*?(?P=uaf_func)[^>]*?(?P=uaf_func)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-056; classtype:attempted-user; sid:43664; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt"; flow:to_server,established; file_data; content:"Array.prototype.reverse.call|28|"; fast_pattern; content:".reverse|28 29 3B|"; within:200; distance:-100; nocase; content:"Array.prototype.sort.call|28|"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-7202; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:43659; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt"; flow:to_server,established; file_data; content:".__proto__"; content:".reverse.call|28|"; within:100; fast_pattern; content:".push|28|"; within:100; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-7202; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:43658; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt"; flow:to_client,established; file_data; content:"Array.prototype.reverse.call|28|"; fast_pattern; content:".reverse|28 29 3B|"; within:200; distance:-100; nocase; content:"Array.prototype.sort.call|28|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7202; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:43657; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt"; flow:to_client,established; file_data; content:".__proto__"; content:".reverse.call|28|"; within:100; fast_pattern; content:".push|28|"; within:100; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7202; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:43656; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CDocument use after free attempt"; flow:to_server,established; file_data; content:"CollectGarbage()"; fast_pattern:only; content:".createElement"; nocase; content:".createElement"; within:150; nocase; content:".createAttribute"; nocase; content:".setAttributeNode"; within:200; nocase; metadata:service smtp; reference:cve,2013-3114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:43648; rev:1;)
# NOTE(review): the trailing "//" check uses within:100 here but within:512 in the paired
# client-side rule sid:43635; both are rev:1. The narrower window on this rule will miss
# payloads the client-side rule catches — confirm which window is intended.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt"; flow:to_server,established; file_data; content:"Content-Type"; content:"charset=euc-jp"; within:64; nocase; isdataat:4094; content:"|8F|"; depth:1; offset:4094; content:"//"; within:100; metadata:service smtp; reference:cve,2013-3192; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-059; classtype:attempted-user; sid:43636; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt"; flow:to_client,established; file_data; content:"Content-Type"; content:"charset=euc-jp"; within:64; nocase; isdataat:4094; content:"|8F|"; depth:1; offset:4094; content:"//"; within:512; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3192; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-059; classtype:attempted-user; sid:43635; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer GDI VML gradient size heap overflow attempt"; flow:to_client,established; file_data; content:"url(#default#VML)"; fast_pattern; content:":rect"; within:200; nocase; content:":fill"; within:200; nocase; content:"gradient"; within:100; nocase; content:".fill.focussize"; distance:0; nocase; pcre:"/var\s+(?<var>\w+)\s*=\s*\x22[\d\s\x2c\x2e]*[\x2d]+[\d\s\x2c\x2d\x2e]*\x22.*?\x2efill\x2efocussize\s*=\s*[\w\s\x2b]+(?P=var)/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5348; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-052; classtype:attempted-user; sid:43622; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt"; flow:to_server,established; file_data; content:"id="; content:"data-"; within:50; content:".__proto__ = "; distance:0; content:"datas"; distance:0; pcre:"/\x2e__proto__\x20=\x20.+?(\x2edataset|\x5b\s*\x22datas\x22\x20\x2b\x20\x22et\x22\x5d)\x3b/si"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-6347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:43599; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt"; flow:to_client,established; file_data; content:"id="; content:"data-"; within:50; content:".__proto__ = "; distance:0; content:"datas"; distance:0; pcre:"/\x2e__proto__\x20=\x20.+?(\x2edataset|\x5b\s*\x22datas\x22\x20\x2b\x20\x22et\x22\x5d)\x3b/si"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:43598; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer type confusion attempt"; flow:to_server,established; file_data; content:"type=|22|text|2F|vbscript|22|"; fast_pattern:only; content:"Public Default Property Get"; pcre:"/Set\s+(?P<class>[a-z0-9]+)\s+\x3D\s+New\s+[a-z0-9].*?on(mouse(move|up|down|over|out)|click)\s*\x3D\s*\x22\s*(?P=class)\x28\x29/smi"; metadata:service smtp; reference:cve,2014-0271; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-006; classtype:attempted-user; sid:43580; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer type confusion attempt"; flow:to_client,established; file_data; content:"type=|22|text|2F|vbscript|22|"; fast_pattern:only; content:"Public Default Property Get"; pcre:"/Set\s+(?P<class>[a-z0-9]+)\s+\x3D\s+New\s+[a-z0-9].*?on(mouse(move|up|down|over|out)|click)\s*\x3D\s*\x22\s*(?P=class)\x28\x29/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0271; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-006; classtype:attempted-user; sid:43579; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client,established; file_data; content:"<html>|20 20|<fieldset>|20 20 20 20|<h4>|0D 0A|<pre><td>|0D 0A|<menu>|0D 0A|<legend>|0D 0A|<a>|0D 0A|<u"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-1188; classtype:attempted-user; sid:43551; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client,established; file_data; content:"<bdo>|0D 0A|<|2F|span>|0D 0A|<pre>|0D 0A 0D 0A|<param>|0D 0A|<form>|0D 0A|<colgroup>|0D 0A|<small>|0D 0A 0D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-1188; classtype:attempted-user; sid:43550; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 type confusion vulnerability attempt"; flow:to_server,established; file_data; content:"<svg"; content:"<use"; within:100; content:"<feComposite"; within:150; content:"<foreignObject"; content:"xmlns"; within:100; content:"<output"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8594; classtype:attempted-user; sid:43522; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 type confusion vulnerability attempt"; flow:to_client,established; file_data; content:"<svg"; content:"<use"; within:100; content:"<feComposite"; within:150; content:"<foreignObject"; content:"xmlns"; within:100; content:"<output"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8594; classtype:attempted-user; sid:43521; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer cross-domain violation via cached object attempt"; flow:to_client,established; file_data; content:"script"; nocase; content:"open|28|"; within:100; nocase; content:".location.href"; within:200; nocase; content:"setTimeout|28|function |28 29| {"; within:100; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2002-1254; classtype:attempted-user; sid:43515; rev:1;)
# NOTE(review): msg names an Internet Explorer EPM file-access bypass, but the references
# point at an Adobe Flash Player bulletin (CVE-2017-3080 / APSB17-21) and the match is a
# fixed byte sequence rather than script content. Verify the msg/reference pairing before
# tuning or triaging on this rule (same on sid:43497).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer EPM brokercreatefile file access bypass attempt"; flow:to_server,established; file_data; content:"|55 8B EC 56 8B 75 0C 57 8B FA 85 F6 75 06 5F 33 C0 5E 5D C3 85 C9 75 19 E8 8B 41 00 00 C7 00 16|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3080; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-21.html; classtype:policy-violation; sid:43498; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer EPM brokercreatefile file access bypass attempt"; flow:to_client,established; file_data; content:"|55 8B EC 56 8B 75 0C 57 8B FA 85 F6 75 06 5F 33 C0 5E 5D C3 85 C9 75 19 E8 8B 41 00 00 C7 00 16|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3080; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-21.html; classtype:policy-violation; sid:43497; rev:2;)
# NOTE(review): destination is "$HOME_NET 25" rather than the "$SMTP_SERVERS 25" used by the
# surrounding to_server/SMTP rules, so it applies to port-25 traffic to any internal host;
# confirm the wider scope is intended. The msg also lacks the " attempt" suffix the
# neighbouring rules carry, which matters for dashboards keyed on message text.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BROWSER-IE Microsoft Windows Edge array out of bounds write"; flow:to_server,established; file_data; content:"Float64Array"; fast_pattern:only; content:"push"; nocase; content:"ArrayBuffer"; within:50; nocase; content:"Math.floor"; within:300; nocase; content:"slice"; distance:0; nocase; content:"length"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8619; classtype:attempted-user; sid:43493; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows Edge array out of bounds write"; flow:to_client,established; file_data; content:"Float64Array"; fast_pattern:only; content:"push"; nocase; content:"ArrayBuffer"; within:50; nocase; content:"Math.floor"; within:300; nocase; content:"slice"; distance:0; nocase; content:"length"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8619; classtype:attempted-user; sid:43492; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge VBScript VarType out of bounds read attempt"; flow:to_server,established; file_data; content:"text/vbscript"; content:"Public Default Property Get "; fast_pattern:only; content:"= CLng|28|"; content:"VarType|28|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8618; classtype:attempted-user; sid:43472; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge VBScript VarType out of bounds read attempt"; flow:to_client,established; file_data; content:"text/vbscript"; content:"Public Default Property Get "; fast_pattern:only; content:"= CLng|28|"; content:"VarType|28|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8618; classtype:attempted-user; sid:43471; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge uninitialized memory attempt"; flow:to_server,established; file_data; content:"class"; content:"extends"; within:10; content:"Object"; within:10; content:"constructor"; within:25; content:"super"; within:30; content:"null"; within:10; content:"=>"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8598; classtype:attempted-user; sid:43470; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge uninitialized memory attempt"; flow:to_client,established; file_data; content:"class"; content:"extends"; within:10; content:"Object"; within:10; content:"constructor"; within:25; content:"super"; within:30; content:"null"; within:10; content:"=>"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8598; classtype:attempted-user; sid:43469; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_server,established; file_data; content:"Uint8ClampedArray("; content:"Float64Array("; content:"DataView.prototype.setUint32"; fast_pattern:only; content:"DataView.prototype.getUint32"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8601; classtype:attempted-admin; sid:43466; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_client,established; file_data; content:"Uint8ClampedArray("; content:"Float64Array("; content:"DataView.prototype.setUint32"; fast_pattern:only; content:"DataView.prototype.getUint32"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8601; classtype:attempted-admin; sid:43465; rev:2;)
# NOTE(review): sids 43460-43463 are the only rules in this section without file_data, so
# their content matches run against the raw payload instead of the normalized/decoded file
# buffer; encoded or chunked bodies may not match the way the file_data rules do. Confirm
# this is deliberate before enabling them.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge use-after-free attempt"; flow:to_server,established; content:"iframe"; nocase; content:".contentDocument."; distance:0; nocase; content:".insertAdjacentElement("; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8617; classtype:attempted-user; sid:43463; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge use-after-free attempt"; flow:to_server,established; content:".contentDocument."; nocase; content:".insertAdjacentElement("; distance:0; nocase; content:"iframe"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8617; classtype:attempted-user; sid:43462; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge use-after-free attempt"; flow:to_client,established; content:"iframe"; nocase; content:".contentDocument."; distance:0; nocase; content:".insertAdjacentElement("; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8617; classtype:attempted-user; sid:43461; rev:2;)
# sid:43460 (disabled): client-direction twin of sid:43462 (iframe-last ordering); no file_data.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge use-after-free attempt"; flow:to_client,established; content:".contentDocument."; nocase; content:".insertAdjacentElement("; distance:0; nocase; content:"iframe"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8617; classtype:attempted-user; sid:43460; rev:2;)
# sid:43398 (disabled): CVE-2007-3903 / BID 26816 IE clone-object corruption. Chain: document.createElement, .attributes[ (fast pattern), CollectGarbage(, .cloneNode(, each within:100 of the previous. Only the SMTP variant is in this chunk.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer clone object memory corruption attempt"; flow:to_server,established; file_data; content:"document.createElement"; nocase; content:".attributes["; within:100; fast_pattern; content:"CollectGarbage("; within:100; content:".cloneNode("; within:100; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26816; reference:cve,2007-3903; classtype:attempted-user; sid:43398; rev:1;)
# sid:43358 (disabled): CVE-2007-0945 / BID 23769. Keys on the literal ".cols=0x41414141;" which looks PoC-specific, so coverage is presumably limited to that sample; confirm before re-enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSS property method handling memory corruption attempt"; flow:to_server,established; file_data; content:".cols=0x41414141|3B|"; content:".mergeAttributes("; within:50; content:".src="; within:50; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,23769; reference:cve,2007-0945; classtype:attempted-user; sid:43358; rev:1;)
# sid:43338: CVE-2013-3163 / MS13-055, SMTP direction. NOTE(review): the final ".outerText" content has no nocase here, whereas the client twin sid:43337 applies nocase; if that difference is unintentional the two variants will not match the same samples.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"<t:ANIMATECOLOR"; fast_pattern:only; content:"document.getElement"; nocase; content:"document.getElement"; within:50; nocase; content:".outerText"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:43338; rev:2;)
# sid:43337: client-direction twin of sid:43338. Same chain (<t:ANIMATECOLOR as fast pattern, two document.getElement within:50, .outerText within:50) but with nocase on .outerText.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"<t:ANIMATECOLOR"; fast_pattern:only; content:"document.getElement"; nocase; content:"document.getElement"; within:50; nocase; content:".outerText"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:43337; rev:2;)
# sid:43170: CVE-2017-8497 Edge textContent UAF, SMTP direction. A single fast_pattern:only content on a sample-specific identifier (KMBKBCII...), so detection presumably covers that PoC only.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge textContent use after free attempt"; flow:to_server,established; file_data; content:"KMBKBCII.textContent = unescape(|22|%uf"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8497; classtype:attempted-user; sid:43170; rev:2;)
# sid:43169: client-direction twin of sid:43170; same single literal content.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge textContent use after free attempt"; flow:to_client,established; file_data; content:"KMBKBCII.textContent = unescape(|22|%uf"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8497; classtype:attempted-user; sid:43169; rev:2;)
# sid:43166: CVE-2017-8496 Edge cssText UAF, SMTP direction. Single literal content built around a sample-specific identifier (CBENHJDM), so coverage presumably tracks that PoC.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge cssText use after free attempt"; flow:to_server,established; file_data; content:"CBENHJDM.style.cssText+=|22|clip-path|22 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8496; classtype:attempted-user; sid:43166; rev:2;)
# sid:43165: client-direction twin of sid:43166.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge cssText use after free attempt"; flow:to_client,established; file_data; content:"CBENHJDM.style.cssText+=|22|clip-path|22 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8496; classtype:attempted-user; sid:43165; rev:2;)
# sid:43164: CVE-2017-8524 Edge type confusion, SMTP direction. The pcre ties __defineSetter__, a later "let <prop>" and a defineProperty call to the same named group (?P<prop>). Both .* run under /s over the whole file_data buffer, so evaluation cost on large scripts is worth checking.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge object property type confusion attempt"; flow:to_server,established; file_data; content:"__defineSetter__"; fast_pattern:only; content:"let "; content:".defineProperty"; distance:0; pcre:"/__defineSetter__\s*\x28[\x22\x27](?P<prop>\w+)[\x22\x27].*let\s*(?P=prop).*\.defineProperty\s*\x28[^\x29\x2C]+?\x2C\s*[\x22\x27]\s*(?P=prop)[\x22\x27]\s*\x2C/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8524; classtype:attempted-user; sid:43164; rev:2;)
# sid:43163: client-direction twin of sid:43164; identical content/pcre chain.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge object property type confusion attempt"; flow:to_client,established; file_data; content:"__defineSetter__"; fast_pattern:only; content:"let "; content:".defineProperty"; distance:0; pcre:"/__defineSetter__\s*\x28[\x22\x27](?P<prop>\w+)[\x22\x27].*let\s*(?P=prop).*\.defineProperty\s*\x28[^\x29\x2C]+?\x2C\s*[\x22\x27]\s*(?P=prop)[\x22\x27]\s*\x2C/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8524; classtype:attempted-user; sid:43163; rev:2;)
# sid:43156: CVE-2017-8547 IE memory corruption, SMTP direction. No explicit fast_pattern, so the engine picks one itself. Chain: substring then .length within:50; insertRow then 0x within:10; then alternating CollectGarbage/createElement each within:100 of the previous.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_server,established; file_data; content:"substring"; content:".length"; within:50; content:"insertRow"; content:"0x"; within:10; content:"CollectGarbage"; content:"createElement"; within:100; content:"CollectGarbage"; within:100; content:"createElement"; within:100; content:"CollectGarbage"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8547; classtype:attempted-user; sid:43156; rev:2;)
# sid:43155: client-direction twin of sid:43156; same chain, no explicit fast_pattern.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_client,established; file_data; content:"substring"; content:".length"; within:50; content:"insertRow"; content:"0x"; within:10; content:"CollectGarbage"; content:"createElement"; within:100; content:"CollectGarbage"; within:100; content:"createElement"; within:100; content:"CollectGarbage"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8547; classtype:attempted-user; sid:43155; rev:2;)
# sid:43134 (disabled): CVE-2010-3328 / MS10-071 CStyleSheetRule array corruption. document.styleSheets as fast pattern, .rules.item( then ).style within:40. Only the SMTP variant is in this chunk.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt"; flow:to_server,established; file_data; content:"document.styleSheets"; fast_pattern:only; content:".rules.item|28|"; nocase; content:"|29|.style"; within:40; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43705; reference:cve,2010-3328; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:43134; rev:1;)
# sid:43111 (disabled): CVE-2016-7240 / MS16-129 Edge Proxy type confusion. Proxy( then {}) within:30 then eval within:150 are generic JS tokens, which plausibly explains why the rule is disabled by default.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge proxy object type confusion attempt"; flow:to_server,established; file_data; content:"Proxy("; content:"{})"; within:30; content:"eval"; within:150; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-7240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:43111; rev:2;)
# sid:43110 (disabled): client-direction twin of sid:43111.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge proxy object type confusion attempt"; flow:to_client,established; file_data; content:"Proxy("; content:"{})"; within:30; content:"eval"; within:150; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:43110; rev:2;)
# sid:43072 (disabled): CVE-2015-1686 / CVE-2015-6052 VBScript regexp info disclosure, SMTP. CR variant: |5C 22 0D| is backslash, double quote, carriage return. sid:43071 is the LF variant.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt"; flow:to_server,established; file_data; content:"<script"; nocase; content:"vbscript"; within:30; nocase; content:"|5C 22 0D|"; fast_pattern:only; content:"regexp"; nocase; content:".test"; within:500; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-1686; reference:cve,2015-6052; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-recon; sid:43072; rev:1;)
# sid:43071 (disabled): LF variant (|5C 22 0A|) of sid:43072; otherwise identical.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt"; flow:to_server,established; file_data; content:"<script"; nocase; content:"vbscript"; within:30; nocase; content:"|5C 22 0A|"; fast_pattern:only; content:"regexp"; nocase; content:".test"; within:500; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-1686; reference:cve,2015-6052; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-recon; sid:43071; rev:1;)
# sid:43070 (disabled): client-direction CR variant, twin of sid:43072.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"vbscript"; within:30; nocase; content:"|5C 22 0D|"; fast_pattern:only; content:"regexp"; nocase; content:".test"; within:500; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1686; reference:cve,2015-6052; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-recon; sid:43070; rev:1;)
# sid:43069 (disabled): client-direction LF variant, twin of sid:43071.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"vbscript"; within:30; nocase; content:"|5C 22 0A|"; fast_pattern:only; content:"regexp"; nocase; content:".test"; within:500; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1686; reference:cve,2015-6052; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-106; classtype:attempted-recon; sid:43069; rev:1;)
# sid:43043 (disabled): CVE-2015-2419 / MS15-065 JSON.stringify double free, SMTP. The msg spells "strigify" (sic); it is the alert text, so it is left untouched here.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer JSON strigify double free attempt"; flow:to_server,established; file_data; content:"JSON.stringify"; content:"ArrayBuffer"; within:250; content:"Uint32Array"; within:250; fast_pattern; content:"Array"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-2419; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:43043; rev:1;)
# sid:43042 (disabled): client twin of sid:43043. NOTE(review): the source port list is $HTTP_PORTS, yet metadata declares ftp-data/imap/pop3 and every other client-direction rule in this section uses $FILE_DATA_PORTS; as written the non-HTTP services cannot be reached. Also carries the "strigify" msg typo.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer JSON strigify double free attempt"; flow:to_client,established; file_data; content:"JSON.stringify"; content:"ArrayBuffer"; within:250; content:"Uint32Array"; within:250; fast_pattern; content:"Array"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2419; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-user; sid:43042; rev:1;)
# sid:43833 (disabled): CVE-2014-6351 IE CQuotes UAF, SMTP. Requires X-UA-Compatible followed by IE=9 within:15 (fast pattern). Carries no policy metadata, and classtype is attempted-admin while the other UAF rules in this section use attempted-user.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt"; flow:to_server,established; file_data; content:"table"; nocase; content:"quotes"; within:50; nocase; content:"td"; within:50; nocase; content:"quotes"; within:25; nocase; content:"X-UA-Compatible"; content:"IE=9"; within:15; fast_pattern; metadata:service smtp; reference:cve,2014-6351; classtype:attempted-admin; sid:43833; rev:1;)
# sid:43832 (disabled): client-direction twin of sid:43833; the same classtype/metadata observations apply.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt"; flow:to_client,established; file_data; content:"table"; nocase; content:"quotes"; within:50; nocase; content:"td"; within:50; nocase; content:"quotes"; within:25; nocase; content:"X-UA-Compatible"; content:"IE=9"; within:15; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6351; classtype:attempted-admin; sid:43832; rev:1;)
# sid:43831 (disabled): CVE-2010-0244 / MS10-002 CTableLayout corruption, SMTP. ANIMATEMOTION as fast pattern; document.createElement with .innerHTML within:180; onpropertychange; <table followed by <col within:25.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTableLayout memory corruption attempt"; flow:to_server,established; file_data; content:"ANIMATEMOTION"; fast_pattern:only; content:"document.createElement"; nocase; content:".innerHTML"; within:180; content:"onpropertychange"; nocase; content:"<table"; nocase; content:"<col"; within:25; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,37891; reference:cve,2010-0244; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:43831; rev:3;)
# sid:43830 (disabled): client-direction twin of sid:43831.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTableLayout memory corruption attempt"; flow:to_client,established; file_data; content:"ANIMATEMOTION"; fast_pattern:only; content:"document.createElement"; nocase; content:".innerHTML"; within:180; content:"onpropertychange"; nocase; content:"<table"; nocase; content:"<col"; within:25; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37891; reference:cve,2010-0244; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:43830; rev:3;)
# sid:44081 (disabled): CVE-2007-3826 / MS07-057 onBeforeUnload address-bar spoofing; classtype misc-activity. Only the SMTP variant is in this chunk.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer onBeforeUnload address bar spoofing attempt"; flow:to_server,established; file_data; content:"onbeforeunload="; nocase; content:".document.body."; content:".document.open("; content:"<body"; nocase; content:" onBeforeUnload="; within:25; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24911; reference:cve,2007-3826; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:misc-activity; sid:44081; rev:1;)
# sid:44188 (disabled): CVE-2008-2254 / MS08-045 span frontier parsing. Chain: <span, id= within:25, document.write( within:50, <div>a within:10 (fast pattern), .innerHTML within:100. Only the SMTP variant is in this chunk.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption attempt"; flow:to_server,established; file_data; content:"<span"; nocase; content:"id="; within:25; nocase; content:"document.write("; within:50; content:"<div>a"; within:10; fast_pattern; nocase; content:".innerHTML"; within:100; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-2254; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-045; classtype:attempted-user; sid:44188; rev:2;)
# sid:44185 (disabled): CVE-2002-1186 URL information disclosure, SMTP. The pcre requires "%2f@" inside a quoted href value, which the bare content pair (href= then %2f@ within:100) does not by itself guarantee.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer information disclosure attempt"; flow:to_server,established; file_data; content:"href="; nocase; content:"%2f@"; within:100; fast_pattern; nocase; pcre:"/href=[\x22\x27][^\x22\x27]*?%2f@/i"; metadata:service smtp; reference:cve,2002-1186; classtype:attempted-recon; sid:44185; rev:1;)
# sid:44184 (disabled): client-direction twin of sid:44185.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer information disclosure attempt"; flow:to_client,established; file_data; content:"href="; nocase; content:"%2f@"; within:100; fast_pattern; nocase; pcre:"/href=[\x22\x27][^\x22\x27]*?%2f@/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2002-1186; classtype:attempted-recon; sid:44184; rev:1;)
# sid:44154 (disabled): BID 41990 frameBorder DoS, SMTP. createElement('frame'); (nocase) then frameBorder within:50, and the pcre demands an 8-digit number within 50 bytes of frameBorder. sid:44193 further down is the same rule without the pcre.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt"; flow:to_server,established; file_data; content:"document.createElement('frame')|3B|"; nocase; content:"frameBorder"; within:50; nocase; pcre:"/frameBorder.{0,50}?\d{8}/mi"; metadata:service smtp; reference:bugtraq,41990; classtype:attempted-admin; sid:44154; rev:1;)
# sid:44153 (disabled): client-direction counterpart of sid:44154. Unlike the SMTP variant it matches case-sensitively and keys on " = 'frameBorder';" as fast pattern. sid:44192 further down is the same rule minus the pcre.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt"; flow:to_client,established; file_data; content:"document.createElement('frame')|3B|"; content:" = 'frameBorder'|3B|"; within:50; fast_pattern; pcre:"/frameBorder.{0,50}?\d{8}/mi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,41990; classtype:attempted-admin; sid:44153; rev:1;)
# sid:44149 (disabled): CVE-2007-0811 / BID 22408 malformed loop DoS, SMTP. Exact literal "for(var key in data);" as fast_pattern:only, with no nocase and no whitespace tolerance.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer malformed loop denial of service attempt"; flow:to_server,established; file_data; content:"for|28|var key in data|29 3B|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,22408; reference:cve,2007-0811; classtype:denial-of-service; sid:44149; rev:1;)
# sid:44148 (disabled): client-direction twin of sid:44149.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer malformed loop denial of service attempt"; flow:to_client,established; file_data; content:"for|28|var key in data|29 3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,22408; reference:cve,2007-0811; classtype:denial-of-service; sid:44148; rev:1;)
# sid:44200 (disabled): "print table of links" local-zone XSS, SMTP. WScript.Shell, then Run within:100, then window.print within:100. The only reference is an Ixia strike URL; no CVE is listed.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet print table of links cross site scripting attempt"; flow:to_server,established; file_data; content:"WScript.Shell"; content:"Run"; within:100; content:"window.print"; within:100; metadata:service smtp; reference:url,support.ixiacom.com/strikes/exploits/browser/ie_print_table_of_links_xss_local_zone.xml; classtype:attempted-admin; sid:44200; rev:1;)
# sid:44199 (disabled): client-direction twin of sid:44200.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet print table of links cross site scripting attempt"; flow:to_client,established; file_data; content:"WScript.Shell"; content:"Run"; within:100; content:"window.print"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:url,support.ixiacom.com/strikes/exploits/browser/ie_print_table_of_links_xss_local_zone.xml; classtype:attempted-admin; sid:44199; rev:1;)
# sid:44198 (disabled): CVE-2013-0090 CCaret corruption, SMTP, first variant: document.write and removeChild anywhere, <abbr (fast pattern) then <ruby within:100.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Internet Explorer CCaret memory corruption attempt"; flow:to_server,established; file_data; content:"document.write"; content:"removeChild"; content:"<abbr"; fast_pattern; content:"<ruby"; within:100; metadata:service smtp; reference:cve,2013-0090; classtype:attempted-user; sid:44198; rev:1;)
# sid:44197 (disabled): CVE-2013-0090 CCaret corruption, SMTP, second variant: document.write, <object, <dir within:50 (fast pattern), <object within:50.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Internet Explorer CCaret memory corruption attempt"; flow:to_server,established; file_data; content:"document.write"; content:"<object"; content:"<dir"; within:50; fast_pattern; content:"<object"; within:50; metadata:service smtp; reference:cve,2013-0090; classtype:attempted-user; sid:44197; rev:1;)
# sid:44196 (disabled): client-direction twin of sid:44198 (<abbr/<ruby variant).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Internet Explorer CCaret memory corruption attempt"; flow:to_client,established; file_data; content:"document.write"; content:"removeChild"; content:"<abbr"; fast_pattern; content:"<ruby"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-0090; classtype:attempted-user; sid:44196; rev:1;)
# sid:44195 (disabled): client-direction twin of sid:44197 (<object/<dir variant).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Internet Explorer CCaret memory corruption attempt"; flow:to_client,established; file_data; content:"document.write"; content:"<object"; content:"<dir"; within:50; fast_pattern; content:"<object"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-0090; classtype:attempted-user; sid:44195; rev:1;)
# sid:44193 (disabled): same content chain as sid:44154 but without the \d{8} pcre, so it is the broader of the two; enabling both would produce two alerts for the same sample.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt"; flow:to_server,established; file_data; content:"document.createElement('frame')|3B|"; nocase; content:"frameBorder"; within:50; nocase; metadata:service smtp; reference:bugtraq,41990; classtype:attempted-admin; sid:44193; rev:1;)
# sid:44192 (disabled): same as sid:44153 without the pcre; the broader variant, see the note on sid:44193.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt"; flow:to_client,established; file_data; content:"document.createElement('frame')|3B|"; content:" = 'frameBorder'|3B|"; within:50; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,41990; classtype:attempted-admin; sid:44192; rev:1;)
# sid:44284 (disabled): CVE-2006-0003 / MS06-014 MDAC RDS.DataSpace clsid, SMTP. The CLSID (BD96C556-65A3-11D0-983A-00C04FC29E36 when the fragments are concatenated) is split into pieces joined by within:10/within:15, presumably to tolerate separators or encoding between them; confirm the intent before tightening.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"BD96"; nocase; content:"C556"; within:10; nocase; content:"-65A3-"; within:15; nocase; content:"11D0-983A"; within:15; nocase; content:"-00C04FC2"; within:15; nocase; content:"9E36"; within:10; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-014; classtype:attempted-user; sid:44284; rev:2;)
# sid:44283 (disabled): client-direction twin of sid:44284 (fragmented CLSID).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"BD96"; nocase; content:"C556"; within:10; nocase; content:"-65A3-"; within:15; nocase; content:"11D0-983A"; within:15; nocase; content:"-00C04FC2"; within:15; nocase; content:"9E36"; within:10; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-014; classtype:attempted-user; sid:44283; rev:2;)
# sid:44282 (disabled): CVE-2006-0003 / MS06-014, SMTP. ProgID form "RDS.DataSpace.2.81" as fast_pattern:only; complements the CLSID form in sid:44284.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt"; flow:to_server,established; file_data; content:"RDS.DataSpace.2.81"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-014; classtype:attempted-user; sid:44282; rev:2;)
# sid:44281 (disabled): client-direction twin of sid:44282.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"RDS.DataSpace.2.81"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-014; classtype:attempted-user; sid:44281; rev:2;)
# sid:44357: CVE-2017-8747 IE CSS padding memory corruption, SMTP. unicode-bidi as fast pattern; the pcre requires a 4-digit value for padding-{left,right,bottom,top}.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CSS padding property memory corruption attempt"; flow:to_server,established; file_data; content:"letter-spacing"; nocase; content:"unicode-bidi"; fast_pattern:only; content:"padding-"; nocase; content:"position"; nocase; pcre:"/padding-(left|right|bottom|top)\x3A\s*?\d{4}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8747; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8747; classtype:attempted-user; sid:44357; rev:2;)
# sid:44356: client-direction twin of sid:44357.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CSS padding property memory corruption attempt"; flow:to_client,established; file_data; content:"letter-spacing"; nocase; content:"unicode-bidi"; fast_pattern:only; content:"padding-"; nocase; content:"position"; nocase; pcre:"/padding-(left|right|bottom|top)\x3A\s*?\d{4}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8747; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8747; classtype:attempted-user; sid:44356; rev:2;)
# sid:44350: CVE-2017-8749 IE object UAF, SMTP. Four unordered, unanchored contents (Collator, RegExp, URIError, __lookupGetter__), the last as fast_pattern:only.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer object use after free attempt"; flow:to_server,established; file_data; content:"Collator"; content:"RegExp"; content:"URIError"; content:"__lookupGetter__"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8749; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8749; classtype:attempted-user; sid:44350; rev:2;)
# sid:44349: client-direction twin of sid:44350.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer object use after free attempt"; flow:to_client,established; file_data; content:"Collator"; content:"RegExp"; content:"URIError"; content:"__lookupGetter__"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8749; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8749; classtype:attempted-user; sid:44349; rev:2;)
# sid:44343: CVE-2017-8750 WeakMap/Freeze corruption, SMTP. WeakMap() as fast pattern, .set then "window" within:20; the negated content:!"."; within:1 requires the byte right after "window" not to be a dot (a bare window, not window.prop).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Internet Explorer WeakMap Freeze memory corruption attempt"; flow:to_server,established; file_data; content:"WeakMap|28 29|"; fast_pattern:only; content:".set"; nocase; content:"window"; within:20; content:!"."; within:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8750; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8750; classtype:attempted-user; sid:44343; rev:2;)
# sid:44342: client-direction twin of sid:44343.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Internet Explorer WeakMap Freeze memory corruption attempt"; flow:to_client,established; file_data; content:"WeakMap|28 29|"; fast_pattern:only; content:".set"; nocase; content:"window"; within:20; content:!"."; within:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8750; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8750; classtype:attempted-user; sid:44342; rev:2;)
# sid:44341: CVE-2017-8734 Edge setSelectionRange corruption, SMTP. optgroup, then two .setSelectionRange( each within:250, then insertOrderedList within:250 as fast pattern.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt"; flow:to_server,established; file_data; content:"optgroup"; content:".setSelectionRange|28|"; within:250; content:".setSelectionRange|28|"; within:250; content:"insertOrderedList"; within:250; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8734; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8734; classtype:attempted-user; sid:44341; rev:3;)
# sid:44340: client-direction twin of sid:44341.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt"; flow:to_client,established; file_data; content:"optgroup"; content:".setSelectionRange|28|"; within:250; content:".setSelectionRange|28|"; within:250; content:"insertOrderedList"; within:250; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8734; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8734; classtype:attempted-user; sid:44340; rev:3;)
# sid:44339: CVE-2017-8757 Edge DoS, SMTP. APPLET (nocase) followed by toString, Proxy, __proto__, __defineGetter__ (fast pattern), each within:100 of the previous; classtype attempted-dos.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge denial of service attempt"; flow:to_server,established; file_data; content:"APPLET"; nocase; content:"toString"; within:100; content:"Proxy"; within:100; content:"__proto__"; within:100; content:"__defineGetter__"; within:100; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8757; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8757; classtype:attempted-dos; sid:44339; rev:2;)
# sid:44338: client-direction twin of sid:44339.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge denial of service attempt"; flow:to_client,established; file_data; content:"APPLET"; nocase; content:"toString"; within:100; content:"Proxy"; within:100; content:"__proto__"; within:100; content:"__defineGetter__"; within:100; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8757; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8757; classtype:attempted-dos; sid:44338; rev:2;)
# sid:44334 (disabled): CVE-2017-11800 / CVE-2017-8738 Chakra type confusion, SMTP. ArrayBuffer(, Uint32Array(, Math.floor, then a negated Float32Array( and a required Float64Array(, each within:200. NOTE(review): a negated content does not advance the match cursor, so the final within:200 is presumably measured from Math.floor rather than from the negated match; confirm the intended window.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra Core type confusion attempt"; flow:to_server,established; file_data; content:"ArrayBuffer("; content:"Uint32Array("; within:200; content:"Math.floor"; within:200; content:!"Float32Array("; within:200; content:"Float64Array("; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11800; reference:cve,2017-8738; classtype:attempted-user; sid:44334; rev:3;)
# sid:44333 (disabled): client-direction twin of sid:44334; the same negated-content window question applies.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra Core type confusion attempt"; flow:to_client,established; file_data; content:"ArrayBuffer("; content:"Uint32Array("; within:200; content:"Math.floor"; within:200; content:!"Float32Array("; within:200; content:"Float64Array("; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11800; reference:cve,2017-8738; classtype:attempted-user; sid:44333; rev:3;)
# sid:44332 (rev 4): CVE-2017-8731 and CVE-2018-15991 Edge memory corruption, SMTP. execCommand with selectAll within:30, a second execCommand within:500 followed by insertUnorderedList within:45 (fast pattern), plus an unanchored onload=.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Windows Edge memory corruption attempt"; flow:to_server,established; file_data; content:"execCommand"; content:"selectAll"; within:30; nocase; content:"execCommand"; within:500; content:"insertUnorderedList"; within:45; fast_pattern; nocase; content:"onload="; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8731; reference:cve,2018-15991; classtype:attempted-user; sid:44332; rev:4;)
# sid:44331: client-direction twin of sid:44332.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows Edge memory corruption attempt"; flow:to_client,established; file_data; content:"execCommand"; content:"selectAll"; within:30; nocase; content:"execCommand"; within:500; content:"insertUnorderedList"; within:45; fast_pattern; nocase; content:"onload="; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8731; reference:cve,2018-15991; classtype:attempted-user; sid:44331; rev:4;)
# sid:35867: IE XMLDOM double free, SMTP. No reference option (ruleset limited); dropped in connectivity, balanced, security and max-detect policies. Long chain anchored on |5C|u9090 as fast pattern; note the msg string ends in a trailing space before the closing quote.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt "; flow:to_server,established; file_data; content:"push"; content:".createNode"; within:20; content:"new ActiveXObject"; content:"Microsoft.XMLDOM"; within:20; content:".loadXML"; content:"<!ELEMENT "; content:"EMPTY"; within:25; content:"<!ATTLIST "; content:"ref IDREF"; within:25; content:"|5C|u9090"; fast_pattern:only; content:".charCodeAt"; content:"0x10000"; distance:10; content:".charCodeAt(0)"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset limited, service smtp; classtype:attempted-user; sid:35867; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt "; flow:to_client,established; file_data; content:"push"; content:".createNode"; within:20; content:"new ActiveXObject"; content:"Microsoft.XMLDOM"; within:20; content:".loadXML"; content:"<!ELEMENT "; content:"EMPTY"; within:25; content:"<!ATTLIST "; content:"ref IDREF"; within:25; content:"|5C|u9090"; fast_pattern:only; content:".charCodeAt"; content:"0x10000"; distance:10; content:".charCodeAt(0)"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset limited, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35866; rev:3;)
|
|
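# sid 35865 (HTTP, FTP-data, IMAP, POP3 only; no SMTP sibling in this section): IE DataSource
# recordset RCE. Fast pattern ".DataSource", then recordset / classid / recordNumber anywhere in
# the file buffer (all nocase, none relative). Part of the "limited" ruleset. No CVE recorded.
# Fix: trailing space removed from msg; rev bumped.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Internet Explorer DataSource recordset remote code execution attempt"; flow:to_client,established; file_data; content:".DataSource"; fast_pattern:only; content:"recordset"; nocase; content:"classid"; nocase; content:"recordNumber"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset limited, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35865; rev:4;)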
|
|
# sids 44533 (SMTP) / 44532 (HTTP, FTP-data, IMAP, POP3): Edge getOwnPropertyDescriptor memory
# corruption, CVE-2017-11798. Four non-relative tokens: SIMD, Int32x4 (fast pattern), Int32Array,
# byteLength. Nothing ties the tokens together, so any page using the SIMD.js Int32x4 API next to a
# typed array trips it; enabled and dropping in balanced, max-detect and security policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge getOwnPropertyDescriptor memory corruption attempt"; flow:to_server,established; file_data; content:"SIMD"; content:"Int32x4"; fast_pattern:only; content:"Int32Array"; content:"byteLength"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11798; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11798; classtype:attempted-user; sid:44533; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge getOwnPropertyDescriptor memory corruption attempt"; flow:to_client,established; file_data; content:"SIMD"; content:"Int32x4"; fast_pattern:only; content:"Int32Array"; content:"byteLength"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11798; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11798; classtype:attempted-user; sid:44532; rev:3;)
|
|
# sids 44527 (SMTP) / 44526 (HTTP, FTP-data, IMAP, POP3): IE memory corruption, CVE-2017-8727.
# Fast pattern "EmulateIE8" (X-UA-Compatible document mode), then button -> className (within 200)
# and mark -> swapNode (within 200). "button" and "mark" are nocase; "className"/"swapNode" are
# case-sensitive. Enabled and dropping in balanced, max-detect and security policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_server,established; file_data; content:"EmulateIE8"; fast_pattern:only; content:"button"; nocase; content:"className"; within:200; content:"mark"; nocase; content:"swapNode"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-8727; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8727; classtype:attempted-user; sid:44527; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_client,established; file_data; content:"EmulateIE8"; fast_pattern:only; content:"button"; nocase; content:"className"; within:200; content:"mark"; nocase; content:"swapNode"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8727; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8727; classtype:attempted-user; sid:44526; rev:2;)
|
|
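# sids 44513 (SMTP) / 44512 (HTTP, FTP-data, IMAP, POP3): IE memory corruption, CVE-2017-11822.
# Anchors: contentEditable -> true (within 20), replaceNode, createTextRange -> .select (within 20),
# innerHTML, applyElement -> onbeforeeditfocus (within 100). No fast_pattern is declared, so the
# engine picks one itself. Enabled and dropping in balanced, max-detect and security policies.
# Fix: 44513 is the SMTP-server rule (to_server, port 25) but its metadata also listed
# "service ftp-data", which belongs only to its HTTP/FTP sibling 44512 and would additionally bind
# the SMTP rule to FTP-data flows under service-aware inspection. Stray service removed; rev bumped.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_server,established; file_data; content:"contentEditable"; content:"true"; within:20; content:"replaceNode"; content:"createTextRange"; content:".select"; within:20; content:"innerHTML"; content:"applyElement"; content:"onbeforeeditfocus"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11822; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11822; classtype:attempted-user; sid:44513; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_client,established; file_data; content:"contentEditable"; content:"true"; within:20; content:"replaceNode"; content:"createTextRange"; content:".select"; within:20; content:"innerHTML"; content:"applyElement"; content:"onbeforeeditfocus"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11822; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11822; classtype:attempted-user; sid:44512; rev:2;)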
|
|
# sids 44511 (SMTP) / 44510 (HTTP, FTP-data, IMAP, POP3): IE scripting engine memory corruption,
# CVE-2017-11810. "Error" (nocase, matches any case anywhere) -> "toString:function()" within 100
# -> "CollectGarbage" within 100. CollectGarbage (a JScript-specific global, not standard
# ECMAScript) is the real discriminator; the other two tokens are ordinary JavaScript.
# Enabled and dropping in balanced, max-detect and security policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt"; flow:to_server,established; file_data; content:"Error"; nocase; content:"toString|3A|function|28 29|"; within:100; nocase; content:"CollectGarbage"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11810; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11810; classtype:attempted-user; sid:44511; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt"; flow:to_client,established; file_data; content:"Error"; nocase; content:"toString|3A|function|28 29|"; within:100; nocase; content:"CollectGarbage"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11810; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11810; classtype:attempted-user; sid:44510; rev:2;)
|
|
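# sids 44509 (SMTP) / 44508 (HTTP, FTP-data, IMAP, POP3): scripting engine memory corruption,
# CVE-2017-11793. Anchors: return -> new (within 7) -> RangeError, the fast pattern "stringify",
# two "href" tokens within 20 bytes of each other, and a <script tag (nocase).
# Enabled and dropping in balanced, max-detect and security policies.
# Fix: the SMTP rule used within:13 for RangeError while its sibling used within:15; the two rules
# are meant to differ only in transport, so the SMTP rule now uses the same (slightly wider)
# window and no longer misses a sample its HTTP twin catches. rev bumped.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE scripting engine memory corruption vulnerability attempt"; flow:to_server,established; file_data; content:"return"; content:"new"; within:7; content:"RangeError"; within:15; content:"stringify"; fast_pattern:only; content:"href"; content:"href"; within:20; content:"<script"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11793; classtype:attempted-admin; sid:44509; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE scripting engine memory corruption vulnerability attempt"; flow:to_client,established; file_data; content:"return"; content:"new"; within:7; content:"RangeError"; within:15; content:"stringify"; fast_pattern:only; content:"href"; content:"href"; within:20; content:"<script"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11793; classtype:attempted-admin; sid:44508; rev:2;)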
|
|
# sids 44549 (SMTP) / 44548 (HTTP, FTP-data, IMAP, POP3): Edge WebNote arbitrary file read,
# CVE-2016-0161 (MS16-038). Disabled by default and in no drop policy. window.open( (fast pattern)
# -> javascript: (within 20) -> location.href (within 500) -> file:// (within 20). A javascript:
# popup that redirects to a file:// URL is a plain local-file-read primitive and rarely legitimate.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt"; flow:to_server,established; file_data; content:"window.open("; fast_pattern; content:"javascript:"; within:20; content:"location.href"; within:500; content:"file://"; within:20; metadata:service smtp; reference:cve,2016-0161; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-038; classtype:attempted-user; sid:44549; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt"; flow:to_client,established; file_data; content:"window.open("; fast_pattern; content:"javascript:"; within:20; content:"location.href"; within:500; content:"file://"; within:20; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-0161; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-038; classtype:attempted-user; sid:44548; rev:1;)
|
|
# sids 44603 (SMTP) / 44602 (HTTP, FTP-data, IMAP, POP3): IE SetItem use after free,
# CVE-2016-0106 (MS16-023). Disabled by default; drop only under max-detect.
# Caveat: the three anchors are the literal ".dataset.someAttr" from the published PoC - "someAttr"
# is an arbitrary attribute name, so any exploit that renames it evades all three contents. Only
# String.fromCharCode( is a generic token. Treat this as a PoC signature, not vulnerability coverage.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt"; flow:to_server,established; file_data; content:".dataset.someAttr"; fast_pattern; nocase; content:".dataset.someAttr"; distance:0; nocase; content:".dataset.someAttr"; distance:0; nocase; content:"String.fromCharCode("; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-0106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:44603; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt"; flow:to_client,established; file_data; content:".dataset.someAttr"; fast_pattern; nocase; content:".dataset.someAttr"; distance:0; nocase; content:".dataset.someAttr"; distance:0; nocase; content:"String.fromCharCode("; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-023; classtype:attempted-user; sid:44602; rev:3;)
|
|
# sids 44636 (SMTP) / 44635 (HTTP, FTP-data, IMAP, POP3): Edge sandbox escape. Disabled by default,
# in no drop policy, and the only reference is a GitHub account, not an advisory or CVE.
# The single anchor is a fixed 32-byte sequence that looks like compiled x86 code from one specific
# PoC build (presumably; nothing here documents its origin). Any recompilation, compiler flag change
# or packing alters those bytes, so expect this to match that one binary and nothing else.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge sandbox escape attempt"; flow:to_server,established; file_data; content:"|8B 45 FC 8B 40 0C 8B 40 14 8B F8 89 45 EC 8B CF E8 D2 FF FF FF 8B 3F 8B 70 18 85 F6 74 4F 8B 46|"; fast_pattern:only; metadata:service smtp; reference:url,github.com/sandboxescaper; classtype:attempted-admin; sid:44636; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge sandbox escape attempt"; flow:to_client,established; file_data; content:"|8B 45 FC 8B 40 0C 8B 40 14 8B F8 89 45 EC 8B CF E8 D2 FF FF FF 8B 3F 8B 70 18 85 F6 74 4F 8B 46|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,github.com/sandboxescaper; classtype:attempted-admin; sid:44635; rev:1;)
|
|
# sids 44752 (SMTP) / 44751 (HTTP, FTP-data, IMAP, POP3): IE use after free, CVE-2014-1772.
# Disabled by default, in no drop policy. Fast pattern ".msGetInputContext(" (an IE-only API), then
# .createRange( / .setStart( / .setEnd( anywhere in the buffer, all case-sensitive and non-relative.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:".msGetInputContext("; fast_pattern:only; content:".createRange("; content:".setStart("; content:".setEnd("; metadata:service smtp; reference:cve,2014-1772; classtype:attempted-admin; sid:44752; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:".msGetInputContext("; fast_pattern:only; content:".createRange("; content:".setStart("; content:".setEnd("; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-1772; classtype:attempted-admin; sid:44751; rev:1;)
|
|
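# sids 44737 (SMTP) / 44736 (HTTP, FTP-data, IMAP, POP3): IE saveHistory use after free,
# CVE-2013-0088 (MS13-021). Disabled by default; drop only under max-detect. Matches a
# <meta name="save" content="history"> tag plus a behavior:url(#default#savehistory) style, and
# requires that no </html> follows within N bytes (negated content).
# TODO confirm: the negated window is 200 in the SMTP rule but 150 in the HTTP rule - the pair
# should agree, and the msg says "use after free" while classtype is attempted-dos.
# Fix: 44736 spelled the flow option "to_client, established" with a space; every other rule in this
# file uses "to_client,established". Normalised so the option parses identically everywhere; rev bumped.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_server,established; file_data; content:"<meta"; nocase; content:"name="; nocase; content:"save"; within:15; nocase; content:"content="; nocase; content:"history"; within:20; content:"behavior:"; nocase; content:"url"; within:10; nocase; content:"#default#savehistory"; within:50; nocase; content:!"</html"; within:200; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2013-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-dos; sid:44737; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_client,established; file_data; content:"<meta"; nocase; content:"name="; nocase; content:"save"; within:15; nocase; content:"content="; nocase; content:"history"; within:20; content:"behavior:"; nocase; content:"url"; within:10; nocase; content:"#default#savehistory"; within:50; nocase; content:!"</html"; within:150; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-dos; sid:44736; rev:2;)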
|
|
# sids 44730 (SMTP) / 44729 (HTTP, FTP-data, IMAP, POP3): IE script action handler overflow,
# CVE-2006-1245. Disabled by default; drop only under max-detect. The sole anchor is one verbatim
# line of the public PoC (a string-doubling loop that document.write()s an ever-growing attribute),
# so any whitespace, variable-name or loop-bound change evades it.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer script action handler buffer overflow attempt"; flow:to_server,established; file_data; content:"|27|,i=0|3B|i<8|7C 7C|(document.write(s+|27|>|27|))|3B|i++)s+=s|3B|</script>"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-1245; classtype:attempted-admin; sid:44730; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer script action handler buffer overflow attempt"; flow:to_client,established; file_data; content:"|27|,i=0|3B|i<8|7C 7C|(document.write(s+|27|>|27|))|3B|i++)s+=s|3B|</script>"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-1245; classtype:attempted-admin; sid:44729; rev:2;)
|
|
# sids 44755 (SMTP) / 44754 (HTTP, FTP-data, IMAP, POP3): IE use after free, CVE-2014-1775.
# Disabled by default, in no drop policy. Only two tokens: "behavior" (nocase) followed within 200
# bytes by "<body onreadystatechange=". Both are legitimate IE constructs; enabling this in a drop
# policy without local testing is likely to hit benign legacy intranet pages.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"behavior"; nocase; content:"<body onreadystatechange="; within:200; nocase; metadata:service smtp; reference:cve,2014-1775; classtype:attempted-admin; sid:44755; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"behavior"; nocase; content:"<body onreadystatechange="; within:200; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-1775; classtype:attempted-admin; sid:44754; rev:1;)
|
|
# sids 44846 (SMTP) / 44845 (HTTP, FTP-data, IMAP, POP3): Edge heap overflow, CVE-2017-11846.
# Enabled and dropping in balanced, max-detect and security policies, yet the only anchor is the
# verbatim PoC statement "aaa[aaa.length + 0x30000000] = 0;" - the array name, spacing and the
# exact offset are all attacker-controlled. Low false-positive risk, but trivially evaded.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge heap overflow attempt"; flow:to_server,established; file_data; content:"aaa[aaa.length + 0x30000000] = 0|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11846; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11846; classtype:attempted-user; sid:44846; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge heap overflow attempt"; flow:to_client,established; file_data; content:"aaa[aaa.length + 0x30000000] = 0|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11846; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11846; classtype:attempted-user; sid:44845; rev:2;)
|
|
# sids 44844 (SMTP) / 44843 (HTTP, FTP-data, IMAP, POP3): Edge Uint8Array memory corruption,
# CVE-2017-11873. Disabled by default, in no drop policy. new -> Array (within 15), a bare "Uint"
# token, and the fast pattern "valueOf: () => {" (an arrow-function valueOf hook, exact spacing).
# The spacing around the arrow is the only thing that makes this specific.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt"; flow:to_server,established; file_data; content:"new"; content:"Array"; within:15; content:"Uint"; content:"valueOf: () => {"; fast_pattern:only; metadata:service smtp; reference:cve,2017-11873; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11873; classtype:attempted-admin; sid:44844; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt"; flow:to_client,established; file_data; content:"new"; content:"Array"; within:15; content:"Uint"; content:"valueOf: () => {"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11873; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11873; classtype:attempted-admin; sid:44843; rev:2;)
|
|
# sids 44832 (SMTP) / 44831 (HTTP, FTP-data, IMAP, POP3): Edge memory corruption, CVE-2017-11855.
# Relative chain: new -> TypeError( (within 16, fast pattern) -> .splice -> .charCodeAt -> .slice,
# each within 60 bytes of the previous match. Enabled and dropping in balanced, max-detect and
# security policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption exploitation attempt"; flow:to_server,established; file_data; content:"new"; content:"TypeError("; within:16; fast_pattern; content:".splice"; within:60; content:".charCodeAt"; within:60; content:".slice"; within:60; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11855; classtype:attempted-admin; sid:44832; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption exploitation attempt"; flow:to_client,established; file_data; content:"new"; content:"TypeError("; within:16; fast_pattern; content:".splice"; within:60; content:".charCodeAt"; within:60; content:".slice"; within:60; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11855; classtype:attempted-admin; sid:44831; rev:2;)
|
|
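# sids 44830 (SMTP) / 44829 (HTTP, FTP-data, IMAP, POP3): IE array memory corruption,
# CVE-2017-11856. length -> 0x (within 10), fast pattern "msSetImmediate" (IE-only API),
# try -> splice (within 20). Enabled and dropping in balanced, max-detect and security policies.
# Fix: 44829 wrote the flow option as "to_client, established" with a space; normalised to the
# "to_client,established" form used by every other rule in this file. rev bumped.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer array memory corruption attempt"; flow:to_server,established; file_data; content:"length"; content:"0x"; within:10; content:"msSetImmediate"; fast_pattern:only; content:"try"; content:"splice"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11856; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11856; classtype:attempted-user; sid:44830; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer array memory corruption attempt"; flow:to_client,established; file_data; content:"length"; content:"0x"; within:10; content:"msSetImmediate"; fast_pattern:only; content:"try"; content:"splice"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11856; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11856; classtype:attempted-user; sid:44829; rev:2;)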
|
|
# sids 44828 (SMTP) / 44827 (HTTP, FTP-data, IMAP, POP3): Edge scripting engine memory corruption,
# CVE-2017-11858. Fast pattern ".repeat(", a "RegExp(" token, and a pcre requiring the repeat()
# argument to be a literal of exactly 9 decimal digits or "0x" + exactly 8 hex digits.
# Coverage note: a 10-digit decimal, a 7-digit hex literal, or a count passed via a variable
# falls outside that regex. Enabled and dropping in balanced, max-detect and security policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_server,established; file_data; content:".repeat("; fast_pattern:only; content:"RegExp("; pcre:"/\x2Erepeat\x28(\d{9}|0x[0-9a-f]{8})/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11858; classtype:attempted-admin; sid:44828; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_client,established; file_data; content:".repeat("; fast_pattern:only; content:"RegExp("; pcre:"/\x2Erepeat\x28(\d{9}|0x[0-9a-f]{8})/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11858; classtype:attempted-admin; sid:44827; rev:2;)
|
|
# sids 44824 (SMTP) / 44823 (HTTP, FTP-data, IMAP, POP3): IE VBScript Join out-of-bounds access,
# CVE-2017-11869. Disabled by default, in no drop policy. Fast pattern is the verbatim PoC loop
# "while (s.length < 0x40000000)", then text/vbscript (nocase) followed by Join( (distance:0).
# The exact loop text (spacing and bound) is the brittle part; text/vbscript + Join( alone is generic.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript Join out of bounds memory access attempt"; flow:to_server,established; file_data; content:"while |28|s.length < 0x40000000|29|"; fast_pattern:only; content:"text/vbscript"; nocase; content:"Join|28|"; distance:0; metadata:service smtp; reference:cve,2017-11869; classtype:attempted-user; sid:44824; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript Join out of bounds memory access attempt"; flow:to_client,established; file_data; content:"while |28|s.length < 0x40000000|29|"; fast_pattern:only; content:"text/vbscript"; nocase; content:"Join|28|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11869; classtype:attempted-user; sid:44823; rev:1;)
|
|
# sids 44820 (SMTP) / 44819 (HTTP, FTP-data, IMAP, POP3): Edge array use after free,
# CVE-2017-11791. Ordered (distance:0) chain: Set.prototype.forEach.bind( ->
# Int16Array.prototype.toString.apply( (fast pattern) -> callee.caller.arguments. All three are
# unusual together in production code. Enabled and dropping in balanced, max-detect and security.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge array use after free attempt"; flow:to_server,established; file_data; content:"Set.prototype.forEach.bind("; content:"Int16Array.prototype.toString.apply("; distance:0; fast_pattern; content:"callee.caller.arguments"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11791; classtype:attempted-user; sid:44820; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge array use after free attempt"; flow:to_client,established; file_data; content:"Set.prototype.forEach.bind("; content:"Int16Array.prototype.toString.apply("; distance:0; fast_pattern; content:"callee.caller.arguments"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11791; classtype:attempted-user; sid:44819; rev:2;)
|
|
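# sids 44818 (SMTP) / 44817 (HTTP, FTP-data, IMAP, POP3): Edge CSS custom-property memory
# corruption, CVE-2017-11845. Fast pattern "widow-orphan", then a pcre that ties a --custom-property
# declared with the value widow-orphan to a later transition-property: var(--same-name) via a
# named backreference. Enabled and dropping in balanced, max-detect and security policies.
# Fix (coverage): the old pcre required a bare "<style>" tag, at least one whitespace after each
# colon, and a property name of only [a-z0-9_]. A <style type="text/css"> tag, a minified
# "--x:widow-orphan", or a hyphenated name such as --my-prop all slipped past it while the fast
# pattern still matched. Tag may now carry attributes, whitespace is optional, and hyphens are
# allowed in the name; the backreference keeps the pairing strict. rev bumped.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge custom property memory corruption attempt"; flow:to_server,established; file_data; content:"widow-orphan"; fast_pattern:only; content:"transition-property"; pcre:"/<style[^>]*>.*?(?P<uniq>\x2D\x2D[a-z0-9_-]+)\x3A\s*widow-orphan.*?transition-property\x3A\s*var\x28(?P=uniq)/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11845; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11845; classtype:attempted-user; sid:44818; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge custom property memory corruption attempt"; flow:to_client,established; file_data; content:"widow-orphan"; fast_pattern:only; content:"transition-property"; pcre:"/<style[^>]*>.*?(?P<uniq>\x2D\x2D[a-z0-9_-]+)\x3A\s*widow-orphan.*?transition-property\x3A\s*var\x28(?P=uniq)/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11845; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11845; classtype:attempted-user; sid:44817; rev:3;)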
|
|
# sids 44816 (SMTP) / 44815 (HTTP, FTP-data, IMAP, POP3): Edge use after free, CVE-2017-11843.
# Disabled by default; drop only under max-detect and security. Proxy -> getOwnPropertyDescriptor
# (within 30) -> a second getOwnPropertyDescriptor (distance:0), then ArrayBuffer, Uint32Array and
# eval anywhere in the buffer. No fast_pattern is declared, so the engine selects one.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge use after free attempt"; flow:to_server,established; file_data; content:"Proxy"; content:"getOwnPropertyDescriptor"; within:30; content:"getOwnPropertyDescriptor"; distance:0; content:"ArrayBuffer"; content:"Uint32Array"; content:"eval"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11843; classtype:attempted-admin; sid:44816; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge use after free attempt"; flow:to_client,established; file_data; content:"Proxy"; content:"getOwnPropertyDescriptor"; within:30; content:"getOwnPropertyDescriptor"; distance:0; content:"ArrayBuffer"; content:"Uint32Array"; content:"eval"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11843; classtype:attempted-admin; sid:44815; rev:2;)
|
|
# sids 44814 (SMTP) / 44813 (HTTP, FTP-data, IMAP, POP3): Edge Chakra closure use after free,
# CVE-2017-11841. Tokens: let -> call({}) (within 100, fast pattern) -> let -> function
# (within 100). Every one of these is ordinary ES6 JavaScript, and only call({}) is at all
# distinctive, yet the pair is enabled and set to drop in balanced, max-detect and security.
# Validate against your own web traffic before deploying in inline/drop mode.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra Closure use after free attempt"; flow:to_server,established; file_data; content:"let"; content:"call({})"; within:100; fast_pattern; content:"let"; content:"function"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11841; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11841; classtype:attempted-user; sid:44814; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra Closure use after free attempt"; flow:to_client,established; file_data; content:"let"; content:"call({})"; within:100; fast_pattern; content:"let"; content:"function"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11841; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11841; classtype:attempted-user; sid:44813; rev:2;)
|
|
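# sids 44812 (SMTP) / 44811 (HTTP, FTP-data, IMAP, POP3): Edge scripting engine type confusion,
# CVE-2017-11840. Anchors are two verbatim PoC lines: "let obj = [2.3023e-320];" (fast pattern)
# and "for (let i = 0; i < 1; i++)". Enabled and dropping in balanced, max-detect and security.
# Fix: these were the only rules in this section without "file_data;", so the contents were matched
# against the raw packet payload rather than the decoded file/body buffer every sibling inspects.
# A MIME-encoded attachment or a compressed/chunked HTTP body is presumably not seen at all in that
# mode. Added file_data so the pair behaves like the rest of the file; rev bumped.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine type confusion attempt"; flow:to_server,established; file_data; content:"let obj = |5B|2.3023e-320|5D 3B|"; fast_pattern:only; content:"for |28|let i = 0|3B| i < 1|3B| i++|29|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11840; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11840; classtype:attempted-user; sid:44812; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine type confusion attempt"; flow:to_client,established; file_data; content:"let obj = |5B|2.3023e-320|5D 3B|"; fast_pattern:only; content:"for |28|let i = 0|3B| i < 1|3B| i++|29|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11840; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11840; classtype:attempted-user; sid:44811; rev:3;)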
|
|
# sids 44810 (SMTP) / 44809 (HTTP, FTP-data, IMAP, POP3): Edge postMessage use after free,
# CVE-2017-11837. Fast pattern "Array.prototype.slice.call([])" (the SMTP rule writes the
# parentheses/brackets as |28 5B 5D 29|, which is the same bytes), then a Worker( chain:
# .onmessage -> .postMessage -> .terminate -> null -> Date.now(), each within 50 bytes.
# Enabled and dropping in balanced, max-detect and security policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge postMessage use after free attempt"; flow:to_server,established; file_data; content:"Array.prototype.slice.call|28 5B 5D 29|"; fast_pattern:only; content:"Worker|28|"; content:".onmessage"; within:50; content:".postMessage"; within:50; content:".terminate"; within:50; content:"null"; within:50; content:"Date.now|28 29|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11837; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11837; classtype:attempted-user; sid:44810; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge postMessage use after free attempt"; flow:to_client,established; file_data; content:"Array.prototype.slice.call([])"; fast_pattern:only; content:"Worker|28|"; content:".onmessage"; within:50; content:".postMessage"; within:50; content:".terminate"; within:50; content:"null"; within:50; content:"Date.now|28 29|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11837; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11837; classtype:attempted-user; sid:44809; rev:2;)
|
|
# sids 45170 (SMTP) / 45169 (HTTP, FTP-data, IMAP, POP3): Edge array type confusion,
# CVE-2017-11916. Single anchor: two verbatim PoC lines joined by |3B 0D 0A| (";\r\n") and a
# one-space indent before "let re". Because the CRLF and the indent are part of the pattern, the
# same PoC saved with LF line endings or re-indented does not match. Enabled and dropping in
# balanced, max-detect and security policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge array type confusion attempt"; flow:to_server,established; file_data; content:"let arr = [1.1, 2.2, 3.3]|3B 0D 0A| let re = /a/|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11916; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11916; classtype:attempted-user; sid:45170; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge array type confusion attempt"; flow:to_client,established; file_data; content:"let arr = [1.1, 2.2, 3.3]|3B 0D 0A| let re = /a/|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11916; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11916; classtype:attempted-user; sid:45169; rev:2;)
|
|
# sids 45168 (SMTP) / 45167 (HTTP, FTP-data, IMAP, POP3): Edge memory corruption, CVE-2017-11930.
# Single anchor: the verbatim PoC statement building a huge string with
# '1,1,...,'.repeat(0x2000001). Variable name, quote style, the repeated text and the exact count
# are all part of the match. Enabled and dropping in balanced, max-detect and security policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"var a=|27|1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,|27|.repeat(0x2000001)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11930; classtype:attempted-admin; sid:45168; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"var a=|27|1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,|27|.repeat(0x2000001)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11930; classtype:attempted-admin; sid:45167; rev:2;)
|
|
# sids 45163 (SMTP) / 45162 (HTTP, FTP-data, IMAP, POP3): Edge memory corruption, CVE-2017-11893.
# Single anchor: "Math.max.apply(Math, arr2);\r\n arr[0] = 2.3023e-320" - two PoC lines with an
# embedded CRLF (|3B 0D 0A|) and a one-space indent, so LF-only or re-indented copies do not match.
# Enabled and dropping in balanced, max-detect and security policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"Math.max.apply(Math, arr2)|3B 0D 0A| arr[0] = 2.3023e-320"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11893; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11893; classtype:attempted-user; sid:45163; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"Math.max.apply(Math, arr2)|3B 0D 0A| arr[0] = 2.3023e-320"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11893; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11893; classtype:attempted-user; sid:45162; rev:2;)
|
|
# sids 45161 (SMTP) / 45160 (HTTP, FTP-data, IMAP, POP3): Edge null pointer dereference,
# CVE-2017-11918. Disabled by default; drop only under max-detect and security. Fast pattern
# "return tmp[0];", then "let tmp = []" followed within 200 bytes by the self-reference
# "tmp[0] = tmp". All three depend on the PoC's variable name "tmp".
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge null pointer dereference attempt"; flow:to_server,established; file_data; content:"return tmp[0]|3B|"; fast_pattern:only; content:"let tmp = []"; content:"tmp[0] = tmp"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11918; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11918; classtype:attempted-user; sid:45161; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge null pointer dereference attempt"; flow:to_client,established; file_data; content:"return tmp[0]|3B|"; fast_pattern:only; content:"let tmp = []"; content:"tmp[0] = tmp"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11918; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11918; classtype:attempted-user; sid:45160; rev:2;)
|
|
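# sids 45156 (SMTP) / 45155 (HTTP, FTP-data, IMAP, POP3): IE out-of-bounds read, CVE-2017-11911.
# Disabled by default; drop only under max-detect and security. Single fast pattern: the verbatim
# asm.js module prologue "'use asm';\r\n    const a = 1.0;\r\n    function f() {\r\n" including
# CRLFs and four-space indents, so whitespace changes evade it.
# Fixes: (1) 45156 carried "reference:url,url", a placeholder that renders as a useless link, and
# 45155 carried "reference:url,reference:url,portal..." (the keyword pasted twice), which yields a
# garbage URL. Both now point at the MSRC advisory. (2) 45156 also had a redundant plain
# content:"use asm" that is a substring of the fast-pattern content and matched nothing extra;
# dropped so the pair is identical apart from transport. rev bumped on both.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds read attempt"; flow:to_server,established; file_data; content:"|27|use asm|27 3B 0D 0A 20 20 20 20|const a = 1.0|3B 0D 0A 20 20 20 20|function f|28 29 20 7B 0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11911; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11911; classtype:attempted-user; sid:45156; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds read attempt"; flow:to_client,established; file_data; content:"|27|use asm|27 3B 0D 0A 20 20 20 20|const a = 1.0|3B 0D 0A 20 20 20 20|function f|28 29 20 7B 0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11911; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11911; classtype:attempted-user; sid:45155; rev:3;)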
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt"; flow:to_client,established; file_data; content:"<textarea"; fast_pattern; nocase; content:"</textarea"; within:15; nocase; content:".getElementByID"; distance:0; nocase; content:".className"; within:75; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-0075; reference:cve,2009-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:45154; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge JsSetCurrentContext out of bounds read attempt"; flow:to_server,established; file_data; content:"let"; content:"Uint32Array"; within:50; content:"let"; within:100; content:"Uint32Array"; within:50; content:"print"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11909; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11909; classtype:attempted-user; sid:45151; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge JsSetCurrentContext out of bounds read attempt"; flow:to_client,established; file_data; content:"let"; content:"Uint32Array"; within:50; content:"let"; within:100; content:"Uint32Array"; within:50; content:"print"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11909; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11909; classtype:attempted-user; sid:45150; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Array out of bounds write attempt"; flow:to_server,established; file_data; content:"function go() { arr[0] = o|3B| array.prototype.sort.call(arr)|3B| }"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11907; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11907; classtype:attempted-user; sid:45149; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Array out of bounds write attempt"; flow:to_client,established; file_data; content:"function go() { arr[0] = o|3B| array.prototype.sort.call(arr)|3B| }"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11907; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11907; classtype:attempted-user; sid:45148; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt"; flow:to_server,established; file_data; content:"CollectGarbage"; content:"return {}"; within:100; content:"Array.prototype.join.call"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11903; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11903; classtype:misc-activity; sid:45147; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt"; flow:to_client,established; file_data; content:"CollectGarbage"; content:"return {}"; within:100; content:"Array.prototype.join.call"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11903; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11903; classtype:misc-activity; sid:45146; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt"; flow:to_server,established; file_data; content:"ArrayBuffer"; content:"Uint32Array"; within:50; content:"Float64Array"; within:150; fast_pattern; content:"valueOf"; content:"function"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11901; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11901; classtype:attempted-user; sid:45145; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt"; flow:to_client,established; file_data; content:"ArrayBuffer"; content:"Uint32Array"; within:50; content:"Float64Array"; within:150; fast_pattern; content:"valueOf"; content:"function"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11901; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11901; classtype:attempted-user; sid:45144; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge type confusion attempt"; flow:to_server,established; file_data; content:"[1] = 6.17651672645e-312|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11895; reference:cve,2018-8456; reference:cve,2018-8542; reference:cve,2018-8557; reference:cve,2018-8588; reference:cve,2018-8617; reference:cve,2019-0769; classtype:attempted-user; sid:45143; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge type confusion attempt"; flow:to_client,established; file_data; content:"[1] = 6.17651672645e-312|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11895; reference:cve,2018-8456; reference:cve,2018-8542; reference:cve,2018-8557; reference:cve,2018-8588; reference:cve,2018-8617; reference:cve,2019-0769; classtype:attempted-user; sid:45142; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra RegExp engine memory corruption attempt"; flow:to_server,established; file_data; content:"RegExp"; content:"0xfffc"; within:50; fast_pattern; content:"replace"; within:100; content:"arguments"; content:"return"; distance:-30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11894; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11894; classtype:attempted-user; sid:45141; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra RegExp engine memory corruption attempt"; flow:to_client,established; file_data; content:"RegExp"; content:"0xfffc"; within:50; fast_pattern; content:"replace"; within:100; content:"arguments"; content:"return"; distance:-30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11894; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11894; classtype:attempted-user; sid:45140; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt"; flow:to_server,established; file_data; content:"jscript.encode"; nocase; content:"for"; within:100; nocase; content:"RegExp"; within:150; content:"compile"; within:100; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11890; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11890; classtype:attempted-user; sid:45139; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt"; flow:to_client,established; file_data; content:"jscript.encode"; nocase; content:"for"; within:100; nocase; content:"RegExp"; within:150; content:"compile"; within:100; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11890; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11890; classtype:attempted-user; sid:45138; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge defineGetter type confusion attempt"; flow:to_client,established; file_data; content:".__defineGetter__('length', function () {"; fast_pattern; content:".call(0x"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11914; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11914; classtype:attempted-user; sid:45129; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge defineGetter type confusion attempt"; flow:to_server,established; file_data; content:".__defineGetter__('length', function () {"; fast_pattern; content:".call(0x"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11914; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11914; classtype:attempted-user; sid:45128; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"data:audio/mp3"; content:"uQxAAAVHoO86Ch/wKrQh+UIz/YShKDZqEIAAE3kQFg+NSyUDm5f/yB+D/GP8hjmzG6Jy7lvFu8Iif7i7vApIeVfN/DkGIKGInCaJxNu9wifzeiTfJlaJX/Np//9wKClWWDcG4vBiIYwcB4NHigohguDcBcIxSiAaB4JAgT6jf2YDkQi5/mmabkya6nTRBy5uRyKB48TiFogeguDih66JwykEQBKzjbzTdl3FjUCgfnYZFWM01W3"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11888; reference:cve,2018-8123; reference:cve,2018-8297; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11888; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8123; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8297; classtype:attempted-user; sid:45122; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"data:audio/mp3"; content:"uQxAAAVHoO86Ch/wKrQh+UIz/YShKDZqEIAAE3kQFg+NSyUDm5f/yB+D/GP8hjmzG6Jy7lvFu8Iif7i7vApIeVfN/DkGIKGInCaJxNu9wifzeiTfJlaJX/Np//9wKClWWDcG4vBiIYwcB4NHigohguDcBcIxSiAaB4JAgT6jf2YDkQi5/mmabkya6nTRBy5uRyKB48TiFogeguDih66JwykEQBKzjbzTdl3FjUCgfnYZFWM01W3"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11888; reference:cve,2018-8123; reference:cve,2018-8297; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11888; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8123; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8297; classtype:attempted-user; sid:45121; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds read attempt"; flow:to_server,established; file_data; content:"<bdi"; content:"style"; distance:0; content:"outline|3A|hsl"; distance:0; content:"solid"; within:25; content:">"; distance:0; content:"&#x"; distance:0; byte_test:10,>=,0x300,0,relative,string,hex; byte_test:10,<=,0x362,0,relative,string,hex; content:"&#"; distance:20; pcre:"/<bdi.*?style.*?outline\x3ahsl.*?solid.*?>([^&]+?\s+?)?\s*?�*?3[1-6]\d\x3b/is"; content:"</bdi>"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-144; classtype:attempted-user; sid:45213; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds read attempt"; flow:to_server,established; file_data; content:"<bdi"; content:"style"; distance:0; content:"outline|3A|hsl"; distance:0; content:"solid"; within:25; content:">"; distance:0; content:"&#"; distance:0; byte_test:10,>=,768,0,relative,string,dec; byte_test:10,<=,866,0,relative,string,dec; content:"&#"; distance:20; pcre:"/<bdi.*?style.*?outline\x3ahsl.*?solid.*?>([^&]+?\s+?)?\s*?�*?(7[6-9]|8[1-6])\d\x3b/is"; content:"</bdi>"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-144; classtype:attempted-user; sid:45212; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds read attempt"; flow:to_server,established; file_data; content:"<bdi"; nocase; content:"outline-style:"; within:25; nocase; content:"outline"; within:25; nocase; content:"&#"; within:50; content:"|3B|&#"; within:10; content:"|3B|&#"; within:10; content:"|3B|&#"; within:10; content:"|3B|&#"; within:10; content:"|3B|&#"; within:10; content:"|3B|&#"; within:10; content:"|3B|&#"; within:10; content:"|3B|&#"; within:10; metadata:service smtp; reference:cve,2016-7283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-144; classtype:attempted-user; sid:45211; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer out of bounds read attempt"; flow:to_client,established; file_data; content:"<bdi"; nocase; content:"outline-style:"; within:25; nocase; content:"outline"; within:25; nocase; content:"&#"; within:50; content:"|3B|&#"; within:10; content:"|3B|&#"; within:10; content:"|3B|&#"; within:10; content:"|3B|&#"; within:10; content:"|3B|&#"; within:10; content:"|3B|&#"; within:10; content:"|3B|&#"; within:10; content:"|3B|&#"; within:10; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-7283; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-144; classtype:attempted-user; sid:45210; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine toString use after free attempt"; flow:to_server,established; file_data; content:"|74 6F 53 74 72 69 6E 67 3D 28 29 3D 3E 7B 63 6F 6E 73 6F 6C 65 2E 6C 6F 67 28 22 69 6E 20 74 6F|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0773; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0773; classtype:attempted-user; sid:45396; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine toString use after free attempt"; flow:to_client,established; file_data; content:"|74 6F 53 74 72 69 6E 67 3D 28 29 3D 3E 7B 63 6F 6E 73 6F 6C 65 2E 6C 6F 67 28 22 69 6E 20 74 6F|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0773; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0773; classtype:attempted-user; sid:45395; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine type confusion attempt"; flow:to_server,established; file_data; content:"eval"; content:"function"; within:100; content:"with ({}) {"; within:100; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0775; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0775; classtype:attempted-user; sid:45392; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine type confusion attempt"; flow:to_client,established; file_data; content:"eval"; content:"function"; within:100; content:"with ({}) {"; within:100; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0775; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0775; classtype:attempted-user; sid:45391; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft IE array type confusion attempt"; flow:to_server,established; file_data; content:"__defineGetter__"; content:"function()"; within:100; content:"Array.prototype.reverse.apply("; fast_pattern; content:"[])"; within:50; content:".unshift("; within:100; content:"Object.defineProperty("; content:"value:"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0762; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0762; classtype:attempted-user; sid:45390; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft IE array type confusion attempt"; flow:to_client,established; file_data; content:"__defineGetter__"; content:"function()"; within:100; content:"Array.prototype.reverse.apply("; fast_pattern; content:"[])"; within:50; content:".unshift("; within:100; content:"Object.defineProperty("; content:"value:"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0762; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0762; classtype:attempted-user; sid:45389; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge anonymous function type confusion attempt"; flow:to_server,established; file_data; content:"|28|function"; content:"}|28 29 29| {"; within:100; fast_pattern; content:"}|29 28 29 3B|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0774; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0774; classtype:attempted-user; sid:45388; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge anonymous function type confusion attempt"; flow:to_client,established; file_data; content:"|28|function"; content:"}|28 29 29| {"; within:100; fast_pattern; content:"}|29 28 29 3B|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0774; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0774; classtype:attempted-user; sid:45387; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine integer overflow attempt"; flow:to_server,established; file_data; content:"for(var i=0|3B|i<(0xCFE7F80-offsetnumber)/0x20|3B|i++)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0758; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0758; classtype:attempted-user; sid:45384; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine integer overflow attempt"; flow:to_client,established; file_data; content:"for(var i=0|3B|i<(0xCFE7F80-offsetnumber)/0x20|3B|i++)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0758; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0758; classtype:attempted-user; sid:45383; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge type confusion attempt"; flow:to_server,established; file_data; content:"stack_arr[10000] = 2.3023e-320"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0776; reference:cve,2018-0933; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0776; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0933; classtype:attempted-user; sid:45379; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge type confusion attempt"; flow:to_client,established; file_data; content:"stack_arr[10000] = 2.3023e-320"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0776; reference:cve,2018-0933; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0776; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0933; classtype:attempted-user; sid:45378; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_server,established; file_data; content:"0x100000|3B 0D 0A| j + 0x7ffffff"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0769; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0769; classtype:attempted-user; sid:45377; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_client,established; file_data; content:"0x100000|3B 0D 0A| j + 0x7ffffff"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0769; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0769; classtype:attempted-user; sid:45376; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge out of bounds write attempt"; flow:to_server,established; file_data; content:"opt(arr, 0, 3)|3B 0D 0A 0D 0A 20 20 20 20|opt(arr, 0,"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0777; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0777; classtype:attempted-admin; sid:45375; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge out of bounds write attempt"; flow:to_client,established; file_data; content:"opt(arr, 0, 3)|3B 0D 0A 0D 0A 20 20 20 20|opt(arr, 0,"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0777; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0777; classtype:attempted-admin; sid:45374; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine ArrayBuffer memory corruption attempt"; flow:to_server,established; file_data; content:"Uint32Array"; content:"ArrayBuffer"; content:"valueOf"; content:" Worker("; within:60; content:".postMessage("; fast_pattern:only; content:".terminate()"; content:"null"; within:50; content:"Date.now"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11812; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11812; classtype:attempted-user; sid:45446; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine ArrayBuffer memory corruption attempt"; flow:to_client,established; file_data; content:"Uint32Array"; content:"ArrayBuffer"; content:"valueOf"; content:" Worker("; within:60; content:".postMessage("; fast_pattern:only; content:".terminate()"; content:"null"; within:50; content:"Date.now"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11812; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11812; classtype:attempted-user; sid:45445; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt"; flow:to_client,established; file_data; content:"|66 75 6E 63 74 69 6F 6E 20 74 72 69 67 67 65 72 28 29 20 7B 0D 0A 20 20 20 20 6C 65 74 20 61 2C 20 62 2C 20 63|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11809; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11809; classtype:attempted-user; sid:45475; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt"; flow:to_server,established; file_data; content:"|66 75 6E 63 74 69 6F 6E 20 74 72 69 67 67 65 72 28 29 20 7B 0D 0A 20 20 20 20 6C 65 74 20 61 2C 20 62 2C 20 63|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-11809; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11809; classtype:attempted-user; sid:45474; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BROWSER-IE Microsoft ChakraCore scripting engine memory corruption attempt"; flow:to_server,established; file_data; content:"|73 75 70 65 72 2E 61 72 72 20 3D 20 5B 31 5D 3B 0A 20 20 20 20 20 20 20 20 09 09 74 68 69 73 2E|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-11799; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11799; classtype:attempted-user; sid:45463; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft ChakraCore scripting engine memory corruption attempt"; flow:to_client,established; file_data; content:"|73 75 70 65 72 2E 61 72 72 20 3D 20 5B 31 5D 3B 0A 20 20 20 20 20 20 20 20 09 09 74 68 69 73 2E|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11799; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11799; classtype:attempted-user; sid:45462; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt"; flow:to_server,established; file_data; content:"arr[1] = 2.3023e-320 + parseInt('a'.replace('a', f))"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11802; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11802; classtype:attempted-user; sid:45517; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt"; flow:to_client,established; file_data; content:"arr[1] = 2.3023e-320 + parseInt('a'.replace('a', f))"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11802; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11802; classtype:attempted-user; sid:45516; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE toStaticHTML CSS import XSS exploit attempt"; flow:to_client,established; file_data; content:"body {background: expression|28|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-072; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:45514; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt"; flow:to_server,established; file_data; content:"function opt() { for (let i = 0|3B| i < 100|3B| i++) { let j = i - 2|3B| switch (i) { case 2"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11811; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11811; classtype:attempted-user; sid:45509; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt"; flow:to_client,established; file_data; content:"function opt() { for (let i = 0|3B| i < 100|3B| i++) { let j = i - 2|3B| switch (i) { case 2"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11811; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11811; classtype:attempted-user; sid:45508; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_server,established; content:".splice(0x41414141,0x41414142, 1"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0858; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0858; classtype:attempted-admin; sid:45660; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_client,established; content:".splice(0x41414141,0x41414142, 1"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0858; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0858; classtype:attempted-admin; sid:45659; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine type confusion attempt"; flow:to_client,established; file_data; content:"Array.prototype.__defineGetter__('"; content:"', Object.prototype.valueOf)|3B| print(opt())|3B|"; within:50; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0860; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0860; classtype:attempted-user; sid:45637; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine type confusion attempt"; flow:to_server,established; file_data; content:"Array.prototype.__defineGetter__('"; content:"', Object.prototype.valueOf)|3B| print(opt())|3B|"; within:50; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0860; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0860; classtype:attempted-user; sid:45636; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_server,established; file_data; content:"<script"; content:"function opt("; distance:0; content:"for (let i = 0|3B| i < "; distance:0; content:"000|3B| i++)"; within:15; fast_pattern; content:"opt"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11841; reference:cve,2017-11873; reference:cve,2017-11909; reference:cve,2017-11916; reference:cve,2017-11918; reference:cve,2018-0769; reference:cve,2018-0776; reference:cve,2018-0834; reference:cve,2018-0835; reference:cve,2018-0837; reference:cve,2018-0838; reference:cve,2018-0840; reference:cve,2018-0860; reference:cve,2018-0933; reference:cve,2018-0934; reference:cve,2018-0951; reference:cve,2018-0953; reference:cve,2018-0954; reference:cve,2018-0980; reference:cve,2018-8133; reference:cve,2018-8288; reference:cve,2018-8296; reference:cve,2018-8466; classtype:attempted-user; sid:45629; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_client,established; file_data; content:"<script"; content:"function opt("; distance:0; content:"for (let i = 0|3B| i < "; distance:0; content:"000|3B| i++)"; within:15; fast_pattern; content:"opt"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11841; reference:cve,2017-11873; reference:cve,2017-11909; reference:cve,2017-11916; reference:cve,2017-11918; reference:cve,2018-0769; reference:cve,2018-0776; reference:cve,2018-0834; reference:cve,2018-0835; reference:cve,2018-0837; reference:cve,2018-0838; reference:cve,2018-0840; reference:cve,2018-0860; reference:cve,2018-0933; reference:cve,2018-0934; reference:cve,2018-0951; reference:cve,2018-0953; reference:cve,2018-0954; reference:cve,2018-0980; reference:cve,2018-8133; reference:cve,2018-8236; reference:cve,2018-8288; reference:cve,2018-8296; reference:cve,2018-8466; classtype:attempted-user; sid:45628; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt"; flow:to_server,established; file_data; content:"lettmp={__proto__:proto}|3B|arr[0]=2.3023e-320|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0834; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0834; classtype:attempted-user; sid:45627; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt"; flow:to_client,established; file_data; content:"lettmp={__proto__:proto}|3B|arr[0]=2.3023e-320|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0834; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0834; classtype:attempted-user; sid:45626; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer localeCompare use after free attempt"; flow:to_server,established; file_data; content:"String.prototype.substr.call"; content:"String.prototype.localeCompare.call"; within:200; fast_pattern; content:"CollectGarbage"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0866; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0866; classtype:attempted-user; sid:45674; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer localeCompare use after free attempt"; flow:to_client,established; file_data; content:"String.prototype.substr.call"; content:"String.prototype.localeCompare.call"; within:200; fast_pattern; content:"CollectGarbage"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0866; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0866; classtype:attempted-user; sid:45673; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_server,established; file_data; content:"__lookupGetter__"; content:".call("; within:100; content:"0x"; within:25; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0893; classtype:attempted-user; sid:45899; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_client,established; file_data; content:"__lookupGetter__"; content:".call("; within:100; content:"0x"; within:25; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0893; classtype:attempted-user; sid:45898; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra Core type confusion attempt"; flow:to_client,established; file_data; content:"e1.style.setProperty(|22|border-top-left-radius|22|, |22|var(--v)|22|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0930; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0930; classtype:attempted-user; sid:45890; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra Core type confusion attempt"; flow:to_server,established; file_data; content:"e1.style.setProperty(|22|border-top-left-radius|22|, |22|var(--v)|22|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0930; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0930; classtype:attempted-user; sid:45889; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt"; flow:to_server,established; file_data; content:"<meta"; content:"IE=10"; within:200; content:"<script"; content:"vbscript"; within:100; content:"dim"; content:"Set"; within:100; content:"Join"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0889; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0889; classtype:misc-activity; sid:45888; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt"; flow:to_client,established; file_data; content:"<meta"; content:"IE=10"; within:200; content:"<script"; content:"vbscript"; within:100; content:"dim"; content:"Set"; within:100; content:"Join"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0889; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0889; classtype:misc-activity; sid:45887; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt"; flow:to_server,established; file_data; content:"jscript.encode"; fast_pattern:only; content:"content=|22|IE=8|22|"; nocase; content:"length"; content:"CollectGarbage"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0935; reference:cve,2018-8353; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0935; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8353; classtype:attempted-user; sid:45878; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt"; flow:to_client,established; file_data; content:"jscript.encode"; fast_pattern:only; content:"content=|22|IE=8|22|"; nocase; content:"length"; content:"CollectGarbage"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0935; reference:cve,2018-8353; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0935; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8353; classtype:attempted-user; sid:45877; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge uninitialized memory use attempt"; flow:to_server,established; file_data; content:"Array.prototype.includes.apply"; fast_pattern:only; content:"Function.prototype.toString"; content:"sort"; content:"undefined"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0874; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0874; classtype:attempted-user; sid:45876; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge uninitialized memory use attempt"; flow:to_client,established; file_data; content:"Array.prototype.includes.apply"; fast_pattern:only; content:"Function.prototype.toString"; content:"sort"; content:"undefined"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0874; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0874; classtype:attempted-user; sid:45875; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt"; flow:to_server,established; file_data; content:"swfobject.embedSWF|28 27|http"; content:"#"; within:100; content:"swfobject.js"; pcre:"/swfobject\x2EembedSWF\x28\x27https?:\x2F\x2F[^\x27]+?\x23/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0870; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0870; classtype:attempted-user; sid:46246; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt"; flow:to_server,established; file_data; content:"swfobject.embedSWF|28 22|http"; content:"#"; within:100; content:"swfobject.js"; pcre:"/swfobject\x2EembedSWF\x28\x22https?:\x2F\x2F[^\x22]+?\x23/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0870; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0870; classtype:attempted-user; sid:46245; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt"; flow:to_client,established; file_data; content:"swfobject.embedSWF|28 27|http"; content:"#"; within:100; content:"swfobject.js"; pcre:"/swfobject\x2EembedSWF\x28\x27https?:\x2F\x2F[^\x27]+?\x23/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0870; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0870; classtype:attempted-user; sid:46244; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt"; flow:to_client,established; file_data; content:"swfobject.embedSWF|28 22|http"; content:"#"; within:100; content:"swfobject.js"; pcre:"/swfobject\x2EembedSWF\x28\x22https?:\x2F\x2F[^\x22]+?\x23/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0870; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0870; classtype:attempted-user; sid:46243; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer JavaScript memory corruption attempt"; flow:to_server,established; file_data; content:"e.pp = s + s.substr(0, 0x1fffffed)|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1001; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1001; classtype:attempted-user; sid:46229; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer JavaScript memory corruption attempt"; flow:to_client,established; file_data; content:"e.pp = s + s.substr(0, 0x1fffffed)|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1001; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1001; classtype:attempted-user; sid:46228; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer object use after free attempt"; flow:to_server,established; file_data; content:"a[0] = {}|3B 0D 0A|a[0x40] = 1|3B 0D 0A|a.reverse()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0994; reference:cve,2018-0997; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0994; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0997; classtype:attempted-user; sid:46221; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer object use after free attempt"; flow:to_client,established; file_data; content:"a[0] = {}|3B 0D 0A|a[0x40] = 1|3B 0D 0A|a.reverse()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0994; reference:cve,2018-0997; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0994; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0997; classtype:attempted-user; sid:46220; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge out of bounds write attempt"; flow:to_server,established; file_data; content:"o = div1.innerHTML|3B 0D 0A 09|o.link(o)|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0996; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0996; classtype:attempted-admin; sid:46219; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge out of bounds write attempt"; flow:to_client,established; file_data; content:"o = div1.innerHTML|3B 0D 0A 09|o.link(o)|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0996; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0996; classtype:attempted-admin; sid:46218; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_server,established; file_data; content:"<script"; content:"function opt("; distance:0; content:"for (var i = 0|3B| i < "; distance:0; content:"000|3B| i++)"; within:15; fast_pattern; content:"opt"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0993; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0993; classtype:attempted-user; sid:46213; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_client,established; file_data; content:"<script"; content:"function opt("; distance:0; content:"for (var i = 0|3B| i < "; distance:0; content:"000|3B| i++)"; within:15; fast_pattern; content:"opt"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0993; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0993; classtype:attempted-user; sid:46212; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Windows Edge use-after-free attempt"; flow:to_server,established; file_data; content:"super.value"; fast_pattern:only; content:"Object.defineProperty"; content:"set:"; within:45; content:"Object.defineProperty"; within:100; content:"value:"; within:45; content:".__proto__"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0991; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0991; classtype:attempted-user; sid:46207; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows Edge use-after-free attempt"; flow:to_client,established; file_data; content:"super.value"; fast_pattern:only; content:"Object.defineProperty"; content:"set:"; within:45; content:"Object.defineProperty"; within:100; content:"value:"; within:45; content:".__proto__"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0991; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0991; classtype:attempted-user; sid:46206; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer array use after free attempt"; flow:to_server,established; file_data; content:" = new Array("; content:".fill(0x7fffffff)|3B|"; within:200; content:"[0] = {}|3B|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1018; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1018; classtype:attempted-user; sid:46205; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer array use after free attempt"; flow:to_client,established; file_data; content:" = new Array("; content:".fill(0x7fffffff)|3B|"; within:200; content:"[0] = {}|3B|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1018; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1018; classtype:attempted-user; sid:46204; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript String out of bounds write"; flow:to_server,established; file_data; content:"String(&h"; content:"chrw(&h"; within:50; content:"InStr"; content:"&h"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0988; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0988; classtype:attempted-user; sid:46199; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript String out of bounds write"; flow:to_client,established; file_data; content:"String(&h"; content:"chrw(&h"; within:50; content:"InStr"; content:"&h"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0988; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0988; classtype:attempted-user; sid:46198; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra use after free attempt"; flow:to_server,established; file_data; content:"super.value=0x111|3B|"; content:"super.value=0x7fffffff"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0990; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0990; classtype:attempted-user; sid:46195; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra use after free attempt"; flow:to_client,established; file_data; content:"super.value=0x111|3B|"; content:"super.value=0x7fffffff"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0990; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0990; classtype:attempted-user; sid:46194; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra use after free attempt"; flow:to_server,established; file_data; content:"[0] = {}|3B 0D 0A|array4[0] = 0x7fffff"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0995; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0995; classtype:attempted-admin; sid:46177; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra use after free attempt"; flow:to_client,established; file_data; content:"[0] = {}|3B 0D 0A|array4[0] = 0x7fffff"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0995; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0995; classtype:attempted-admin; sid:46176; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Internet Explorer URL file remote code execution attempt detected"; flow:to_server,established; file_data; content:"000214A0-0000-0000-C000-000000000046"; fast_pattern:only; content:"URL="; nocase; content:"file://"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3353; reference:url,technet.microsoft.com/en-us/library/security/ms16-104.aspx; classtype:attempted-user; sid:46385; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Internet Explorer URL file remote code execution attempt detected"; flow:to_client,established; file_data; content:"000214A0-0000-0000-C000-000000000046"; fast_pattern:only; content:"URL="; nocase; content:"file://"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3353; reference:url,technet.microsoft.com/en-us/library/security/ms16-104.aspx; classtype:attempted-user; sid:46384; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt"; flow:to_server,established; content:"use asm"; nocase; content:".fill("; within:150; content:".map("; within:25; content:".join("; within:100; metadata:service smtp; reference:cve,2017-8603; classtype:attempted-user; sid:46442; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt"; flow:to_client,established; content:"use asm"; nocase; content:".fill("; within:150; content:".map("; within:25; content:".join("; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-8603; classtype:attempted-user; sid:46441; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt"; flow:to_server,established; file_data; content:"body.parentNode("; content:"eval("; within:100; content:".innerHTML"; within:25; content:"setTimeout"; within:50; metadata:service smtp; reference:cve,2017-11764; classtype:attempted-admin; sid:46427; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt"; flow:to_server,established; file_data; content:"} catch ({e = eval('dd')}) {|0A 20 20 20|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-11764; classtype:attempted-admin; sid:46426; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt"; flow:to_client,established; file_data; content:"body.parentNode("; content:"eval("; within:100; content:".innerHTML"; within:25; content:"setTimeout"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11764; classtype:attempted-admin; sid:46425; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt"; flow:to_client,established; file_data; content:"} catch ({e = eval('dd')}) {|0A 20 20 20|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11764; classtype:attempted-admin; sid:46424; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge eval heap overflow attempt"; flow:to_server,established; file_data; content:"repeat(0x55555600)"; fast_pattern:only; content:"eval("; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2017-8641; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8641; classtype:attempted-user; sid:46508; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge eval heap overflow attempt"; flow:to_server,established; file_data; isdataat:!250; content:"{(function(){eval("; fast_pattern:only; pcre:"/(array|repeat)\x28(0x)*\d{8,}\x29/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2017-8641; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8641; classtype:attempted-user; sid:46507; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge eval heap overflow attempt"; flow:to_client,established; file_data; content:"repeat(0x55555600)"; fast_pattern:only; content:"eval("; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8641; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8641; classtype:attempted-user; sid:46506; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge eval heap overflow attempt"; flow:to_client,established; file_data; isdataat:!250; content:"{(function(){eval("; fast_pattern:only; pcre:"/(array|repeat)\x28[^\x29]*?(0x)*\d{8,}\x29/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8641; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8641; classtype:attempted-user; sid:46505; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra code execution attempt"; flow:to_server,established; file_data; content:"([arguments])"; content:"arguments.x|3B|"; within:50; metadata:service smtp; reference:cve,2017-8670; classtype:attempted-admin; sid:46472; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra code execution attempt"; flow:to_client,established; file_data; content:"([arguments])"; content:"arguments.x|3B|"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-8670; classtype:attempted-admin; sid:46471; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer prototype type confusion attempt"; flow:to_server,established; file_data; content:"for (var i = 0|3B| i < 0x10000|3B| i++)"; fast_pattern:only; content:"a[1] = 2.3023e-320"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8122; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8122; classtype:attempted-admin; sid:46595; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer prototype type confusion attempt"; flow:to_client,established; file_data; content:"for (var i = 0|3B| i < 0x10000|3B| i++)"; fast_pattern:only; content:"a[1] = 2.3023e-320"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8122; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8122; classtype:attempted-admin; sid:46594; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt"; flow:to_server,established; file_data; content:"JSON.parse("; fast_pattern; content:"function"; within:1250; content:"if(!"; within:50; content:"this|5B|"; within:1250; content:"new Number("; within:1250; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,94055; reference:cve,2016-7241; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-142; classtype:attempted-recon; sid:46593; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt"; flow:to_client,established; file_data; content:"JSON.parse("; fast_pattern; content:"function"; within:1250; content:"if(!"; within:50; content:"this|5B|"; within:1250; content:"new Number("; within:1250; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,94055; reference:cve,2016-7241; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-142; classtype:attempted-recon; sid:46592; rev:1;)
# sid 46555 (SMTP): IE RegExp use-after-free, CVE-2018-0955 and CVE-2019-0666. Keyed on one PoC-specific VBScript statement (variable names included) as the only content, so coverage is that exact code; drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt"; flow:to_server,established; file_data; content:"strNewString = objRegEx.Replace(block, repl)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0955; reference:cve,2019-0666; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0955; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0666; classtype:attempted-user; sid:46555; rev:2;)
# sid 46554 (file transfer to client): twin of sid 46555 for CVE-2018-0955 / CVE-2019-0666; single PoC-literal anchor, same limited coverage; drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt"; flow:to_client,established; file_data; content:"strNewString = objRegEx.Replace(block, repl)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0955; reference:cve,2019-0666; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0955; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0666; classtype:attempted-user; sid:46554; rev:2;)
# sid 46549 (SMTP): VBScript engine RCE family (CVE-2018-8174, -8242, -8371, -8625, CVE-2019-0793, -0794). Deliberately broad: any VBScript declaring a class with a Class_Terminate handler followed by Dim/Set within 150 bytes fires, and it drops in all three policies, so benign VBScript using Class_Terminate will also be blocked; triage hits against the CVE list rather than treating them as confirmed exploitation.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt"; flow:to_server,established; file_data; content:"class"; nocase; content:"Class_Terminate"; within:50; content:"Dim"; nocase; content:"Set"; within:150; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8174; reference:cve,2018-8242; reference:cve,2018-8371; reference:cve,2018-8625; reference:cve,2019-0793; reference:cve,2019-0794; classtype:attempted-admin; sid:46549; rev:8;)
# sid 46548 (file transfer to client): twin of sid 46549 for the VBScript RCE CVE family; same broad Class_Terminate/Dim/Set heuristic and the same false-positive and drop caveat.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt"; flow:to_client,established; file_data; content:"class"; nocase; content:"Class_Terminate"; within:50; content:"Dim"; nocase; content:"Set"; within:150; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8174; reference:cve,2018-8242; reference:cve,2018-8371; reference:cve,2018-8625; reference:cve,2019-0793; reference:cve,2019-0794; classtype:attempted-admin; sid:46548; rev:8;)
# sid 46545 (SMTP): Edge scripting engine use-after-free, CVE-2018-0946. Five ordered anchors (contentWindow.eval -> DataView/ArrayBuffer -> __lookupGetter__("buffer") -> arrow onload) tied to the PoC structure; no explicit fast_pattern, so Snort selects one; drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine use after free attempt"; flow:to_server,established; file_data; content:"contentWindow.eval("; content:"new DataView(new ArrayBuffer("; within:250; content:"DataView.prototype.__lookupGetter__("; within:100; content:"buffer"; within:7; content:"onload = () => {"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0946; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0946; classtype:attempted-user; sid:46545; rev:1;)
# sid 46544 (file transfer to client): twin of sid 46545 for CVE-2018-0946 with the same ordered PoC anchors; drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine use after free attempt"; flow:to_client,established; file_data; content:"contentWindow.eval("; content:"new DataView(new ArrayBuffer("; within:250; content:"DataView.prototype.__lookupGetter__("; within:100; content:"buffer"; within:7; content:"onload = () => {"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0946; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0946; classtype:attempted-user; sid:46544; rev:1;)
# sid 46607 (SMTP): Edge out-of-bounds memory access, CVE-2018-8137. The single literal embeds CRLF line endings (|0D 0A|), so the same PoC saved with LF-only endings or re-indented does not match; drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge out-of-bounds memory access attempt"; flow:to_server,established; file_data; content:"let arr = new Array(100)|3B 0D 0A|arr.fill(1.1)|3B 0D 0A|for(i=0|3B|i<0x100000|3B|i++)"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8137; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8137; classtype:attempted-user; sid:46607; rev:1;)
# sid 46606 (file transfer to client): twin of sid 46607 for CVE-2018-8137; same CRLF-bound literal and coverage caveat; drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge out-of-bounds memory access attempt"; flow:to_client,established; file_data; content:"let arr = new Array(100)|3B 0D 0A|arr.fill(1.1)|3B 0D 0A|for(i=0|3B|i<0x100000|3B|i++)"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8137; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8137; classtype:attempted-user; sid:46606; rev:1;)
# sid 46714 (SMTP, disabled by default): Edge out-of-bounds write, CVE-2018-8179. Anchored on RTCIceTransport(/new Array(/__defineGetter__/Uint32Array with .setRemoteCandidates( as fast pattern; no drop policy is set, so enabling it only alerts.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge out of bounds write attempt"; flow:to_server,established; file_data; content:"RTCIceTransport("; content:"new Array("; within:130; content:".__defineGetter__("; content:"new Uint32Array("; content:".setRemoteCandidates("; fast_pattern:only; metadata:service smtp; reference:cve,2018-8179; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8179; classtype:attempted-admin; sid:46714; rev:1;)
# sid 46713 (file transfer to client, disabled by default): twin of sid 46714 for CVE-2018-8179; alert-only, no drop policy.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge out of bounds write attempt"; flow:to_client,established; file_data; content:"RTCIceTransport("; content:"new Array("; within:130; content:".__defineGetter__("; content:"new Uint32Array("; content:".setRemoteCandidates("; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-8179; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8179; classtype:attempted-admin; sid:46713; rev:1;)
# sid 46746 (SMTP): carries no CVE/URL reference despite the "VBScript remote code execution" msg. It matches four generic Win32 API/DLL names (VirtualProtect, msvcrt.dll, NtContinue, kernelbase.dll) in file data, i.e. an exploit-payload heuristic rather than a specific vulnerability; expect hits on security write-ups, scripts and binaries carrying those strings, and note it drops in all three policies. Add a reference once the tracked issue is known.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt"; flow:to_server,established; file_data; content:"VirtualProtect"; content:"msvcrt.dll"; content:"NtContinue"; content:"kernelbase.dll"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-admin; sid:46746; rev:2;)
# sid 46745 (file transfer to client): twin of sid 46746; same four generic API/DLL name anchors, no reference, drops in all three policies. Treat as a payload heuristic and review for false positives on ordinary file downloads.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt"; flow:to_client,established; file_data; content:"VirtualProtect"; content:"msvcrt.dll"; content:"NtContinue"; content:"kernelbase.dll"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-admin; sid:46745; rev:2;)
# sid 46764 (SMTP, disabled by default): Edge Proxy object type confusion, CVE-2016-7240 / MS16-129; anchors `Proxy(` -> `eval,` -> `{})`. sids 47083/47082 below cover the same CVE with a different anchor set; only max-detect drops.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge proxy object type confusion attempt"; flow:to_server,established; file_data; content:"Proxy("; content:"eval,"; within:30; content:"{})"; within:50; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-7240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:46764; rev:1;)
# sid 46763 (file transfer to client, disabled by default): twin of sid 46764 for CVE-2016-7240; overlaps with sid 47082; only max-detect drops.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge proxy object type confusion attempt"; flow:to_client,established; file_data; content:"Proxy("; content:"eval,"; within:30; content:"{})"; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:46763; rev:1;)
# sid 46952 (SMTP, disabled by default): IE11 JScript use-after-free, CVE-2018-8267. `Array(0x` fast pattern followed by `toString` and `CollectGarbage()` within 200 bytes; CollectGarbage() is the most discriminating token, the others are common JS. Drops in security/max-detect if enabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 JScript use-after-free attempt"; flow:to_server,established; file_data; content:"Array(0x"; fast_pattern; content:"toString"; within:50; content:"CollectGarbage()"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8267; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8267; classtype:attempted-user; sid:46952; rev:1;)
# sid 46951 (file transfer to client, disabled by default): twin of sid 46952 for CVE-2018-8267; same Array(0x/toString/CollectGarbage() chain; drops in security/max-detect if enabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 JScript use-after-free attempt"; flow:to_client,established; file_data; content:"Array(0x"; fast_pattern; content:"toString"; within:50; content:"CollectGarbage()"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8267; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8267; classtype:attempted-user; sid:46951; rev:1;)
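# sid 46948 (SMTP, disabled by default): Edge Media Foundation use-after-free, CVE-2018-8251. Keyed on a PoC-specific currentTime literal plus an opaque profile string. The reference option originally read `reference:url,reference:url,portal...`, a duplicated prefix that yields a bogus URL reference; corrected here to a single `reference:url,`. rev left unchanged so upstream updates still supersede this copy.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt"; flow:to_server,established; file_data; content:"audio1.currentTime = 0.632825920831"; fast_pattern:only; content:"profile=|22|7I`4|3B 7C|wVKmB5|5C|3|22|"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-8251; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8251; classtype:attempted-user; sid:46948; rev:1;)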
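# sid 46947 (file transfer to client, disabled by default): twin of sid 46948 for CVE-2018-8251. Same duplicated `reference:url,reference:url,` prefix as the SMTP variant, corrected to a single `reference:url,`; rev left unchanged so upstream updates still supersede this copy.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt"; flow:to_client,established; file_data; content:"audio1.currentTime = 0.632825920831"; fast_pattern:only; content:"profile=|22|7I`4|3B 7C|wVKmB5|5C|3|22|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8251; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8251; classtype:attempted-user; sid:46947; rev:1;)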
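# sid 46945 (SMTP): IE memory corruption, CVE-2018-8249. SVG radialGradient/textPath followed by paired execCommand insert/undo calls (the negative distance lets the second execCommand precede the first match). The `flow` option was written `to_server, established` with a space, unlike every other rule in this file; normalized to `to_server,established` so it does not depend on the parser trimming whitespace. Drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_server,established; file_data; content:"<radialGradient"; content:"<textPath"; within:200; content:"execCommand"; content:"insert"; within:20; nocase; content:"execCommand"; within:500; distance:-200; content:"undo"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8249; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8249; classtype:attempted-user; sid:46945; rev:1;)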
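# sid 46944 (file transfer to client): twin of sid 46945 for CVE-2018-8249. `flow:to_client, established` normalized to `to_client,established` for consistency with the rest of the file; drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_client,established; file_data; content:"<radialGradient"; content:"<textPath"; within:200; content:"execCommand"; content:"insert"; within:20; nocase; content:"execCommand"; within:500; distance:-200; content:"undo"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8249; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8249; classtype:attempted-user; sid:46944; rev:1;)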
# sid 46934 (file transfer to client, disabled by default): Edge Chakra type confusion, CVE-2018-8229. `.charCodeAt('` fast pattern then setTimeout( and location.reload; these are common page idioms, so expect noise if enabled. Drops in security/max-detect.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt"; flow:to_client,established; file_data; content:".charCodeAt(|27|"; fast_pattern; content:"setTimeout("; within:500; content:"location.reload"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8229; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8229; classtype:attempted-user; sid:46934; rev:1;)
# sid 46933 (SMTP, disabled by default): SMTP twin of sid 46934 for CVE-2018-8229; same charCodeAt/setTimeout/location.reload chain and noise caveat. Drops in security/max-detect.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt"; flow:to_server,established; file_data; content:".charCodeAt(|27|"; fast_pattern; content:"setTimeout("; within:500; content:"location.reload"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8229; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8229; classtype:attempted-user; sid:46933; rev:1;)
# sid 46930 (SMTP): Edge type confusion, CVE-2018-8111. Two independent chains (selectedIndex->appendChild, <select->padding-left) plus the `-webkit-transform-style: preserve-3d` fast pattern; all anchors are ordinary DOM/CSS tokens, so the rule relies on their combination. Drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge type confusion memory corruption attempt"; flow:to_server,established; file_data; content:"selectedIndex"; content:"appendChild"; within:100; content:"<select"; content:"padding-left"; within:100; content:"-webkit-transform-style"; fast_pattern; content:"preserve-3d"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8111; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8111; classtype:attempted-user; sid:46930; rev:1;)
# sid 46929 (file transfer to client): twin of sid 46930 for CVE-2018-8111; same combination of common DOM/CSS anchors; drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge type confusion memory corruption attempt"; flow:to_client,established; file_data; content:"selectedIndex"; content:"appendChild"; within:100; content:"<select"; content:"padding-left"; within:100; content:"-webkit-transform-style"; fast_pattern; content:"preserve-3d"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8111; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8111; classtype:attempted-user; sid:46929; rev:1;)
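# sid 46928 (SMTP): Edge ClipPath out-of-bounds write, CVE-2018-8110. Single PoC-literal anchor (svgvar00044.setAttribute("x-height", "4141414141")). The MSRC advisory URL carried by the client-side twin (sid 46927) was missing here and is added for consistency; rev left unchanged so upstream updates still supersede this copy. Drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt"; flow:to_server,established; file_data; content:"try { svgvar00044.setAttribute(|22|x-height|22|, |22|4141414141|22|)|3B| }"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8110; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8110; classtype:attempted-user; sid:46928; rev:1;)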
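# sid 46927 (file transfer to client): twin of sid 46928 for CVE-2018-8110. The reference was written `reference:url,url,portal...`, which produces a malformed URL reference; corrected to `reference:url,portal...`. rev left unchanged so upstream updates still supersede this copy. Drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt"; flow:to_client,established; file_data; content:"try { svgvar00044.setAttribute(|22|x-height|22|, |22|4141414141|22|)|3B| }"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8110; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8110; classtype:attempted-user; sid:46927; rev:1;)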
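# sid 47058 (SMTP): Edge edgehtml.dll uninitialized pointer, CVE-2016-3222. Anchors `document` -> `.isEqualNode` within 25 plus `textTracks` (nocase); no explicit fast pattern. The MS16-068 bulletin URL present on the client-side twin (sid 47057) was missing here and is added for consistency; rev left unchanged. Drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt"; flow:to_server,established; file_data; content:"document"; content:".isEqualNode"; within:25; content:"textTracks"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3222; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-068; classtype:attempted-user; sid:47058; rev:1;)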
# sid 47057 (file transfer to client): twin of sid 47058 for CVE-2016-3222 / MS16-068; same document/.isEqualNode/textTracks anchors; drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt"; flow:to_client,established; file_data; content:"document"; content:".isEqualNode"; within:25; content:"textTracks"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3222; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-068; classtype:attempted-user; sid:47057; rev:1;)
# sid 47054 (SMTP, disabled by default): IE uninitialized pointer, CVE-2016-0186 / CVE-2016-0191, MS16-052. Anchored on a Proxy `has` trap that always returns true followed by `new Proxy(` within 50 bytes; only max-detect drops.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt"; flow:to_server,established; file_data; content:"has: function(){return true|3B|}"; content:"new Proxy("; within:50; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-0186; reference:cve,2016-0191; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-052; classtype:attempted-user; sid:47054; rev:1;)
# sid 47053 (file transfer to client, disabled by default): twin of sid 47054 for CVE-2016-0186 / CVE-2016-0191; only max-detect drops.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt"; flow:to_client,established; file_data; content:"has: function(){return true|3B|}"; content:"new Proxy("; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0186; reference:cve,2016-0191; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-052; classtype:attempted-user; sid:47053; rev:1;)
# sid 47083 (SMTP, disabled by default): second signature for Edge Proxy type confusion CVE-2016-7240 (see sid 46764). Anchors `eval` -> `new Proxy(` -> `{` -> `})` are very generic; treat as a low-confidence heuristic if enabled. Only max-detect drops.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge proxy object type confusion attempt"; flow:to_server,established; file_data; content:"eval"; content:"new Proxy("; within:60; content:"{"; within:50; content:"})"; within:30; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-7240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:47083; rev:1;)
# sid 47082 (file transfer to client, disabled by default): twin of sid 47083 for CVE-2016-7240; same generic eval/new Proxy anchors and low-confidence caveat; only max-detect drops.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge proxy object type confusion attempt"; flow:to_client,established; file_data; content:"eval"; content:"new Proxy("; within:60; content:"{"; within:50; content:"})"; within:30; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-129; classtype:attempted-user; sid:47082; rev:1;)
# sid 47072 (SMTP, disabled by default): Edge cross-origin audio data leak, CVE-2018-8235. Unlike every other rule in this section it has no file_data, so the seven anchors are matched against the raw SMTP payload rather than the decoded attachment, and no fast_pattern is declared. The msg says "Cross Origin Request Sharing"; the standard term is Cross-Origin Resource Sharing. Alert-only, no drop policy.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Cross Origin Request Sharing information leak attempt"; flow:to_server,established; content:"document.querySelector("; content:"audio"; within:10; content:".getChannelData("; content:".connect("; content:".from("; content:".map("; content:".fromCharCode("; metadata:service smtp; reference:cve,2018-8235; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8235; classtype:attempted-recon; sid:47072; rev:1;)
# sid 47071 (file transfer to client, disabled by default): twin of sid 47072 for CVE-2018-8235; also lacks file_data (raw payload match, not decoded file content) and has the same msg wording issue. Alert-only.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Cross Origin Request Sharing information leak attempt"; flow:to_client,established; content:"document.querySelector("; content:"audio"; within:10; content:".getChannelData("; content:".connect("; content:".from("; content:".map("; content:".fromCharCode("; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-8235; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8235; classtype:attempted-recon; sid:47071; rev:1;)
# sid 47066 (SMTP, disabled by default): Edge Array.join information disclosure, CVE-2016-7189 / MS16-119. Anchored on defineProperty(Array.prototype ...) with a getter and a .join within 150 bytes; only max-detect drops.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge array.join information disclosure attempt"; flow:to_server,established; file_data; content:"Object.defineProperty(Array.prototype"; content:"get: function() {"; within:50; fast_pattern; content:".join"; within:150; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-7189; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:47066; rev:1;)
# sid 47065 (file transfer to client, disabled by default): twin of sid 47066 for CVE-2016-7189; only max-detect drops.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge array.join information disclosure attempt"; flow:to_client,established; file_data; content:"Object.defineProperty(Array.prototype"; content:"get: function() {"; within:50; fast_pattern; content:".join"; within:150; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7189; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:47065; rev:1;)
# sid 48133 (SMTP, disabled by default): Edge sandbox escape, CVE-2018-8463 / CVE-2018-8469. Matches window.external.LaunchIE( followed, after one byte (the opening quote), by a file:// URL; drops in security/max-detect if enabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge sandbox escape attempt"; flow:to_server,established; file_data; content:"window.external.LaunchIE("; content:"file://"; within:7; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8463; reference:cve,2018-8469; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8469; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8463; classtype:attempted-user; sid:48133; rev:1;)
# sid 48132 (file transfer to client, disabled by default): twin of sid 48133 for CVE-2018-8463 / CVE-2018-8469 (LaunchIE with a file:// argument); drops in security/max-detect if enabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge sandbox escape attempt"; flow:to_client,established; file_data; content:"window.external.LaunchIE("; content:"file://"; within:7; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8463; reference:cve,2018-8469; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8469; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8463; classtype:attempted-user; sid:48132; rev:1;)
# sid 48131 (SMTP, disabled by default): second signature for the CVE-2018-8463 / CVE-2018-8469 sandbox escape, keyed on a res:// URL reaching /edgehtml.dll/flags.htm within 200 bytes; drops in security/max-detect if enabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge sandbox escape attempt"; flow:to_server,established; file_data; content:"res://"; content:"/edgehtml.dll/flags.htm"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8463; reference:cve,2018-8469; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8469; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8463; classtype:attempted-user; sid:48131; rev:1;)
# sid 48130 (file transfer to client, disabled by default): twin of sid 48131 (res:// ... /edgehtml.dll/flags.htm) for CVE-2018-8463 / CVE-2018-8469; drops in security/max-detect if enabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge sandbox escape attempt"; flow:to_client,established; file_data; content:"res://"; content:"/edgehtml.dll/flags.htm"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8463; reference:cve,2018-8469; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8469; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8463; classtype:attempted-user; sid:48130; rev:1;)
# sid 48054 (SMTP): Edge App-V script abuse, CVE-2018-8495. The only anchor is the filename SyncAppvPublishingServer.vbs, which also appears in legitimate App-V administration material; because it drops in all three policies, mail carrying that name (documentation, admin scripts) will be blocked, not just alerted on.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge App-v vbs command attempt"; flow:to_server,established; file_data; content:"SyncAppvPublishingServer.vbs"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8495; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8495; classtype:attempted-user; sid:48054; rev:1;)
# sid 48053 (file transfer to client): twin of sid 48054 for CVE-2018-8495; filename-only anchor, drops in all three policies, so legitimate downloads mentioning SyncAppvPublishingServer.vbs are blocked too.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge App-v vbs command attempt"; flow:to_client,established; file_data; content:"SyncAppvPublishingServer.vbs"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8495; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8495; classtype:attempted-user; sid:48053; rev:1;)
# sid 48052 (file transfer to client, disabled by default): Edge OP_Memset type confusion, CVE-2018-8505 / CVE-2019-0771. The sole anchor is a loop header `let i = 0;i < 0x10000;i++` with no spaces after the semicolons; a generic construct, so disabled-by-default is appropriate. Drops in security/max-detect if enabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge OP_Memset type confusion attempt"; flow:to_client,established; file_data; content:"let i = 0|3B|i < 0x10000|3B|i++"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8505; reference:cve,2019-0771; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8505; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0771; classtype:attempted-user; sid:48052; rev:2;)
# sid 48051 (SMTP, disabled by default): SMTP twin of sid 48052 for CVE-2018-8505 / CVE-2019-0771; same generic loop-header anchor; drops in security/max-detect if enabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge OP_Memset type confusion attempt"; flow:to_server,established; file_data; content:"let i = 0|3B|i < 0x10000|3B|i++"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8505; reference:cve,2019-0771; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8505; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0771; classtype:attempted-user; sid:48051; rev:2;)
# sid 48050 (file transfer to client, disabled by default): IE WebCrypto import-key use-after-free, CVE-2018-8491. Single PoC-literal anchor (`leakedData = new Uint8Array(leakedDataBuffer)`), so only the unmodified PoC is covered; drops in security/max-detect if enabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer import key use-after-free attempt"; flow:to_client,established; file_data; content:"leakedData = new Uint8Array(leakedDataBuffer)"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8491; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8491; classtype:attempted-user; sid:48050; rev:1;)
# sid 48049 (SMTP, disabled by default): SMTP twin of sid 48050 for CVE-2018-8491; single PoC-literal anchor; drops in security/max-detect if enabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer import key use-after-free attempt"; flow:to_server,established; file_data; content:"leakedData = new Uint8Array(leakedDataBuffer)"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8491; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8491; classtype:attempted-user; sid:48049; rev:1;)
# sid 48046 (SMTP, disabled by default): Edge DOMAttrModified use-after-free, CVE-2018-8460. The literal fixes the PoC's exact spacing and an LF (|0A|) between the addEventListener call and `elm.className`, so reformatted or CRLF copies do not match. Drops in security/max-detect if enabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge DomAttrModified use after free attempt"; flow:to_server,established; file_data; content:"elm.addEventListener(|27|DOMAttrModified|27|, func, true) |0A|elm.className"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8460; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8460; classtype:attempted-user; sid:48046; rev:1;)
# sid 48045 (file transfer to client, disabled by default): twin of sid 48046 for CVE-2018-8460; same whitespace/LF-bound literal; drops in security/max-detect if enabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge DomAttrModified use after free attempt"; flow:to_client,established; file_data; content:"elm.addEventListener(|27|DOMAttrModified|27|, func, true) |0A|elm.className"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8460; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8460; classtype:attempted-user; sid:48045; rev:1;)
# sid 47761 (HTTP to client only, disabled by default; no SMTP twin): IE iframe open redirect, CVE-2018-8470. Content anchors find an <iframe src= with a `url=\\` parameter; the PCRE captures the src host as a named group and fires only when the backslash-prefixed url= host differs from it (negative backreference lookahead). Alert-only, no drop policy.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer iframe open redirect attempt"; flow:to_client,established; file_data; content:"<iframe"; depth:100; nocase; content:"src="; within:50; nocase; content:"url=|5C 5C|"; within:50; nocase; pcre:"/<iframe[^>]*?src=[\x22\x27]http:\x2f\x2f(?P<host>[^\x2f\x22\x27]+)\x2f[^\x22\x27]*?[\x3f\x26]url=\x5c\x5c((?!(?P=host))[^\x5c])+\x5c/i"; metadata:service http; reference:cve,2018-8470; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8470; classtype:attempted-recon; sid:47761; rev:1;)
# sid 47748 (file transfer to client): IE MSXML use-after-free, CVE-2018-8420. Msxml2.XMLHTTP.6.0 ProgID as fast pattern, then two .onreadystatechange assignments (one to `new`, one to `Nothing`, VBScript style, nocase). Drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer MSXML use after free attempt"; flow:to_client,established; file_data; content:"Msxml2.XMLHTTP.6.0"; fast_pattern:only; content:".onreadystatechange"; nocase; content:"new"; within:20; nocase; content:".onreadystatechange"; nocase; content:"Nothing"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8420; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8420; classtype:attempted-user; sid:47748; rev:1;)
# sid 47747 (SMTP): SMTP twin of sid 47748 for CVE-2018-8420; same Msxml2.XMLHTTP.6.0 / onreadystatechange chain; drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer MSXML use after free attempt"; flow:to_server,established; file_data; content:"Msxml2.XMLHTTP.6.0"; fast_pattern:only; content:".onreadystatechange"; nocase; content:"new"; within:20; nocase; content:".onreadystatechange"; nocase; content:"Nothing"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8420; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8420; classtype:attempted-user; sid:47747; rev:1;)
# sid 47743 (SMTP): Edge type confusion, CVE-2018-8467. Single PoC-literal anchor `arr2.method(arr2[0] = {});` (variable names included); drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge type confusion code execution attempt"; flow:to_server,established; file_data; content:"arr2.method|28|arr2[0] = {}|29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8467; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8467; classtype:attempted-user; sid:47743; rev:1;)
# sid 47742 (file transfer to client): twin of sid 47743 for CVE-2018-8467; single PoC-literal anchor; drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge type confusion code execution attempt"; flow:to_client,established; file_data; content:"arr2.method|28|arr2[0] = {}|29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8467; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8467; classtype:attempted-user; sid:47742; rev:1;)
# sid 47739 (SMTP): IE memory corruption, CVE-2018-8461. The literal starts with the exact bytes `'; \n\t` (|27 3B 20 0A 09|) preceding `oDiv1.onresize = function(e`, so indentation or line-ending changes to the PoC defeat it. Drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_server,established; file_data; content:"|27 3B 20 0A 09|oDiv1.onresize = function(e"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8461; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8461; classtype:attempted-user; sid:47739; rev:1;)
# sid 47738 (file transfer to client): twin of sid 47739 for CVE-2018-8461; same whitespace-bound literal; drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_client,established; file_data; content:"|27 3B 20 0A 09|oDiv1.onresize = function(e"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8461; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8461; classtype:attempted-user; sid:47738; rev:1;)
# sid 47737 (SMTP): Edge JIT type confusion, CVE-2018-8391. Single PoC-literal anchor `let value = jit(arr, offset, offset+1, 1);`; drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge type confusion memory corruption attempt"; flow:to_server,established; file_data; content:"let value = jit(arr, offset, offset+1, 1)|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8391; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8391; classtype:attempted-user; sid:47737; rev:1;)
# sid 47736 (file transfer to client): twin of sid 47737 for CVE-2018-8391; single PoC-literal anchor; drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge type confusion memory corruption attempt"; flow:to_client,established; file_data; content:"let value = jit(arr, offset, offset+1, 1)|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8391; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8391; classtype:attempted-user; sid:47736; rev:1;)
# sid 47735 (SMTP): Edge Chakra use-after-free, CVE-2018-8367. Single PoC literal that embeds CRLF (|0D 0A|) and the PoC's identifiers (obj_arr[1333], evil); LF-only or renamed copies do not match. Drops in balanced/security/max-detect policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra engine use after free exploit attempt"; flow:to_server,established; file_data; content:"{}|3B 0D 0A|let evil = obj_arr[1333].splice(0, obj_arr[1333].length)|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8367; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8367; classtype:attempted-user; sid:47735; rev:1;)
|
|
# sid 47734 — CVE-2018-8367 Chakra use-after-free, client-bound twin of sid 47735 (same CRLF-specific literal).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra engine use after free exploit attempt"; flow:to_client,established; file_data; content:"{}|3B 0D 0A|let evil = obj_arr[1333].splice(0, obj_arr[1333].length)|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8367; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8367; classtype:attempted-user; sid:47734; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge empty prototype use-after-free attempt"; flow:to_server,established; file_data; content:"Object.defineProperty(o2, 'hahaha', { set: function(){} })"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8459; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8459; classtype:attempted-user; sid:47733; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge empty prototype use-after-free attempt"; flow:to_client,established; file_data; content:"Object.defineProperty(o2, 'hahaha', { set: function(){} })"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8459; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8459; classtype:attempted-user; sid:47732; rev:1;)
|
|
# sid 47731 — CVE-2018-8447 IE memory corruption, inbound SMTP. Literal "table1.deleteRow();" + LF + TAB + "tfoot1.rows";
# the LF/TAB bytes make it formatting-specific. Twin of sid 47730.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_server,established; file_data; content:"table1.deleteRow|28 29 3B 0A 09|tfoot1.rows"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8447; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8447; classtype:attempted-user; sid:47731; rev:1;)
|
|
# sid 47730 — CVE-2018-8447 IE memory corruption, client-bound over FTP-data/HTTP/IMAP/POP3; same literal as sid 47731.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_client,established; file_data; content:"table1.deleteRow|28 29 3B 0A 09|tfoot1.rows"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8447; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8447; classtype:attempted-user; sid:47730; rev:1;)
|
|
# sid 47638 — CVE-2018-0953 Chakra floating-point type confusion, client-bound. Requires two subnormal double literals
# in file_data: "-5.3049894784e-314" (fast pattern) and "2.3023e-320" (non-relative, anywhere in the buffer).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt"; flow:to_client,established; file_data; content:"-5.3049894784e-314"; fast_pattern:only; content:"2.3023e-320"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0953; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0953; classtype:attempted-user; sid:47638; rev:1;)
|
|
# sid 47637 — CVE-2018-0953 Chakra floating-point type confusion, inbound SMTP. "0x80000002" is the fast pattern; the
# following "80000002" is relative (within:250), so it must be a SECOND occurrence starting after the first match;
# "2.3023e-320" is non-relative and may sit anywhere in file_data.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt"; flow:to_server,established; file_data; content:"0x80000002"; fast_pattern; content:"80000002"; within:250; content:"2.3023e-320"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0953; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0953; classtype:attempted-user; sid:47637; rev:1;)
|
|
# sid 47636 — CVE-2018-0953 Chakra floating-point type confusion, SMTP twin of sid 47638 (same two subnormal literals).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt"; flow:to_server,established; file_data; content:"-5.3049894784e-314"; fast_pattern:only; content:"2.3023e-320"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0953; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0953; classtype:attempted-user; sid:47636; rev:1;)
|
|
# sid 47635 — CVE-2018-0953 Chakra floating-point type confusion, client-bound twin of sid 47637 ("0x80000002", a second
# "80000002" within 250 bytes after it, and "2.3023e-320" anywhere in file_data).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt"; flow:to_client,established; file_data; content:"0x80000002"; fast_pattern; content:"80000002"; within:250; content:"2.3023e-320"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0953; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0953; classtype:attempted-user; sid:47635; rev:1;)
|
|
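# sid 47592 — CVE-2018-8373 IE VBScript engine memory corruption, inbound SMTP. Keyword-based rather than a PoC
# fingerprint: Class_Initialize (fast pattern), "vbscript", "ReDim" followed by "Preserve" within 50 bytes, and
# "Default" followed by "Property" within 50 bytes. VBScript keywords and identifiers are case-insensitive, so the
# original case-sensitive contents were evaded by e.g. "redim preserve" or "CLASS_INITIALIZE"; nocase is now applied to
# every keyword content (rev bumped). Because it is keyword-based, any VBScript class with a default property and a
# ReDim Preserve can also match — treat as higher-FP than the literal-fingerprint rules around it.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt"; flow:to_server,established; file_data; content:"Class_Initialize"; nocase; fast_pattern:only; content:"vbscript"; nocase; content:"ReDim"; nocase; content:"Preserve"; within:50; nocase; content:"Default"; nocase; content:"Property"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8373; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373; classtype:attempted-user; sid:47592; rev:2;)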
|
|
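# sid 47591 — CVE-2018-8373 IE VBScript engine memory corruption, client-bound over FTP-data/HTTP/IMAP/POP3. Same
# keyword chain as sid 47592 (Class_Initialize, vbscript, ReDim..Preserve, Default..Property). VBScript is
# case-insensitive, so the keyword contents now carry nocase to stop trivial case-change evasion (rev bumped).
# Keyword-based rules like this one are more FP-prone than the exact-literal rules in this section.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt"; flow:to_client,established; file_data; content:"Class_Initialize"; nocase; fast_pattern:only; content:"vbscript"; nocase; content:"ReDim"; nocase; content:"Preserve"; within:50; nocase; content:"Default"; nocase; content:"Property"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8373; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373; classtype:attempted-user; sid:47591; rev:2;)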
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra Scripting Engine localeCompare type confusion attempt"; flow:to_client,established; file_data; content:"'a'.localeCompare('x', [])"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8355; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8355; classtype:attempted-user; sid:47493; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra Scripting Engine localeCompare type confusion attempt"; flow:to_server,established; file_data; content:"'a'.localeCompare('x', [])"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8355; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8355; classtype:attempted-user; sid:47492; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra Scripting Engine memory corruption attempt"; flow:to_client,established; file_data; content:"o.e = 0x41414141|3B| // [[ 1 ]]"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8266; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8266; classtype:attempted-user; sid:47491; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra Scripting Engine memory corruption attempt"; flow:to_server,established; file_data; content:"o.e = 0x41414141|3B| // [[ 1 ]]"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8266; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8266; classtype:attempted-user; sid:47490; rev:1;)
|
|
# sid 47489 — CVE-2018-8403 Edge transform type confusion, inbound SMTP. Needs the two CSS declarations
# "outline-style:outset;" (fast pattern) and "transform-style:preserve-3d;" anywhere in file_data, as exact bytes:
# no space after the colon and case-sensitive, although CSS accepts both variations — so this is a sample fingerprint,
# and adding nocase alone would not close the whitespace gap.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge transform type confusion attempt"; flow:to_server,established; file_data; content:"outline-style|3A|outset|3B|"; fast_pattern:only; content:"transform-style|3A|preserve-3d|3B|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8403; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8403; classtype:attempted-user; sid:47489; rev:1;)
|
|
# sid 47488 — CVE-2018-8403 Edge transform type confusion, client-bound twin of sid 47489 (same two exact-byte CSS
# declarations; whitespace or case changes in the CSS evade it).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge transform type confusion attempt"; flow:to_client,established; file_data; content:"outline-style|3A|outset|3B|"; fast_pattern:only; content:"transform-style|3A|preserve-3d|3B|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8403; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8403; classtype:attempted-user; sid:47488; rev:1;)
|
|
# sid 47487 — CVE-2018-8387 Edge out-of-bounds write (WebGL), client-bound. Ordered chain: an "x-shader/x-fragment"
# script type, then "main(" within 250 and "void" within 100 of it; then a non-relative "STREAM_DRAW" followed by
# ".drawArrays" (within 250), "DYNAMIC_DRAW" (within 500) and ".drawElements" (within 250), each relative to the previous
# match. All of these tokens are ordinary WebGL usage, so expect false positives on legitimate WebGL pages; drops in
# balanced/security/max-detect.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge out of bounds write attempt"; flow:to_client,established; file_data; content:"x-shader|2F|x-fragment"; fast_pattern; content:"main("; within:250; content:"void"; within:100; content:"STREAM_DRAW"; content:".drawArrays"; within:250; content:"DYNAMIC_DRAW"; within:500; content:".drawElements"; within:250; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8387; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8387; classtype:attempted-user; sid:47487; rev:1;)
|
|
# sid 47486 — CVE-2018-8387 Edge out-of-bounds write (WebGL), SMTP twin of sid 47487; same ordered WebGL token chain,
# same false-positive caveat for benign WebGL content in mail.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge out of bounds write attempt"; flow:to_server,established; file_data; content:"x-shader|2F|x-fragment"; fast_pattern; content:"main("; within:250; content:"void"; within:100; content:"STREAM_DRAW"; content:".drawArrays"; within:250; content:"DYNAMIC_DRAW"; within:500; content:".drawElements"; within:250; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8387; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8387; classtype:attempted-user; sid:47486; rev:1;)
|
|
# sid 47485 — CVE-2018-8389 IE memory corruption, inbound SMTP. Literal "CollectGarbage();" LF "};" LF
# "var z = new ActiveXObject" — LF-only line endings and the variable name z are part of the fingerprint.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_server,established; file_data; content:"CollectGarbage()|3B 0A 7D 3B 0A|var z = new ActiveXObject"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8389; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8389; classtype:attempted-user; sid:47485; rev:1;)
|
|
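# sid 47484 — CVE-2018-8389 IE memory corruption, client-bound; same literal as sid 47485. Every other client-side rule
# in this section watches $FILE_DATA_PORTS with service ftp-data/http/imap/pop3, but this one was limited to $HTTP_PORTS
# and service http, leaving the same payload undetected over FTP-data, IMAP and POP3 while its SMTP twin exists. Header
# and service list are now aligned with the rest of the file (rev bumped); the content is unchanged.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_client,established; file_data; content:"CollectGarbage()|3B 0A 7D 3B 0A|var z = new ActiveXObject"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8389; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8389; classtype:attempted-user; sid:47484; rev:2;)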
|
|
# sid 47481 — CVE-2018-8384 Edge type confusion, inbound SMTP. Fingerprint of an object literal "let o = {" LF
# " get a() {}," LF " 0: 0," (getter followed by a numeric key); LF-specific and tied to the names o/a.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge type confusion vulnerability attempt"; flow:to_server,established; file_data; content:"let o = {|0A| get a() {},|0A| 0: 0,"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8384; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8384; classtype:attempted-user; sid:47481; rev:1;)
|
|
# sid 47480 — CVE-2018-8384 Edge type confusion, client-bound twin of sid 47481 (same LF-specific object-literal fingerprint).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge type confusion vulnerability attempt"; flow:to_client,established; file_data; content:"let o = {|0A| get a() {},|0A| 0: 0,"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8384; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8384; classtype:attempted-user; sid:47480; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra Scripting Engine type confusion attempt"; flow:to_server,established; file_data; content:"([{},{}],[{},{}])|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8372; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8372; classtype:attempted-user; sid:47479; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra Scripting Engine type confusion attempt"; flow:to_client,established; file_data; content:"([{},{}],[{},{}])|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8372; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8372; classtype:attempted-user; sid:47478; rev:1;)
|
|
# sid 47475 — CVE-2018-8383 Edge redirection/spoofing, inbound SMTP. Matches an ASSIGNMENT to window.location.replace
# ('window.location.replace = "http://" + domain;'), not a call; the identifier "domain" is part of the literal.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge browser redirection vulnerability attempt"; flow:to_server,established; file_data; content:"window.location.replace = |22|http://|22| + domain|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8383; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8383; classtype:attempted-user; sid:47475; rev:1;)
|
|
# sid 47474 — CVE-2018-8383 Edge redirection/spoofing, client-bound twin of sid 47475 (same assignment literal).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge browser redirection vulnerability attempt"; flow:to_client,established; file_data; content:"window.location.replace = |22|http://|22| + domain|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8383; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8383; classtype:attempted-user; sid:47474; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt"; flow:to_client,established; file_data; content:"data=|22|line|22|> |0D 0A 09 09|<pre></pre>|0D 0A 09 09|<button> </button>"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-0025; reference:cve,2013-1288; reference:cve,2015-6050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-021; classtype:attempted-user; sid:47463; rev:1;)
|
|
# sid 47311 — CVE-2016-3288 / MS16-095 IE page-layout use-after-free, client-bound. API-sequence rule (all nocase):
# "FileReader(" then "readAsText(" within 100 bytes, then "Blob(" within 20 bytes of that — i.e. readAsText(new Blob(...)).
# This is benign JavaScript as well, so expect some false positives; drops in balanced/security/max-detect.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer page layout use after free attempt"; flow:to_client,established; file_data; content:"FileReader|28|"; nocase; content:"readAsText|28|"; within:100; fast_pattern; nocase; content:"Blob|28|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3288; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-095; classtype:attempted-user; sid:47311; rev:1;)
|
|
# sid 47310 — CVE-2016-3288 / MS16-095 IE page-layout use-after-free, SMTP twin of sid 47311 (FileReader -> readAsText
# -> Blob chain); same false-positive caveat.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer page layout use after free attempt"; flow:to_server,established; file_data; content:"FileReader|28|"; nocase; content:"readAsText|28|"; within:100; fast_pattern; nocase; content:"Blob|28|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3288; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-095; classtype:attempted-user; sid:47310; rev:1;)
|
|
# sid 47294 — CVE-2016-0108 / MS16-023 IE CTreePos type confusion, inbound SMTP. CSS generated-content chain: the
# universal pseudo-element selector "*:after" (single colon; sid 47292 covers "*::after"), then "counter(" within 100
# bytes and "url(" within 50 bytes of that. Case-sensitive; CSS itself is not.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt"; flow:to_server,established; file_data; content:"*|3A|after"; fast_pattern; content:"counter|28|"; within:100; content:"url|28|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:47294; rev:1;)
|
|
# sid 47293 — CVE-2016-0108 / MS16-023 IE CTreePos type confusion, client-bound twin of sid 47294 ("*:after" ->
# "counter(" within 100 -> "url(" within 50).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt"; flow:to_client,established; file_data; content:"*|3A|after"; fast_pattern; content:"counter|28|"; within:100; content:"url|28|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:47293; rev:1;)
|
|
# sid 47292 — CVE-2016-0108 / MS16-023 IE CTreePos type confusion, inbound SMTP; the "*::after" (double-colon) variant of
# sid 47294, same counter( / url( windows.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt"; flow:to_server,established; file_data; content:"*|3A 3A|after"; fast_pattern; content:"counter|28|"; within:100; content:"url|28|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:47292; rev:1;)
|
|
# sid 47291 — CVE-2016-0108 / MS16-023 IE CTreePos type confusion, client-bound "*::after" variant (twin of sid 47292).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt"; flow:to_client,established; file_data; content:"*|3A 3A|after"; fast_pattern; content:"counter|28|"; within:100; content:"url|28|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:47291; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge mutation event memory corruption attempt"; flow:to_server,established; file_data; content:".addEventListener"; content:"DOMNodeRemoved"; within:50; fast_pattern; content:".appendChild"; content:".firstChild"; content:".nextSibling"; within:50; content:".nodeValue"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0003; reference:cve,2016-0124; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-024; classtype:attempted-user; sid:47161; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge mutation event memory corruption attempt"; flow:to_client,established; file_data; content:".addEventListener"; content:"DOMNodeRemoved"; within:50; fast_pattern; content:".appendChild"; content:".firstChild"; content:".nextSibling"; within:50; content:".nodeValue"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0003; reference:cve,2016-0124; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-024; classtype:attempted-user; sid:47160; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt"; flow:to_server,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; fast_pattern:only; content:".remove"; nocase; content:"CollectGarbage"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:47152; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; fast_pattern:only; content:".remove"; nocase; content:"CollectGarbage"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-023; classtype:attempted-user; sid:47151; rev:2;)
|
|
# sid 47142 — CVE-2018-8324 Edge scripting-engine type confusion, client-bound. Needs the CSS "-webkit-user-modify:
# read-write;" and execCommand("superscript", false); anywhere, then an ordered chain of ".appendChild(" ->
# ".deselectAll();" -> ".appendChild(" each within 100 bytes of the previous match. No fast_pattern is declared, so the
# engine picks one automatically (longest content).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine type confusion attempt"; flow:to_client,established; file_data; content:"-webkit-user-modify: read-write|3B|"; content:"document.execCommand(|22|superscript|22|, false)|3B|"; content:".appendChild("; within:100; content:".deselectAll()|3B|"; within:100; content:".appendChild("; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8324; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8324; classtype:attempted-user; sid:47142; rev:1;)
|
|
# sid 47141 — CVE-2018-8324 Edge scripting-engine type confusion, SMTP twin of sid 47142 (same CSS + execCommand +
# appendChild/deselectAll/appendChild chain).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine type confusion attempt"; flow:to_server,established; file_data; content:"-webkit-user-modify: read-write|3B|"; content:"document.execCommand(|22|superscript|22|, false)|3B|"; content:".appendChild("; within:100; content:".deselectAll()|3B|"; within:100; content:".appendChild("; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8324; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8324; classtype:attempted-user; sid:47141; rev:1;)
|
|
# sid 47122 — CVE-2018-8283 Edge scripting-engine memory corruption, inbound SMTP. Literal
# "baseObj.val('this.prop0 = ' + (this | 0));" — a single-sample fingerprint (names baseObj/prop0 included).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_server,established; file_data; content:"baseObj.val|28 27|this.prop0 = |27| + |28|this |7C| 0|29 29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8283; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8283; classtype:attempted-user; sid:47122; rev:1;)
|
|
# sid 47121 — CVE-2018-8283 Edge scripting-engine memory corruption, client-bound twin of sid 47122 (same literal).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine memory corruption attempt"; flow:to_client,established; file_data; content:"baseObj.val|28 27|this.prop0 = |27| + |28|this |7C| 0|29 29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8283; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8283; classtype:attempted-user; sid:47121; rev:1;)
|
|
# sid 47118 — CVE-2018-8125 Edge memory corruption, inbound SMTP. Literal "try { var00051.setSkewX(0.814826321635); }
# catch(e) { }" — the generated variable name and constant mark this as a fingerprint of one fuzzer case; it says nothing
# about other triggers for the same bug.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge browser memory corruption attempt"; flow:to_server,established; file_data; content:"try { var00051.setSkewX(0.814826321635)|3B| } catch(e) { }"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8125; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8125; classtype:attempted-user; sid:47118; rev:1;)
|
|
# sid 47117 — CVE-2018-8125 Edge memory corruption, client-bound twin of sid 47118 (same single-sample setSkewX literal).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge browser memory corruption attempt"; flow:to_client,established; file_data; content:"try { var00051.setSkewX(0.814826321635)|3B| } catch(e) { }"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8125; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8125; classtype:attempted-user; sid:47117; rev:1;)
|
|
# sid 47114 — CVE-2018-8262 Edge heap overflow (WebGL index buffer), inbound SMTP. Chain: ".bufferData(" ->
# ".ELEMENT_ARRAY_BUFFER" within 50 -> "Int16Array(" within 50, then a non-relative pcre requiring a decimal literal
# >= 65536 inside an Int16Array([...]) initializer (the alternation enumerates 65536-99999 plus any 6+-digit number).
# No \b anchors, so a longer digit run containing such a substring also matches; the G flag inverts quantifier
# greediness (".*?" greedy, ".*" lazy). The pcre rescans all of file_data, so keep it behind the content chain.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge heap overflow attempt"; flow:to_server,established; file_data; content:".bufferData("; content:".ELEMENT_ARRAY_BUFFER"; within:50; content:"Int16Array("; within:50; pcre:"/Int16Array\s*\(\s*\[.*?([1-9]\d{5,}|6553[6-9]|655[4-9]\d|65[6-9]\d{2}|6[6-9]\d{3}|[7-9]\d{4}).*\]\s*\)/iG"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8262; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8262; classtype:attempted-user; sid:47114; rev:1;)
|
|
# sid 47113 — CVE-2018-8262 Edge heap overflow (WebGL index buffer), client-bound twin of sid 47114: same
# bufferData/ELEMENT_ARRAY_BUFFER/Int16Array chain and the same pcre for a >= 65536 literal in the typed-array initializer.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge heap overflow attempt"; flow:to_client,established; file_data; content:".bufferData("; content:".ELEMENT_ARRAY_BUFFER"; within:50; content:"Int16Array("; within:50; pcre:"/Int16Array\s*\(\s*\[.*?([1-9]\d{5,}|6553[6-9]|655[4-9]\d|65[6-9]\d{2}|6[6-9]\d{3}|[7-9]\d{4}).*\]\s*\)/iG"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8262; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8262; classtype:attempted-user; sid:47113; rev:1;)
|
|
# sid 47112 — CVE-2018-8289 Edge form buffer overflow, inbound SMTP. Literal "function go() {" with CRLF line breaks
# around the getElementById("form1") / form1.submit() lines; the client-side twin (sid 47111) carries the single-line,
# space-separated form of the same snippet, so each rule only matches its own line-ending/whitespace variant.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Form buffer overflow attempt"; flow:to_server,established; file_data; content:"function go() {|0D 0A|var form1 = document.getElementById(|22|form1|22|)|3B 0D 0A|form1.submit()|3B 0D 0A|}"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8289; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8289; classtype:attempted-user; sid:47112; rev:1;)
|
|
# sid 47111 — CVE-2018-8289 Edge form buffer overflow, client-bound. Single-line "function go() { var form1 = ...;
# form1.submit(); }" literal; the SMTP twin (sid 47112) matches the CRLF-broken variant instead. Any other formatting evades both.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Form buffer overflow attempt"; flow:to_client,established; file_data; content:"function go() { var form1 = document.getElementById(|22|form1|22|)|3B| form1.submit()|3B| }"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8289; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8289; classtype:attempted-user; sid:47111; rev:1;)
|
|
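# sid 47110 — CVE-2018-8291 Edge (scripting engine) memory corruption, inbound SMTP. Literal tail of a for-loop,
# "00; i++) {" LF " this['a' + i] = 1;" — LF-specific; the client twin (sid 47109) matches the single-line "10000; ..."
# form. classtype was attempted-admin while every other Edge/Chakra memory-corruption rule in this section — and the
# client-side twin's vulnerability class — is attempted-user; aligned to attempted-user for consistent alert priority
# (rev bumped). Content and policy metadata are unchanged.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"00|3B| i++) {|0A| this['a' + i] = 1|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8291; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8291; classtype:attempted-user; sid:47110; rev:2;)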
|
|
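# sid 47109 — CVE-2018-8291 Edge (scripting engine) memory corruption, client-bound over FTP-data/HTTP/IMAP/POP3.
# Single-line literal "10000; i++) { this['a' + i] = 1;" (the SMTP twin sid 47110 matches the LF-broken form).
# classtype changed from attempted-admin to attempted-user to match every sibling Edge/Chakra memory-corruption rule in
# this file (rev bumped); content and policy metadata are unchanged.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"10000|3B| i++) { this['a' + i] = 1|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8291; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8291; classtype:attempted-user; sid:47109; rev:2;)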
|
|
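# sid 47108 — CVE-2018-8274 Edge event-handling use-after-free, inbound SMTP. Fingerprint of one scrollTo() call with
# fuzzer-looking fractional coordinates. fast_pattern:only was missing here although the client-side twin (sid 47107)
# has it; added so the lone content is matched once by the fast-pattern engine and not re-evaluated in the option tree
# (rev bumped). Detection scope is unchanged.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge event handling use-after-free attempt"; flow:to_server,established; file_data; content:"scrollTo(0.3679749975738149,0.5224532531038253)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8274; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8274; classtype:attempted-user; sid:47108; rev:2;)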
|
|
# sid 47107 — CVE-2018-8274 Edge event-handling use-after-free, client-bound. Exact scrollTo(0.3679749975738149,
# 0.5224532531038253) literal — a single-sample fingerprint; any change to the coordinates evades it.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge event handling use-after-free attempt"; flow:to_client,established; file_data; content:"scrollTo(0.3679749975738149,0.5224532531038253)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8274; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8274; classtype:attempted-user; sid:47107; rev:1;)
|
|
# sid 47103 — CVE-2018-8298 Edge Intl.js memory corruption, inbound SMTP. Five UNORDERED, non-relative tokens:
# "formatToParts" (fast pattern), "DateTimeFormat", "NumberFormat", ".prototype", ".apply". These are all ordinary
# Intl API usage, so legitimate mail containing such script will match; drops in balanced/security/max-detect — watch for FPs.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Intl.js memory corruption attempt"; flow:to_server,established; file_data; content:"formatToParts"; fast_pattern:only; content:"DateTimeFormat"; content:"NumberFormat"; content:".prototype"; content:".apply"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8298; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8298; classtype:attempted-user; sid:47103; rev:1;)
|
|
# sid 47102 — CVE-2018-8298 Edge Intl.js memory corruption, client-bound twin of sid 47103. Same five unordered Intl/
# prototype/apply tokens; on HTTP this will fire on benign pages that use Intl.DateTimeFormat/NumberFormat with
# prototype-style calls, so expect false positives in drop policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Intl.js memory corruption attempt"; flow:to_client,established; file_data; content:"formatToParts"; fast_pattern:only; content:"DateTimeFormat"; content:"NumberFormat"; content:".prototype"; content:".apply"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8298; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8298; classtype:attempted-user; sid:47102; rev:1;)
|
|
# sid 47101 — CVE-2018-8275 Edge TryArraySplice memory corruption, inbound SMTP. Literal Object.defineProperty(Array,
# Symbol.species, { get: function() { rebuildSegmentMap(); return Array; } }); — tied to the helper name
# rebuildSegmentMap, so a sample fingerprint. Note "flow:to_server, established" carries a space after the comma, unlike
# every other rule here; it shipped this way, so the parser evidently tolerates it, but normalise if the rule is touched.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge TryArraySplice memory corruption attempt"; flow:to_server, established; file_data; content:"Object.defineProperty|28|Array, Symbol.species, { get: function|28 29| { rebuildSegmentMap|28 29 3B| return Array|3B| } }|29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8275; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8275; classtype:attempted-user; sid:47101; rev:1;)
|
|
# sid 47100 — CVE-2018-8275 Edge TryArraySplice memory corruption, client-bound twin of sid 47101 (same Symbol.species
# getter literal; same stray space in "flow:to_client, established").
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge TryArraySplice memory corruption attempt"; flow:to_client, established; file_data; content:"Object.defineProperty|28|Array, Symbol.species, { get: function|28 29| { rebuildSegmentMap|28 29 3B| return Array|3B| } }|29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8275; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8275; classtype:attempted-user; sid:47100; rev:1;)
|
|
# sid 47099 — CVE-2018-8279 Edge parseFloat type confusion, inbound SMTP. "parseFloat.bind(" (fast pattern) plus a
# non-relative "async" followed by "await" within 100 bytes. Case-sensitive; "async"/"await" are common in modern
# script, so the bind() call carries most of the specificity.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge parseFloat type confusion attempt"; flow:to_server,established; file_data; content:"parseFloat.bind|28|"; fast_pattern:only; content:"async"; content:"await"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8279; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8279; classtype:attempted-user; sid:47099; rev:1;)
|
|
# sid 47098 / CVE-2018-8279 - Edge parseFloat type confusion, client-side variant of sid 47099 (same match logic).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge parseFloat type confusion attempt"; flow:to_client,established; file_data; content:"parseFloat.bind|28|"; fast_pattern:only; content:"async"; content:"await"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8279; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8279; classtype:attempted-user; sid:47098; rev:1;)
|
|
# sid 47092 / CVE-2018-0949 - IE crafted UNC path sandbox escape, SMTP variant; disabled by default (commented out),
# drop only in max-detect/security policies. Matches "mhtml:file:" followed within 50 bytes by the UTF-8 bytes
# E3 80 82 (U+3002 IDEOGRAPHIC FULL STOP). Pairs with sid 47091.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer crafted UNC path sandbox escape attempt"; flow:to_server,established; file_data; content:"mhtml:file:"; content:"|E3 80 82|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0949; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0949; classtype:attempted-user; sid:47092; rev:1;)
|
|
# sid 47091 / CVE-2018-0949 - IE crafted UNC path sandbox escape, client-side variant of sid 47092; disabled by default.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer crafted UNC path sandbox escape attempt"; flow:to_client,established; file_data; content:"mhtml:file:"; content:"|E3 80 82|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0949; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0949; classtype:attempted-user; sid:47091; rev:1;)
|
|
# sid 48163 / CVE-2018-8463, CVE-2018-8469 - Edge sandbox escape via a shell-link (.lnk) file, SMTP variant; disabled by default.
# Match logic: the 20-byte prefix at depth:20 is the .lnk HeaderSize (0x4C) plus the Shell Link CLSID
# 00021401-0000-0000-C000-000000000046; byte_test checks bit 0x10 of the byte at absolute offset 24; byte_extract
# then reads a little-endian 16-bit value 56 bytes past the prefix (absolute offset 76, i.e. right after the 76-byte
# header - the IDListSize field, per the Shell Link layout) and the UTF-16LE ".lnk" plus terminator must fall
# within that many bytes, followed by a 00 00 pair 2 bytes further on. Pairs with sid 48162.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge sandbox escape attempt"; flow:to_server,established; file_data; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; depth:20; byte_test:1,&,0x10,24; byte_extract:2,56,id_list_size,little,relative; content:".|00|l|00|n|00|k|00 00 00|"; within:id_list_size; content:"|00 00|"; within:2; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8463; reference:cve,2018-8469; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8469; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8463; classtype:attempted-user; sid:48163; rev:1;)
|
|
# sid 48162 / CVE-2018-8463, CVE-2018-8469 - Edge sandbox escape via .lnk, client-side variant of sid 48163 (same
# header/byte_test/byte_extract logic); disabled by default.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge sandbox escape attempt"; flow:to_client,established; file_data; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; depth:20; byte_test:1,&,0x10,24; byte_extract:2,56,id_list_size,little,relative; content:".|00|l|00|n|00|k|00 00 00|"; within:id_list_size; content:"|00 00|"; within:2; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8463; reference:cve,2018-8469; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8469; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8463; classtype:attempted-user; sid:48162; rev:1;)
|
|
# sid 48388 / CVE-2018-8545 - Edge information disclosure, SMTP variant; pairs with sid 48387.
# Single literal (performance.getEntriesByType("resource")[1].name) as fast_pattern:only - exact-text coverage only.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge information disclosure attempt"; flow:to_server,established; file_data; content:"performance.getEntriesByType(|22|resource|22|)[1].name"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8545; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8545; classtype:attempted-user; sid:48388; rev:1;)
|
|
# sid 48387 / CVE-2018-8545 - Edge information disclosure, client-side variant of sid 48388 (same literal).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge information disclosure attempt"; flow:to_client,established; file_data; content:"performance.getEntriesByType(|22|resource|22|)[1].name"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8545; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8545; classtype:attempted-user; sid:48387; rev:1;)
|
|
# sid 48377 / CVE-2018-8556 - Edge bailOnImplicitCall type confusion, SMTP variant; disabled by default.
# NOTE(review): unlike most SMTP/client pairs in this file, this rule and its client-side sibling sid 48376 key on
# different literals (this one a CRLF-delimited "bigarr.length = 0x800" fragment), so their coverage is not equivalent.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge bailOnImplicitCall type confusion attempt"; flow:to_server,established; file_data; content:"553e-312|3B 20 20|//0x12398765432|3B 0D 0A 09 0D 0A|}|0D 0A 0D 0A 0D 0A|bigarr.length|20|=|20|0x800"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8556; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8556; classtype:attempted-user; sid:48377; rev:1;)
|
|
# sid 48376 / CVE-2018-8556 - Edge bailOnImplicitCall type confusion, client-side variant; disabled by default.
# Keys on a space-delimited "let bigarr = [1.1,2.2]; bigarr.length = 3; let vict" fragment - a different literal
# from the SMTP sibling sid 48377.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge bailOnImplicitCall type confusion attempt"; flow:to_client,established; file_data; content:"let|20|bigarr|20|=|20|[1.1,2.2]|3B 20|bigarr.length|20|=|20|3|3B 20|let|20|vict"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8556; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8556; classtype:attempted-user; sid:48376; rev:1;)
|
|
# sid 48373 / CVE-2018-8544 - IE VBScript engine RCE, client-side variant; pairs with sid 48372.
# Fast pattern "Scripting.Dictionary"; then "dict.removeAll()" anywhere, "dict.Add(" starting 79-98 bytes after it
# (distance:79 + within:19), and "dict.Item(" starting 18-38 bytes after that. The fixed distances tie this rule
# to one specific sample layout. classtype is attempted-user here but attempted-admin on the SMTP sibling.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt"; flow:to_client,established; file_data; content:"Scripting.Dictionary"; fast_pattern:only; content:"dict.removeAll()"; content:"dict.Add("; within:19; distance:79; content:"dict.Item("; within:20; distance:18; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8544; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8544; classtype:attempted-user; sid:48373; rev:1;)
|
|
# sid 48372 / CVE-2018-8544 - IE VBScript engine RCE, SMTP variant of sid 48373 (same match logic).
# NOTE(review): classtype:attempted-admin disagrees with the client-side sibling (attempted-user) for the same
# vulnerability; the same split recurs on sids 48369/48368, 48360/48361 and 48518/48517. Pick one for consistent
# priority handling, and bump rev if changed.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt"; flow:to_server,established; file_data; content:"Scripting.Dictionary"; fast_pattern:only; content:"dict.removeAll()"; content:"dict.Add("; within:19; distance:79; content:"dict.Item("; within:20; distance:18; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8544; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8544; classtype:attempted-admin; sid:48372; rev:1;)
|
|
# sid 48371 / CVE-2018-8563 - IE DirectX information disclosure, SMTP variant; pairs with sid 48370.
# The content is a run of raw non-ASCII characters separated by ";". Snort matches the bytes as stored in this
# file, so the file must stay in its original (UTF-8) encoding or the pattern silently changes.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DirectX information disclosure attempt"; flow:to_server,established; file_data; content:"ᾱ|3B|ൽ|3B|᲋|3B|≋|3B|࢝|3B|ͫ|3B|ᆔ|3B|ᠰ|3B|Z"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8563; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8563; classtype:attempted-user; sid:48371; rev:1;)
|
|
# sid 48370 / CVE-2018-8563 - IE DirectX information disclosure, client-side variant of sid 48371 (same raw-byte literal).
# NOTE(review): the source port variable is $HTTP_PORTS while the metadata advertises ftp-data/imap/pop3 as well;
# every other client-side rule in this section uses $FILE_DATA_PORTS. Unless $HTTP_PORTS happens to include the
# mail/FTP ports, the non-HTTP services listed here are not actually inspected. Same issue on sid 48368.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DirectX information disclosure attempt"; flow:to_client,established; file_data; content:"ᾱ|3B|ൽ|3B|᲋|3B|≋|3B|࢝|3B|ͫ|3B|ᆔ|3B|ᠰ|3B|Z"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8563; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8563; classtype:attempted-user; sid:48370; rev:1;)
|
|
# sid 48369 / CVE-2018-8552 - IE VBScript engine RCE, SMTP variant; pairs with sid 48368.
# Single literal ("or Resume Next" + blank line + "Class class1" + "Public Default Property Ge") with fixed CRLF and
# two-space indentation as fast_pattern:only - exact-text coverage only. classtype attempted-admin here vs
# attempted-user on the client-side sibling.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt"; flow:to_server,established; file_data; content:"or|20|Resume|20|Next|0D 0A 0D 0A|Class|20|class1|0D 0A 20 20|Public|20|Default|20|Property|20|Ge"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8552; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8552; classtype:attempted-admin; sid:48369; rev:1;)
|
|
# sid 48368 / CVE-2018-8552 - IE VBScript engine RCE, client-side variant of sid 48369 (same literal).
# NOTE(review): uses $HTTP_PORTS instead of the $FILE_DATA_PORTS used by sibling client-side rules, while the
# metadata still lists ftp-data/imap/pop3 - see sid 48370 for the same mismatch.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt"; flow:to_client,established; file_data; content:"or|20|Resume|20|Next|0D 0A 0D 0A|Class|20|class1|0D 0A 20 20|Public|20|Default|20|Property|20|Ge"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8552; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8552; classtype:attempted-user; sid:48368; rev:1;)
|
|
# sid 48361 / CVE-2018-8555 - Edge JIT floating-point type confusion, client-side variant; pairs with sid 48360.
# Keys on the space-delimited call sequence "Proxy({}, arr); set(buggy, f64); trigger(arr, buggy); alert(" - the SMTP
# sibling uses a different (CRLF-delimited) fragment of the same sample.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge JIT floating point value type confusion attempt"; flow:to_client,established; file_data; content:"Proxy({},|20|arr)|3B 20|set(buggy,|20|f64)|3B 20|trigger(arr,|20|buggy)|3B 20|alert("; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8555; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8555; classtype:attempted-user; sid:48361; rev:1;)
|
|
# sid 48360 / CVE-2018-8555 - Edge JIT floating-point type confusion, SMTP variant of sid 48361.
# Literal is a CRLF/indentation-heavy fragment ending in "let buggy = [{},{},{}];" - very layout-specific.
# classtype attempted-admin here vs attempted-user on the client-side sibling.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge JIT floating point value type confusion attempt"; flow:to_server,established; file_data; content:"f64)|3B 0D 0A 20 20 20 20|}|0D 0A 0D 0A 20 20 20 20 0D 0A 20 20 20 20|let|20|buggy|20|=|20|[{},{},{}]|3B 0D 0A 20 20 20 0D 0A 20 20 20 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8555; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8555; classtype:attempted-admin; sid:48360; rev:1;)
|
|
# sid 48534 / CVE-2018-8631 - IE Jscript.Encode out-of-bounds read, SMTP variant; disabled by default.
# Fast pattern "Array.prototype.sort.call("; ".prototype" anywhere, "arguments" within 50 bytes after it, and
# "Jscript.Encode" anywhere. classtype attempted-admin here vs attempted-user on sid 48533.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Jscript.Encode out-of-bounds read attempt"; flow:to_server,established; file_data; content:"Array.prototype.sort.call("; fast_pattern:only; content:".prototype"; content:"arguments"; within:50; content:"Jscript.Encode"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8631; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8631; classtype:attempted-admin; sid:48534; rev:2;)
|
|
# sid 48533 / CVE-2018-8631 - IE Jscript.Encode out-of-bounds read, client-side variant of sid 48534; disabled by default.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Jscript.Encode out-of-bounds read attempt"; flow:to_client,established; file_data; content:"Array.prototype.sort.call("; fast_pattern:only; content:".prototype"; content:"arguments"; within:50; content:"Jscript.Encode"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8631; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8631; classtype:attempted-user; sid:48533; rev:2;)
|
|
# sid 48532 / CVE-2018-8619 - IE 11 VBScript execution-policy bypass via XSL transform, SMTP variant; pairs with sid 48531.
# Single literal "ex = xml.transformNode(xsl); document.getElementById" as fast_pattern:only. Also tagged with
# ATT&CK T1220 (XSL script processing) in the references.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt"; flow:to_server,established; file_data; content:"ex = xml.transformNode(xsl)|3B 20|document.getElementById"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8619; reference:url,attack.mitre.org/techniques/T1220; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8619; classtype:attempted-user; sid:48532; rev:2;)
|
|
# sid 48531 / CVE-2018-8619 - IE 11 VBScript execution-policy bypass, client-side variant of sid 48532 (same literal).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt"; flow:to_client,established; file_data; content:"ex = xml.transformNode(xsl)|3B 20|document.getElementById"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8619; reference:url,attack.mitre.org/techniques/T1220; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8619; classtype:attempted-user; sid:48531; rev:2;)
|
|
# sid 48520 / CVE-2018-8634 - Edge buffer overflow (SpeechSynthesisUtterance), SMTP variant; disabled by default.
# Matches one long literal, newline-delimited (|0A|), including the "/* newvar{...} */" annotation - which looks like
# generated test-case text, so this covers that one sample only. Client-side sibling sid 48519 uses the
# space-delimited form of the same text.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge buffer overflow attempt"; flow:to_server,established; file_data; content:"<script>|0A|function boom() {|0A|try { /* newvar{var00026:SpeechSynthesisUtterance} */ var var00026 = new SpeechSynthesisUtterance(Array(150).join(|22|edy|22|))"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8634; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8634; classtype:attempted-user; sid:48520; rev:1;)
|
|
# sid 48519 / CVE-2018-8634 - Edge buffer overflow (SpeechSynthesisUtterance), client-side variant; disabled by default.
# Same literal as sid 48520 but with spaces where the SMTP variant has |0A| newlines.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge buffer overflow attempt"; flow:to_client,established; file_data; content:"<script> function boom() { try { /* newvar{var00026:SpeechSynthesisUtterance} */ var var00026 = new SpeechSynthesisUtterance(Array(150).join(|22|edy|22|))"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8634; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8634; classtype:attempted-user; sid:48519; rev:1;)
|
|
# sid 48518 / CVE-2018-8624 - IE Chakra engine memory corruption, SMTP variant; pairs with sid 48517.
# Literal "let ut = new Float64Array(0xf000);" + CRLF CRLF + "let d = " - CRLF-specific; the client-side sibling
# uses a single space instead. classtype attempted-admin here vs attempted-user on the sibling.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Chakra engine memory corruption attempt"; flow:to_server,established; file_data; content:"let|20|ut|20|=|20|new|20|Float64Array(0xf000)|3B 0D 0A 0D 0A|let|20|d|20|=|20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8624; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8624; classtype:attempted-admin; sid:48518; rev:1;)
|
|
# sid 48517 / CVE-2018-8624 - IE Chakra engine memory corruption, client-side variant of sid 48518 (space-delimited form).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Chakra engine memory corruption attempt"; flow:to_client,established; file_data; content:"let|20|ut|20|=|20|new|20|Float64Array(0xf000)|3B 20|let|20|d|20|=|20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8624; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8624; classtype:attempted-user; sid:48517; rev:1;)
|
|
# sid 48516 / CVE-2018-8583 - Edge Chakra scripting engine memory corruption, SMTP variant; disabled by default.
# Single CRLF/tab-specific literal from the sample's function signature ("..., end, one, victim, changeMe){").
# Pairs with sid 48515.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt"; flow:to_server,established; file_data; content:",|20|end,|20|one,|20|victim,|20|changeMe){|0D 0A 09|[].slice()|3B 0D 0A 09 0D 0A 09|let|20|arr2"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8583; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8583; classtype:attempted-user; sid:48516; rev:1;)
|
|
# sid 48515 / CVE-2018-8583 - Edge Chakra scripting engine memory corruption, client-side variant of sid 48516; disabled by default.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt"; flow:to_client,established; file_data; content:",|20|end,|20|one,|20|victim,|20|changeMe){|0D 0A 09|[].slice()|3B 0D 0A 09 0D 0A 09|let|20|arr2"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8583; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8583; classtype:attempted-user; sid:48515; rev:1;)
|
|
# sid 48514 / CVE-2018-8629 - Edge out-of-bounds write, SMTP variant; disabled by default.
# Literal " new Uint8Array(scratch);" + CRLF + "var scratch_u32 = new Uint32Array(". NOTE(review): this is rev:1 while
# the client-side sibling sid 48513 is rev:2 with identical detection - check whether a revision was missed here.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge out of bounds write attempt"; flow:to_server,established; file_data; content:"|20|new|20|Uint8Array(scratch)|3B 0D 0A|var|20|scratch_u32|20|=|20|new|20|Uint32Array("; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8629; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8629; classtype:attempted-user; sid:48514; rev:1;)
|
|
# sid 48513 / CVE-2018-8629 - Edge out-of-bounds write, client-side variant of sid 48514 (same literal); disabled by default.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge out of bounds write attempt"; flow:to_client,established; file_data; content:"|20|new|20|Uint8Array(scratch)|3B 0D 0A|var|20|scratch_u32|20|=|20|new|20|Uint32Array("; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8629; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8629; classtype:attempted-user; sid:48513; rev:2;)
|
|
# sid 48510 / CVE-2018-8618 - Edge Chakra type confusion, SMTP variant; disabled by default.
# Single literal "Array.prototype.__defineSetter__(-1, function(){" as fast_pattern:only. Pairs with sid 48509.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Browser Chakra script type confusion exploit attempt"; flow:to_server,established; file_data; content:"Array.prototype.__defineSetter__(-1, function(){"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8618; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8618; classtype:attempted-user; sid:48510; rev:1;)
|
|
# sid 48509 / CVE-2018-8618 - Edge Chakra type confusion, client-side variant of sid 48510 (same literal); disabled by default.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Browser Chakra script type confusion exploit attempt"; flow:to_client,established; file_data; content:"Array.prototype.__defineSetter__(-1, function(){"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8618; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8618; classtype:attempted-user; sid:48509; rev:1;)
|
|
# sid 48597 / CVE-2018-8643 - IE out-of-bounds read, client-side variant; disabled by default.
# Single literal "var arr1 = Array.prototype.concat.call(new Array(0x10000), new Enumerator())" as fast_pattern:only.
# Pairs with sid 48596 (listed after it, reversed from the usual SMTP-first order in this file).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer out-of-bounds read attempt"; flow:to_client,established; file_data; content:"var arr1 = Array.prototype.concat.call(new Array(0x10000), new Enumerator())"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8643; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8643; classtype:attempted-user; sid:48597; rev:1;)
|
|
# sid 48596 / CVE-2018-8643 - IE out-of-bounds read, SMTP variant of sid 48597 (same literal); disabled by default.
# NOTE(review): metadata lists "service ftp-data, service smtp" - every other SMTP-port rule in this section lists
# only smtp; ftp-data looks copied over from the client-side sibling and is meaningless on a port-25 rule.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer out-of-bounds read attempt"; flow:to_server,established; file_data; content:"var arr1 = Array.prototype.concat.call(new Array(0x10000), new Enumerator())"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2018-8643; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8643; classtype:attempted-user; sid:48596; rev:1;)
|
|
# sid 48698 - IE VBScript RCE (generic class/Default Property Get/ReDim/Array/Filter pattern), SMTP variant; pairs with sid 48697.
# Chain: "class" (nocase) anywhere; "Default Property Get" within 250 bytes after it; "ReDim" within 75 after that;
# "Array" anywhere (not relative - no distance/within); "Filter" within 50 after "Array". No explicit fast_pattern
# is set; Snort normally picks the longest content ("Default Property Get") itself. NOTE(review): this pair carries
# no reference: at all - worth adding the CVE or advisory it was written for so analysts can triage hits.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt"; flow:to_server,established; file_data; content:"class"; nocase; content:"Default Property Get"; within:250; content:"ReDim"; within:75; content:"Array"; content:"Filter"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:48698; rev:2;)
|
|
# sid 48697 - IE VBScript RCE (class/Default Property Get/ReDim/Array/Filter pattern), client-side variant of sid 48698.
# Same match chain; likewise has no reference: entry.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt"; flow:to_client,established; file_data; content:"class"; nocase; content:"Default Property Get"; within:250; content:"ReDim"; within:75; content:"Array"; content:"Filter"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48697; rev:2;)
|
|
# sid 48696 / CVE-2018-8373 - IE VBScript RCE (Scripting.Dictionary + Class_Terminate + RemoveAll), SMTP variant; pairs with sid 48695.
# Fast pattern "Scripting.Dictionary"; then "class" (nocase) anywhere, "Class_Terminate" within 50 bytes after it,
# "RemoveAll" within 150 after that. Second of two CVE-2018-8373 rule pairs (see also sids 48694/48693).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt"; flow:to_server,established; file_data; content:"Scripting.Dictionary"; fast_pattern:only; content:"class"; nocase; content:"Class_Terminate"; within:50; content:"RemoveAll"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8373; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373; classtype:attempted-user; sid:48696; rev:3;)
|
|
# sid 48695 / CVE-2018-8373 - IE VBScript RCE (Scripting.Dictionary + Class_Terminate + RemoveAll), client-side variant of sid 48696.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt"; flow:to_client,established; file_data; content:"Scripting.Dictionary"; fast_pattern:only; content:"class"; nocase; content:"Class_Terminate"; within:50; content:"RemoveAll"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8373; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373; classtype:attempted-user; sid:48695; rev:3;)
|
|
# sid 48694 / CVE-2018-8373 - IE VBScript RCE (Class_Initialize + Default Property Get + ReDim preserve), SMTP variant; pairs with sid 48693.
# Chain: "class" (nocase); "Class_Initialize" within 50 after it; "Default Property Get" within 150 after that;
# "ReDim preserve" within 50 after that. No explicit fast_pattern; Snort normally picks the longest content itself.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt"; flow:to_server,established; file_data; content:"class"; nocase; content:"Class_Initialize"; within:50; content:"Default Property Get"; within:150; content:"ReDim preserve"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8373; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373; classtype:attempted-user; sid:48694; rev:3;)
|
|
# sid 48693 / CVE-2018-8373 - IE VBScript RCE (Class_Initialize + Default Property Get + ReDim preserve), client-side variant of sid 48694.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt"; flow:to_client,established; file_data; content:"class"; nocase; content:"Class_Initialize"; within:50; content:"Default Property Get"; within:150; content:"ReDim preserve"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8373; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373; classtype:attempted-user; sid:48693; rev:3;)
|
|
# sid 48702 / CVE-2018-8653 - IE JavaScript engine memory corruption (Enumerator + CollectGarbage + RegExp), SMTP variant; pairs with sid 48701.
# "new" anywhere; "Enumerator" within 25 bytes after it (explicit fast_pattern, case-sensitive); then
# "CollectGarbage()", "instanceof" and "RegExp" as independent, non-relative presence checks.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer JavaScript engine memory corruption attempt"; flow:to_server,established; file_data; content:"new"; content:"Enumerator"; within:25; fast_pattern; content:"CollectGarbage()"; content:"instanceof"; content:"RegExp"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8653; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653; classtype:attempted-user; sid:48702; rev:1;)
|
|
# sid 48701 / CVE-2018-8653 - IE JavaScript engine memory corruption, client-side variant of sid 48702 (same chain).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer JavaScript engine memory corruption attempt"; flow:to_client,established; file_data; content:"new"; content:"Enumerator"; within:25; fast_pattern; content:"CollectGarbage()"; content:"instanceof"; content:"RegExp"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8653; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653; classtype:attempted-user; sid:48701; rev:1;)
|
|
# sid 48700 - IE JavaScript engine downgrade indicator (Jscript.Compact + IE=EmulateIE8), SMTP variant; disabled by default.
# Policy-violation rule, not an exploit signature: it flags content that asks IE to fall back to the legacy
# engine/compat mode (a precondition the 2018 jscript.dll bugs above rely on). No CVE - informational. Only the
# max-detect policy drops. Pairs with sid 48699.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer JavaScript engine downgrade detected"; flow:to_server,established; file_data; content:"Jscript.Compact"; fast_pattern:only; content:"IE=EmulateIE8"; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:48700; rev:1;)
|
|
# sid 48699 - IE JavaScript engine downgrade indicator, client-side variant of sid 48700; disabled by default, policy-violation.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer JavaScript engine downgrade detected"; flow:to_client,established; file_data; content:"Jscript.Compact"; fast_pattern:only; content:"IE=EmulateIE8"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:48699; rev:1;)
|
|
# sid 48734 - Edge memory corruption (execCommand selectAll), SMTP variant; pairs with sid 48733.
# Single literal 'var v3= document.execCommand("selectAll", true)' as fast_pattern:only; the variable name and the
# missing space before "=" make this sample-specific. No reference: entry - add one if the advisory is known.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"var v3= document.execCommand(|22|selectAll|22|, true)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:48734; rev:1;)
|
|
# sid 48733 - Edge memory corruption (execCommand selectAll), client-side variant of sid 48734 (same literal, no reference).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"var v3= document.execCommand(|22|selectAll|22|, true)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48733; rev:1;)
|
|
# sid 48783 / CVE-2019-0541 - IE ProgID arbitrary code execution (HTA via meta ProgID), SMTP variant; pairs with sid 48782.
# Fast pattern "wscript.shell"; then "meta" (nocase) anywhere, "ProgID" (nocase) within 20 bytes after it, and
# "HTAFILE" (nocase) within 50 after that.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt"; flow:to_server,established; file_data; content:"wscript.shell"; fast_pattern:only; content:"meta"; nocase; content:"ProgID"; within:20; nocase; content:"HTAFILE"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0541; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0541; classtype:attempted-user; sid:48783; rev:2;)
|
|
# sid 48782 / CVE-2019-0541 - IE ProgID arbitrary code execution, client-side variant of sid 48783 (same chain).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt"; flow:to_client,established; file_data; content:"wscript.shell"; fast_pattern:only; content:"meta"; nocase; content:"ProgID"; within:20; nocase; content:"HTAFILE"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0541; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0541; classtype:attempted-user; sid:48782; rev:2;)
|
|
# sid 48781 / CVE-2019-0567 - Edge object-manipulation use-after-free, client-side variant; pairs with sid 48780.
# NOTE(review): the only content is the generic loop header "for(let i=0;i<0x10000;i++)", with nothing tying it to
# the vulnerability. Expect false positives on benign scripts, and note it will also fire on every hit of
# sids 48773/48772 (CVE-2019-0539), whose literal begins with this exact string. Drops in balanced policy, so
# tune or add a second anchor before enabling in-line.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge object manipulation use-after-free attempt"; flow:to_client,established; file_data; content:"for(let i=0|3B|i<0x10000|3B|i++)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0567; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0567; classtype:attempted-user; sid:48781; rev:1;)
|
|
# sid 48780 / CVE-2019-0567 - Edge object-manipulation use-after-free, SMTP variant of sid 48781.
# Same single generic loop-header literal, so the same false-positive and overlap caveat (see sid 48781) applies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge object manipulation use-after-free attempt"; flow:to_server,established; file_data; content:"for(let i=0|3B|i<0x10000|3B|i++)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0567; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0567; classtype:attempted-user; sid:48780; rev:1;)
|
|
# sid 48779 / CVE-2019-0568 - Edge JsBuiltInEngineInterfaceExtensionObject prototype use-after-free, SMTP variant; pairs with sid 48778.
# Single literal "object_prototype.__defineGetter__('x', Error.prototype.toString)" as fast_pattern:only
# (sample-specific variable and property names).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt"; flow:to_server,established; file_data; content:"object_prototype.__defineGetter__('x', Error.prototype.toString)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0568; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0568; classtype:attempted-user; sid:48779; rev:1;)
|
|
# sid 48778 / CVE-2019-0568 - Edge prototype use-after-free, client-side variant of sid 48779 (same literal).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt"; flow:to_client,established; file_data; content:"object_prototype.__defineGetter__('x', Error.prototype.toString)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0568; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0568; classtype:attempted-user; sid:48778; rev:1;)
|
|
# sid 48773 / CVE-2019-0539 - Edge Chakra type confusion, SMTP variant; pairs with sid 48772.
# Literal = the "for(let i=0;i<0x10000;i++)" loop header + CRLF + 'opt(obj,"1");' + CRLF + "obj = {a:1". Because it
# starts with the same loop header that sids 48781/48780 match on their own, any hit here also triggers those.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt"; flow:to_server,established; file_data; content:"for(let i=0|3B|i<0x10000|3B|i++)|0D 0A|opt(obj,|22|1|22|)|3B 0D 0A|obj = {a:1"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0539; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0539; classtype:attempted-user; sid:48773; rev:1;)
|
|
# sid 48772 / CVE-2019-0539 - Edge Chakra type confusion, client-side variant of sid 48773 (same CRLF-specific literal).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt"; flow:to_client,established; file_data; content:"for(let i=0|3B|i<0x10000|3B|i++)|0D 0A|opt(obj,|22|1|22|)|3B 0D 0A|obj = {a:1"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0539; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0539; classtype:attempted-user; sid:48772; rev:1;)
|
|
# sid 48771 / CVE-2019-0565 - Edge memory corruption (DOMNodeRemoved listener), SMTP variant; pairs with sid 48770.
# NOTE(review): the content option appears BEFORE "file_data;" and nothing follows file_data. Since file_data only
# redirects the contents that come after it, this literal is matched against the default payload buffer rather
# than the decoded file/attachment buffer, unlike every other rule in this section. Moving "file_data;" ahead of
# the content (and bumping rev) would make it consistent; the same ordering issue is on sid 48770.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; content:"content1.addEventListener(|22|DOMNodeRemoved|22|, f)|3B 0D 0A|"; fast_pattern:only; file_data; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0565; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0565; classtype:attempted-user; sid:48771; rev:1;)
|
|
# sid 48770 / CVE-2019-0565 - Edge memory corruption (DOMNodeRemoved listener), client-side variant of sid 48771.
# NOTE(review): same option-order issue as sid 48771 - "file_data;" comes after the only content, so the literal is
# not inspected in the file_data buffer.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; content:"content1.addEventListener(|22|DOMNodeRemoved|22|, f)|3B 0D 0A|"; fast_pattern:only; file_data; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0565; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0565; classtype:attempted-user; sid:48770; rev:1;)
|
|
# sid 48899 / CVE-2016-3288 (MS16-095) - IE page-layout use-after-free, SMTP variant; pairs with sid 48898.
# "FileReader(" (nocase) anywhere; "readAsBinaryString(" (nocase, explicit fast_pattern) within 100 bytes after it;
# "Blob(" (case-sensitive) within 20 bytes after that.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer page layout use after free attempt"; flow:to_server,established; file_data; content:"FileReader|28|"; nocase; content:"readAsBinaryString|28|"; within:100; fast_pattern; nocase; content:"Blob|28|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3288; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-095; classtype:attempted-user; sid:48899; rev:1;)
|
|
# sid 48898 / CVE-2016-3288 (MS16-095) - IE page-layout use-after-free, client-side variant of sid 48899 (same chain).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer page layout use after free attempt"; flow:to_client,established; file_data; content:"FileReader|28|"; nocase; content:"readAsBinaryString|28|"; within:100; fast_pattern; nocase; content:"Blob|28|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3288; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-095; classtype:attempted-user; sid:48898; rev:1;)
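# sid:49084 (SMTP side; sibling is sid:49083), CVE-2014-2782. Shipped commented out and
# without policy metadata, i.e. disabled in every default policy.
# Fix: added the MS14-035 bulletin URL reference that sibling sid:49083 already carries
# (the two rules are otherwise identical apart from direction/service) and bumped rev.
# Detection is a chain of generic DOM tokens — contentEditable, getElementById,
# replaceNode (fast pattern), createElement — each within 200 bytes of the previous.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt"; flow:to_server,established; file_data; content:"contentEditable"; content:"getElementById"; within:200; content:"replaceNode"; within:200; fast_pattern; content:"createElement"; within:200; metadata:service smtp; reference:cve,2014-2782; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-035; classtype:attempted-user; sid:49084; rev:2;)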
# sid:49083 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49084), CVE-2014-2782 / MS14-035.
# Commented out and carries no policy metadata, so it is disabled by default.
# Chains four generic DOM tokens within 200 bytes of each other (replaceNode is the
# fast pattern); all four are common in ordinary pages, which is presumably why the
# rule is not enabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt"; flow:to_client,established; file_data; content:"contentEditable"; content:"getElementById"; within:200; content:"replaceNode"; within:200; fast_pattern; content:"createElement"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-2782; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-035; classtype:attempted-user; sid:49083; rev:1;)
# sid:49119 (SMTP side; sibling is sid:49118), CVE-2016-3222 / MS16-068. Commented out;
# metadata lists only max-detect and security drop policies.
# The leading content "document" is a near-universal token that only seeds the chain;
# the discriminator is getVideoPlaybackQuality (fast pattern) within 100 bytes of
# .isEqualNode, which itself must sit within 27 bytes of "document".
# Bulletin URL uses lower-case ms16-068 while sibling sid:49118 uses MS16-068; cosmetic.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt"; flow:to_server,established; file_data; content:"document"; content:".isEqualNode"; within:27; content:"getVideoPlaybackQuality"; within:100; fast_pattern; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3222; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-068; classtype:attempted-user; sid:49119; rev:1;)
# sid:49118 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49119), CVE-2016-3222 / MS16-068.
# Commented out; only max-detect and security drop policies are listed.
# Chain: "document" -> .isEqualNode within 27 -> getVideoPlaybackQuality within 100
# (fast pattern). The last token is the only one that is not commonplace.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt"; flow:to_client,established; file_data; content:"document"; content:".isEqualNode"; within:27; content:"getVideoPlaybackQuality"; within:100; fast_pattern; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3222; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-068; classtype:attempted-user; sid:49118; rev:1;)
# sid:49187 (SMTP side; sibling is sid:49186), CVE-2014-4050 / MS14-051. Commented out
# and without policy metadata, so disabled by default.
# All four contents are ordinary CSS (:first-letter, float:, :first-line,
# display: inline-block;). Only float: is positionally tied (within 20 of
# :first-letter); the last two may occur anywhere in the buffer. No fast_pattern is
# declared, so Snort selects the content for the fast matcher itself.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer HtmlLayout styling use after free attempt"; flow:to_server,established; file_data; content:":first-letter"; content:"float:"; within:20; content:":first-line"; content:"display: inline-block|3B|"; metadata:service smtp; reference:cve,2014-4050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:49187; rev:1;)
# sid:49186 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49187), CVE-2014-4050 / MS14-051.
# Commented out, no policy metadata. Four plain-CSS tokens; only float: is relative
# (within 20 of :first-letter), :first-line and display: inline-block; are unanchored.
# No explicit fast_pattern. Given how common these tokens are on real stylesheets,
# expect a high FP rate if enabled as-is.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer HtmlLayout styling use after free attempt"; flow:to_client,established; file_data; content:":first-letter"; content:"float:"; within:20; content:":first-line"; content:"display: inline-block|3B|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-4050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-051; classtype:attempted-user; sid:49186; rev:1;)
# sid:49170 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49169), CVE-2019-0642.
# The hex content decodes to the PoC prelude: function opt(a, b){ CRLF, four-space
# indented a.a = 1 and a.b = 1 lines, then for(let i. It is a single fast_pattern:only
# literal, so only this exact layout (CRLF endings, 4-space indent, the name opt) is
# covered; the `function opt(a, b){` prefix is shared with sid:49168/49167 below.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge isSealed object buffer overrun attempt"; flow:to_client,established; file_data; content:"|66 75 6E 63 74 69 6F 6E 20 6F 70 74 28 61 2C 20 62 29 7B 0D 0A 20 20 20 20 61 2E 61 20 3D 20 31 0D 0A 20 20 20 20 61 2E 62 20 3D 20 31 0D 0A 20 20 20 20 66 6F 72 28 6C 65 74 20 69|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0642; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0642; classtype:attempted-user; sid:49170; rev:1;)
# sid:49169 (SMTP side; sibling is sid:49170), CVE-2019-0642.
# Same single fast_pattern:only literal as the sibling: function opt(a, b){ followed by
# CRLF, 4-space-indented a.a = 1 / a.b = 1 lines and for(let i. Exact-formatting
# anchor — a reformatted or renamed variant of the sample is not covered.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge isSealed object buffer overrun attempt"; flow:to_server,established; file_data; content:"|66 75 6E 63 74 69 6F 6E 20 6F 70 74 28 61 2C 20 62 29 7B 0D 0A 20 20 20 20 61 2E 61 20 3D 20 31 0D 0A 20 20 20 20 61 2E 62 20 3D 20 31 0D 0A 20 20 20 20 66 6F 72 28 6C 65 74 20 69|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0642; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0642; classtype:attempted-user; sid:49169; rev:1;)
# sid:49168 (SMTP side; sibling is sid:49167), CVE-2019-0655.
# Hex decodes to: the comment line // alert(1) CRLF, then function opt(a, b){ CRLF,
# 4-space-indented a.a = 1 CRLF and b.pop() CRLF.
# NOTE(review): the literal starts with the PoC author's own comment (// alert(1));
# anchoring on comment text rather than the triggering code is the weakest form of
# signature, since any sample without that comment is missed.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge variable length manipulation type confusion attempt"; flow:to_server,established; file_data; content:"|2F 2F 20 61 6C 65 72 74 28 31 29 0D 0A 66 75 6E 63 74 69 6F 6E 20 6F 70 74 28 61 2C 20 62 29 7B 0D 0A 20 20 20 20 61 2E 61 20 3D 20 31 0D 0A 20 20 20 20 62 2E 70 6F 70 28 29 0D 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0655; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0655; classtype:attempted-user; sid:49168; rev:1;)
# sid:49167 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49168), CVE-2019-0655.
# Same literal as the sibling: // alert(1) CRLF function opt(a, b){ CRLF, indented
# a.a = 1 and b.pop() lines. The match begins on a comment line of the PoC, so the
# rule keys on scaffolding rather than on the construct that triggers the bug.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge variable length manipulation type confusion attempt"; flow:to_client,established; file_data; content:"|2F 2F 20 61 6C 65 72 74 28 31 29 0D 0A 66 75 6E 63 74 69 6F 6E 20 6F 70 74 28 61 2C 20 62 29 7B 0D 0A 20 20 20 20 61 2E 61 20 3D 20 31 0D 0A 20 20 20 20 62 2E 70 6F 70 28 29 0D 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0655; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0655; classtype:attempted-user; sid:49167; rev:1;)
# sid:49166 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49165), CVE-2019-0658.
# Hex decodes to the single-line asm.js form:
#   ASMModule(stdlib, foreign, buffer) { "use asm"; var exp = s
# NOTE(review): the SMTP sibling matches a DIFFERENT, multi-line layout of the same
# module header, so each direction covers only one formatting of the sample; the two
# rules are not interchangeable and neither covers both variants.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge buffer manipulation out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|20 41 53 4D 4D 6F 64 75 6C 65 28 73 74 64 6C 69 62 2C 20 66 6F 72 65 69 67 6E 2C 20 62 75 66 66 65 72 29 20 7B 20 22 75 73 65 20 61 73 6D 22 3B 20 76 61 72 20 65 78 70 20 3D 20 73|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0658; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0658; classtype:attempted-user; sid:49166; rev:1;)
# sid:49165 (SMTP side; sibling is sid:49166), CVE-2019-0658.
# Hex decodes to the multi-line asm.js form: ASMModule(stdlib, foreign, buffer) {
# CRLF, two-space-indented "use asm"; CRLF, blank CRLF, then two spaces and var.
# NOTE(review): the HTTP sibling matches the single-line layout instead; consider
# carrying both variants in both directions so coverage does not depend on how the
# sample happened to be formatted when it was captured.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge buffer manipulation out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|41 53 4D 4D 6F 64 75 6C 65 28 73 74 64 6C 69 62 2C 20 66 6F 72 65 69 67 6E 2C 20 62 75 66 66 65 72 29 20 7B 0D 0A 20 20 22 75 73 65 20 61 73 6D 22 3B 0D 0A 0D 0A 20 20 76 61 72 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0658; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0658; classtype:attempted-user; sid:49165; rev:1;)
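# sid:49158 (SMTP side; sibling is sid:49157), CVE-2019-0648.
# Fix: the msg text ended in a stray trailing space ("...read attempt "), which
# yields an alert name differing from the rest of the section by whitespace and can
# break exact-match correlation downstream. Trailing space removed, rev bumped.
# Detection: String.fromCharCode(92) anywhere in the file buffer, then the literal
# new RegExp("[\\c" + letter + "]") (fast pattern) within 70 bytes of it; the
# identifier `letter` is sample-specific.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge out of bounds read attempt"; flow:to_server,established; file_data; content:"String.fromCharCode(92)"; content:"new RegExp(|22|[|5C 5C|c|22| + letter + |22|]|22|)"; within:70; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0648; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0648; classtype:attempted-user; sid:49158; rev:2;)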
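# sid:49157 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49158), CVE-2019-0648.
# Fix: removed the stray trailing space from the msg text so the alert name matches
# the section's naming exactly; rev bumped.
# Detection: String.fromCharCode(92), then new RegExp("[\\c" + letter + "]") (fast
# pattern) within 70 bytes; the variable name `letter` ties this to one sample.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge out of bounds read attempt"; flow:to_client,established; file_data; content:"String.fromCharCode(92)"; content:"new RegExp(|22|[|5C 5C|c|22| + letter + |22|]|22|)"; within:70; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0648; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0648; classtype:attempted-user; sid:49157; rev:2;)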
# sid:49156 (SMTP side; sibling is sid:49155), CVE-2019-0676.
# Hex decodes to a tab/space-indented, LF-only fragment ending in
# nVZZNrP.installedapp.sort(); — an identifier that looks specific to one captured
# sample (presumably obfuscated; confirm against the source).
# NOTE(review): the HTTP sibling matches an entirely different fragment of the same
# sample, so a file that fires one direction will not fire the other.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer information disclosure attempt"; flow:to_server,established; file_data; content:"|20 20 20 20 20 20 7D 0A 09 09 09 20 20 20 20 20 20 20 7D 0A 09 09 09 20 20 20 20 20 20 20 6E 56 5A 5A 4E 72 50 2E 69 6E 73 74 61 6C 6C 65 64 61 70 70 2E 73 6F 72 74 28 29 3B 0A 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0676; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0676; classtype:attempted-user; sid:49156; rev:1;)
# sid:49155 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49156), CVE-2019-0676.
# Hex decodes to: ion REP_CheckLoadImageAndSleep(){ REP_varCheckLoadImage=setI —
# i.e. the tail of a function name plus sample-specific REP_-prefixed identifiers.
# NOTE(review): this is a different literal from the SMTP sibling; neither direction
# carries the other's fragment, so coverage is asymmetric by transport.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer information disclosure attempt"; flow:to_client,established; file_data; content:"|69 6F 6E 20 52 45 50 5F 43 68 65 63 6B 4C 6F 61 64 49 6D 61 67 65 41 6E 64 53 6C 65 65 70 28 29 7B 20 52 45 50 5F 76 61 72 43 68 65 63 6B 4C 6F 61 64 49 6D 61 67 65 3D 73 65 74 49|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0676; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0676; classtype:attempted-user; sid:49155; rev:1;)
# sid:49154 (SMTP side; sibling is sid:49153), CVE-2019-0640.
# Hex decodes to:     let obj = opt();  // "opt" returns the freed string cons
# NOTE(review): more than half of the literal is the PoC author's inline comment;
# the rule therefore keys on explanatory text rather than on the code path, and the
# HTTP sibling keys on a later slice of the same comment. Expect misses on any
# re-typed variant.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Promise object context switch use-after-free attempt"; flow:to_server,established; file_data; content:"|20 20 20 20 6C 65 74 20 6F 62 6A 20 3D 20 6F 70 74 28 29 3B 20 20 2F 2F 20 22 6F 70 74 22 20 72 65 74 75 72 6E 73 20 74 68 65 20 66 72 65 65 64 20 73 74 72 69 6E 67 20 63 6F 6E 73|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0640; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0640; classtype:attempted-user; sid:49154; rev:1;)
# sid:49153 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49154), CVE-2019-0640.
# Hex decodes to: "opt" returns the freed string constant. alert(obj); }; // C
# The anchor is almost entirely comment text from the PoC (plus alert(obj)); it
# overlaps but does not equal the SMTP sibling's literal.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Promise object context switch use-after-free attempt"; flow:to_client,established; file_data; content:"|22 6F 70 74 22 20 72 65 74 75 72 6E 73 20 74 68 65 20 66 72 65 65 64 20 73 74 72 69 6E 67 20 63 6F 6E 73 74 61 6E 74 2E 20 61 6C 65 72 74 28 6F 62 6A 29 3B 20 7D 3B 20 2F 2F 20 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0640; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0640; classtype:attempted-user; sid:49153; rev:1;)
# sid:49152 (SMTP side; sibling is sid:49151), CVE-2019-0644.
# Hex decodes to: n() { LF, 4-space-indented with({}) { LF, 6-space-indented arg0;
# Line endings are bare LF (0A) with no CR, so a CRLF-formatted copy of the same
# script does not match; the Windows-origin samples elsewhere in this section use
# CRLF, so the mismatch is worth a second look.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt"; flow:to_server,established; file_data; content:"|6E 28 29 20 7B 0A 20 20 20 20 77 69 74 68 28 7B 7D 29 20 7B 0A 20 20 20 20 20 20 61 72 67 30 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0644; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0644; classtype:attempted-user; sid:49152; rev:1;)
# sid:49151 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49152), CVE-2019-0644.
# Same LF-only literal as the sibling: n() { / with({}) { / arg0; with 4- and
# 6-space indentation. Exact-whitespace, exact-line-ending anchor.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt"; flow:to_client,established; file_data; content:"|6E 28 29 20 7B 0A 20 20 20 20 77 69 74 68 28 7B 7D 29 20 7B 0A 20 20 20 20 20 20 61 72 67 30 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0644; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0644; classtype:attempted-user; sid:49151; rev:1;)
# sid:49150 (SMTP side; sibling is sid:49149), CVE-2019-0607.
# Matches a Uint8Array literal that starts with the WebAssembly magic and version
# bytes (0x0,0x61,0x73,0x6d = "\0asm", then 0x1,0x0,0x0,...).
# NOTE(review): any page that embeds a wasm module as an inline byte array written in
# exactly this style matches too, and the rule is in the balanced drop policy —
# measure FP on legitimate inline-wasm content. Conversely the match is spelling-
# sensitive (0x0 vs 0x00, no spaces after commas), so other encodings are not covered.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge WebAssembly type confusion exploit attempt"; flow:to_server,established; file_data; content:"new Uint8Array([0x0,0x61,0x73,0x6d,0x1,0x0,0x0,"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0607; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0607; classtype:attempted-user; sid:49150; rev:1;)
# sid:49149 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49150), CVE-2019-0607.
# Matches new Uint8Array([0x0,0x61,0x73,0x6d,0x1,0x0,0x0, — the wasm "\0asm" magic
# plus version prefix as a byte-array literal. Fires on benign inline-wasm pages that
# use this exact spelling (drop action in balanced policy), and misses any other
# spelling of the same bytes.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge WebAssembly type confusion exploit attempt"; flow:to_client,established; file_data; content:"new Uint8Array([0x0,0x61,0x73,0x6d,0x1,0x0,0x0,"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0607; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0607; classtype:attempted-user; sid:49149; rev:1;)
# sid:49148 (SMTP side; sibling is sid:49147), CVE-2019-0650.
# Literal: Object.defineProperty(tf.__proto__.__proto__, "alias", { followed by CRLF
# and a run of spaces, then get:function( ).
# NOTE(review): the HTTP sibling matches the same statement with a single space
# instead of the CRLF+indent, so each direction covers one layout only.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge type confusion attempt"; flow:to_server,established; file_data; content:"Object.defineProperty(tf.__proto__.__proto__, |22|alias|22|, {|0D 0A 20 20 20 20 20 20 20 20 20 20 20 20 20|get:function( )"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0650; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0650; classtype:attempted-user; sid:49148; rev:1;)
# sid:49147 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49148), CVE-2019-0650.
# Literal: Object.defineProperty(tf.__proto__.__proto__, "alias", { get:function( )
# (single-space form). The SMTP sibling matches the CRLF-indented form instead; the
# two are whitespace variants of the same statement and would ideally both be
# present in both directions.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge type confusion attempt"; flow:to_client,established; file_data; content:"Object.defineProperty(tf.__proto__.__proto__, |22|alias|22|, { get:function( )"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0650; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0650; classtype:attempted-user; sid:49147; rev:1;)
# sid:49145 (SMTP side; sibling is sid:49144), CVE-2019-0606.
# Single fast_pattern:only literal: let aa = [-5.3049894784e-314 — a specific
# denormal float written out to a fixed number of digits plus the sample's variable
# name. The float is the discriminating part; the `let aa = [` prefix ties the rule
# to this one sample's naming.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge type confusion exploit attempt"; flow:to_server,established; file_data; content:"let aa = [-5.3049894784e-314"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0606; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0606; classtype:attempted-user; sid:49145; rev:1;)
# sid:49144 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49145), CVE-2019-0606.
# Same literal as the sibling: let aa = [-5.3049894784e-314. Exact digits and exact
# variable name; no tolerance for a renamed or differently-printed constant.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge type confusion exploit attempt"; flow:to_client,established; file_data; content:"let aa = [-5.3049894784e-314"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0606; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0606; classtype:attempted-user; sid:49144; rev:1;)
# sid:49143 (SMTP side; sibling is sid:49142), CVE-2019-0645.
# Fast pattern: svg1.style.setProperty("perspective", "0px"). Then window.scrollTo(0,0)
# anywhere in the buffer (no distance/within), then a1.appendChild(menuitem1) starting
# between 75 and 145 bytes after the end of that scrollTo match (distance:75;
# within:70). Identifiers svg1/a1/menuitem1 look generator-produced — hedge: the rule
# is tied to this one sample's element naming.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"svg1.style.setProperty(|22|perspective|22|, |22|0px|22|)"; fast_pattern:only; content:"window.scrollTo(0,0)"; content:"a1.appendChild(menuitem1)"; within:70; distance:75; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0645; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0645; classtype:attempted-user; sid:49143; rev:1;)
# sid:49142 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49143), CVE-2019-0645.
# Same three contents as the sibling: the setProperty("perspective", "0px") fast
# pattern, an unanchored window.scrollTo(0,0), and a1.appendChild(menuitem1) placed
# 75–145 bytes after the scrollTo match. Sample-specific element names throughout.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"svg1.style.setProperty(|22|perspective|22|, |22|0px|22|)"; fast_pattern:only; content:"window.scrollTo(0,0)"; content:"a1.appendChild(menuitem1)"; within:70; distance:75; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0645; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0645; classtype:attempted-user; sid:49142; rev:1;)
# sid:49141 (SMTP side; sibling is sid:49140), CVE-2019-0610.
# Single literal: new ArrayBuffer(0x20000000) — a 512 MiB allocation written in hex.
# Only this exact spelling matches; the decimal equivalent (536870912), a different
# hex case, or any other size is not covered. Conversely a legitimate page allocating
# exactly this size trips a drop in the balanced policy.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge ArrayBuffer out of bounds write attempt"; flow:to_server,established; file_data; content:"new ArrayBuffer(0x20000000)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0610; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0610; classtype:attempted-user; sid:49141; rev:1;)
# sid:49140 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49141), CVE-2019-0610.
# Same single literal: new ArrayBuffer(0x20000000). Spelling-exact (hex, that size
# only); no nocase, so 0X20000000 would also be missed.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge ArrayBuffer out of bounds write attempt"; flow:to_client,established; file_data; content:"new ArrayBuffer(0x20000000)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0610; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0610; classtype:attempted-user; sid:49140; rev:1;)
# sid:49139 (SMTP side; sibling is sid:49138), CVE-2019-0651.
# Literal decodes to: [1.1]; evil[0] = 6.17651672645e-312;} return evil;}
# The discriminator is the specific denormal constant; the surrounding text (variable
# name evil, brace placement, single spaces) is sample formatting and makes the match
# exact-layout only.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine type confusion attempt"; flow:to_server,established; file_data; content:"[1.1]|3B| evil[0] = 6.17651672645e-312|3B|} return evil|3B|}"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0651; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0651; classtype:attempted-user; sid:49139; rev:1;)
# sid:49138 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49139), CVE-2019-0651.
# Same literal: [1.1]; evil[0] = 6.17651672645e-312;} return evil;}. Keyed on one
# sample's constant, variable name and brace/space layout.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine type confusion attempt"; flow:to_client,established; file_data; content:"[1.1]|3B| evil[0] = 6.17651672645e-312|3B|} return evil|3B|}"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0651; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0651; classtype:attempted-user; sid:49138; rev:1;)
# sid:49137 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49136), CVE-2019-0652.
# Literal decodes to: let heap_obj = inlinee(stack_obj); CRLF CRLF, four spaces,
# func( — the sample's own identifiers plus an exact blank line and indent. CRLF-only.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge scripting engine remote code execution attempt"; flow:to_client,established; file_data; content:"let heap_obj = inlinee(stack_obj)|3B 0D 0A 0D 0A 20 20 20 20|func("; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0652; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0652; classtype:attempted-user; sid:49137; rev:1;)
# sid:49136 (SMTP side; sibling is sid:49137), CVE-2019-0652.
# Same literal as the sibling: let heap_obj = inlinee(stack_obj); plus CRLF, blank
# CRLF, 4 spaces and func(. Whitespace- and name-exact.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge scripting engine remote code execution attempt"; flow:to_server,established; file_data; content:"let heap_obj = inlinee(stack_obj)|3B 0D 0A 0D 0A 20 20 20 20|func("; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0652; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0652; classtype:attempted-user; sid:49136; rev:1;)
# sid:49135 (SMTP side; sibling is sid:49134), CVE-2019-0591.
# Literal: dv.setUint32(0x38 + 4, hi, true) followed by CRLF and a closing brace.
# Keyed on the sample's DataView variable name, its un-folded "0x38 + 4" offset
# expression and CRLF line ending; the same write spelled 0x3c or with other names
# is not covered.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge type confusion attempt"; flow:to_server,established; file_data; content:"dv.setUint32(0x38 + 4, hi, true)|0D 0A|}"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0591; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0591; classtype:attempted-user; sid:49135; rev:1;)
# sid:49134 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49135), CVE-2019-0591.
# Same literal: dv.setUint32(0x38 + 4, hi, true) CRLF }. Name-, expression- and
# line-ending-exact.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge type confusion attempt"; flow:to_client,established; file_data; content:"dv.setUint32(0x38 + 4, hi, true)|0D 0A|}"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0591; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0591; classtype:attempted-user; sid:49134; rev:1;)
# sid:49131 (SMTP side; sibling is sid:49130), CVE-2019-0593.
# Fast pattern is the constant 2261635.5098039214. Then o.valueOf anywhere in the
# buffer, and o.valueOf() starting 35–90 bytes after the end of that match
# (distance:35; within:55). Only the constant is sample-independent; `o` is the
# sample's variable name.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge type confusion exploit attempt"; flow:to_server,established; file_data; content:"2261635.5098039214"; fast_pattern:only; content:"o.valueOf"; content:"o.valueOf()"; within:55; distance:35; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0593; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0593; classtype:attempted-user; sid:49131; rev:1;)
# sid:49130 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49131), CVE-2019-0593.
# Same three contents: constant 2261635.5098039214 (fast pattern), an unanchored
# o.valueOf, then o.valueOf() 35–90 bytes later. Variable name `o` is sample-specific.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge type confusion exploit attempt"; flow:to_client,established; file_data; content:"2261635.5098039214"; fast_pattern:only; content:"o.valueOf"; content:"o.valueOf()"; within:55; distance:35; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0593; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0593; classtype:attempted-user; sid:49130; rev:1;)
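# sid:49129 (SMTP side; sibling is sid:49128), CVE-2019-0590.
# Fix: `file_data;` was written twice in a row; the duplicate is redundant and makes
# this rule differ from sibling sid:49128, which has it once. Removed, rev bumped.
# Detection: the loop body for (let i = 0; i < n; i++) { CRLF, 8 spaces, new cls();
# plus the literal 0x00010000 anywhere in the buffer. Note fast_pattern:only sits on
# the short, very common 0x00010000 token, so the fast matcher pre-filters on it and
# the long loop literal does the real discrimination afterwards.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge type confusion attempt"; flow:to_server,established; file_data; content:"for (let i = 0|3B| i < n|3B| i++) {|0D 0A 20 20 20 20 20 20 20 20|new cls()|3B|"; content:"0x00010000"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0590; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0590; classtype:attempted-user; sid:49129; rev:2;)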
# sid:49128 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49129), CVE-2019-0590.
# Two contents: the loop literal for (let i = 0; i < n; i++) { CRLF + 8 spaces +
# new cls(); and the unanchored token 0x00010000, which carries fast_pattern:only.
# 0x00010000 is a weak pre-filter (common in benign code); the loop literal, with its
# exact whitespace and the names n/cls, is what actually narrows the match.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge type confusion attempt"; flow:to_client,established; file_data; content:"for (let i = 0|3B| i < n|3B| i++) {|0D 0A 20 20 20 20 20 20 20 20|new cls()|3B|"; content:"0x00010000"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0590; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0590; classtype:attempted-user; sid:49128; rev:1;)
# sid:49395 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49394), CVE-2019-0609.
# Literal decodes to: function b() { CRLF, 12 spaces, let tmp = [d]; CRLF, 4 spaces.
# Keyed on one-letter sample names (b, d, tmp) and an exact, somewhat irregular
# indentation pattern; a re-indented copy is not covered.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"function b() {|0D 0A 20 20 20 20 20 20 20 20 20 20 20 20|let tmp = [d]|3B 0D 0A 20 20 20 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0609; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0609; classtype:attempted-user; sid:49395; rev:1;)
# sid:49394 (SMTP side; sibling is sid:49395), CVE-2019-0609.
# Same literal: function b() { CRLF + 12 spaces + let tmp = [d]; CRLF + 4 spaces.
# Exact names and whitespace only.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"function b() {|0D 0A 20 20 20 20 20 20 20 20 20 20 20 20|let tmp = [d]|3B 0D 0A 20 20 20 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0609; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0609; classtype:attempted-user; sid:49394; rev:1;)
# sid:49389 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49388), rev 2, covers both
# CVE-2019-0680 and CVE-2019-0770.
# Fast pattern: (Date.now() - start < 200 — a 200 ms busy-wait condition. The other
# two contents, .postMessage and .terminate, have no distance/within and so only
# require the two Worker API names to appear somewhere in the buffer.
# NOTE(review): all three tokens occur in benign Worker test/benchmark code; with a
# drop action in the balanced policy the FP rate deserves measurement, and tying
# .postMessage/.terminate positionally to the loop would tighten it.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"|28|Date.now|28 29| - start < 200"; fast_pattern:only; content:".postMessage"; content:".terminate"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0680; reference:cve,2019-0770; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0680; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0770; classtype:attempted-user; sid:49389; rev:2;)
# sid:49388 (SMTP side; sibling is sid:49389), rev 2, CVE-2019-0680 / CVE-2019-0770.
# Same contents: (Date.now() - start < 200 as fast pattern plus unanchored
# .postMessage and .terminate. See the sibling for the FP/positional-constraint note.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"|28|Date.now|28 29| - start < 200"; fast_pattern:only; content:".postMessage"; content:".terminate"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0680; reference:cve,2019-0770; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0680; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0770; classtype:attempted-user; sid:49388; rev:2;)
# sid:49387 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49386), CVE-2019-0667.
# Hex decodes to VBScript source: rty CRLF End Class CRLF, three blank CRLFs,
# Class class2 CRLF, two spaces, Private Sub Class_Term — i.e. the sample's class
# scaffolding with exact blank-line count and indent.
# NOTE(review): the msg says "Microsoft Edge" but the matched content is VBScript,
# which is an Internet Explorer / scripting-engine construct; confirm the product
# attribution in the msg against the advisory.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"|72 74 79 0D 0A 45 6E 64 20 43 6C 61 73 73 0D 0A 0D 0A 0D 0A 0D 0A 43 6C 61 73 73 20 63 6C 61 73 73 32 0D 0A 20 20 50 72 69 76 61 74 65 20 53 75 62 20 43 6C 61 73 73 5F 54 65 72 6D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0667; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0667; classtype:attempted-user; sid:49387; rev:1;)
# sid:49386 (SMTP side; sibling is sid:49387), CVE-2019-0667.
# Same VBScript literal (End Class / blank lines / Class class2 / Private Sub
# Class_Term). The msg names Microsoft Edge although the content is VBScript —
# verify the attribution; see the sibling's note.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"|72 74 79 0D 0A 45 6E 64 20 43 6C 61 73 73 0D 0A 0D 0A 0D 0A 0D 0A 43 6C 61 73 73 20 63 6C 61 73 73 32 0D 0A 20 20 50 72 69 76 61 74 65 20 53 75 62 20 43 6C 61 73 73 5F 54 65 72 6D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0667; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0667; classtype:attempted-user; sid:49386; rev:1;)
# sid:49385 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49384), CVE-2019-0763.
# Hex decodes to: uaf(); CRLF </script> CRLF <nolayer><small>here</small></nolayer>
# CRLF < — the sample's call site and placeholder markup ("here"). Anchoring on the
# trigger function's name and filler text means only this exact file is covered.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_client,established; file_data; content:"|75 61 66 28 29 3B 0D 0A 3C 2F 73 63 72 69 70 74 3E 0D 0A 3C 6E 6F 6C 61 79 65 72 3E 3C 73 6D 61 6C 6C 3E 68 65 72 65 3C 2F 73 6D 61 6C 6C 3E 3C 2F 6E 6F 6C 61 79 65 72 3E 0D 0A 3C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0763; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0763; classtype:attempted-user; sid:49385; rev:1;)
# sid:49384 (SMTP side; sibling is sid:49385), CVE-2019-0763.
# Same literal: uaf(); CRLF </script> CRLF <nolayer><small>here</small></nolayer>
# CRLF <. Sample-specific scaffolding only.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_server,established; file_data; content:"|75 61 66 28 29 3B 0D 0A 3C 2F 73 63 72 69 70 74 3E 0D 0A 3C 6E 6F 6C 61 79 65 72 3E 3C 73 6D 61 6C 6C 3E 68 65 72 65 3C 2F 73 6D 61 6C 6C 3E 3C 2F 6E 6F 6C 61 79 65 72 3E 0D 0A 3C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0763; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0763; classtype:attempted-user; sid:49384; rev:1;)
# sid:49383 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49382), CVE-2019-0639.
# Literal decodes to: ({}).__proto__.__defineSetter__('raiseNeedObjectOfType
# The property name is the distinctive part; the ({}) receiver and single-quote
# spelling are sample formatting (a double-quoted or differently-rooted call is not
# covered).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"|28 7B 7D 29|.__proto__.__defineSetter__|28 27|raiseNeedObjectOfType"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0639; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0639; classtype:attempted-user; sid:49383; rev:1;)
# sid:49382 (SMTP side; sibling is sid:49383), CVE-2019-0639.
# Same literal: ({}).__proto__.__defineSetter__('raiseNeedObjectOfType. Quote style
# and receiver expression are fixed by the sample.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"|28 7B 7D 29|.__proto__.__defineSetter__|28 27|raiseNeedObjectOfType"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0639; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0639; classtype:attempted-user; sid:49382; rev:1;)
# sid:49381 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49380), rev 2, covers
# CVE-2019-0773 and CVE-2019-0861.
# Hex decodes to: LF function jit2(victim, giveMeMissingValue, changeMe)
# Because the literal begins with a bare LF, it matches both LF and CRLF files (the
# CR simply precedes the match) — a good choice compared with the CRLF-only anchors
# elsewhere in this section. It is still tied to the sample's function and parameter
# names.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"|0A 66 75 6E 63 74 69 6F 6E 20 6A 69 74 32 28 76 69 63 74 69 6D 2C 20 67 69 76 65 4D 65 4D 69 73 73 69 6E 67 56 61 6C 75 65 2C 20 63 68 61 6E 67 65 4D 65 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0773; reference:cve,2019-0861; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0773; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0861; classtype:attempted-user; sid:49381; rev:2;)
# sid:49380 (SMTP side; sibling is sid:49381), rev 2, CVE-2019-0773 / CVE-2019-0861.
# Same literal: LF function jit2(victim, giveMeMissingValue, changeMe). Leading bare
# LF makes it line-ending agnostic; names are sample-specific.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"|0A 66 75 6E 63 74 69 6F 6E 20 6A 69 74 32 28 76 69 63 74 69 6D 2C 20 67 69 76 65 4D 65 4D 69 73 73 69 6E 67 56 61 6C 75 65 2C 20 63 68 61 6E 67 65 4D 65 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0773; reference:cve,2019-0861; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0773; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0861; classtype:attempted-user; sid:49380; rev:2;)
# sid:49379 (FTP/HTTP/IMAP/POP3 side; sibling is sid:49378), CVE-2019-0768.
# Hex decodes to: CRLF <script language="VBScript.Encode"> CRLF MsgBox "Hello" CRLF
# </scr — a VBScript.Encode script block whose body is the placeholder MsgBox "Hello".
# NOTE(review): the body text is PoC filler, so the effective discriminator is just
# the VBScript.Encode script tag with that exact attribute spelling and CRLF layout;
# a different (or non-trivial) body is not covered.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_client,established; file_data; content:"|0D 0A 3C 73 63 72 69 70 74 20 6C 61 6E 67 75 61 67 65 3D 22 56 42 53 63 72 69 70 74 2E 45 6E 63 6F 64 65 22 3E 0D 0A 4D 73 67 42 6F 78 20 22 48 65 6C 6C 6F 22 0D 0A 3C 2F 73 63 72|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0768; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0768; classtype:attempted-user; sid:49379; rev:1;)
# sid:49378 (SMTP side; sibling is sid:49379), CVE-2019-0768.
# Same literal: CRLF <script language="VBScript.Encode"> CRLF MsgBox "Hello" CRLF
# </scr. Keyed on a placeholder script body; see the sibling's note.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer memory corruption attempt"; flow:to_server,established; file_data; content:"|0D 0A 3C 73 63 72 69 70 74 20 6C 61 6E 67 75 61 67 65 3D 22 56 42 53 63 72 69 70 74 2E 45 6E 63 6F 64 65 22 3E 0D 0A 4D 73 67 42 6F 78 20 22 48 65 6C 6C 6F 22 0D 0A 3C 2F 73 63 72|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0768; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0768; classtype:attempted-user; sid:49378; rev:1;)
# sid 49375 (disabled by the leading #, and carries no policy metadata, so even when enabled it
# only alerts): CVE-2013-3882 CAnchorElement UAF, SMTP side. With no explicit fast_pattern the
# longest content ".runtimeStyle.posWidth" is the prefilter; parseInt and .focus() must each
# follow within 50 bytes of the previous match. All three literals are case-sensitive.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt"; flow:to_server,established; file_data; content:".runtimeStyle.posWidth"; content:"parseInt"; within:50; content:".focus()"; within:50; metadata:service smtp; reference:cve,2013-3882; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-080; classtype:attempted-user; sid:49375; rev:1;)
# sid 49374 (disabled by the leading #, no policy metadata -> alert-only if enabled): client-side
# twin of sid 49375 for CVE-2013-3882. ".runtimeStyle.posWidth" is the implicit fast pattern;
# parseInt and .focus() must follow within 50 bytes each; all matches case-sensitive.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt"; flow:to_client,established; file_data; content:".runtimeStyle.posWidth"; content:"parseInt"; within:50; content:".focus()"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3882; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-080; classtype:attempted-user; sid:49374; rev:1;)
# sid 49372: |3B 0D 0A 20 20| is ";\r\n  ", so the rule requires CRLF line endings and exactly
# two spaces of indent between "var d = new Document()" and "d.adoptNode(o)", plus the PoC's
# variable names d and o. fast_pattern:only makes this literal the whole test; an LF-only or
# re-indented copy of the CVE-2019-0612 PoC evades.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge security feature bypass attempt"; flow:to_client,established; file_data; content:"var d = new Document()|3B 0D 0A 20 20|d.adoptNode(o)|3B 0D 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0612; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0612; classtype:attempted-user; sid:49372; rev:1;)
# sid 49371, SMTP twin of sid 49372 (CVE-2019-0612). Same whitespace-exact literal: ";\r\n  "
# between the two statements, PoC variable names d/o, fast_pattern:only. LF-only or re-indented
# copies are not caught.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge security feature bypass attempt"; flow:to_server,established; file_data; content:"var d = new Document()|3B 0D 0A 20 20|d.adoptNode(o)|3B 0D 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0612; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0612; classtype:attempted-user; sid:49371; rev:1;)
# sid 49369: the hex content decodes to
# "vt = read32(hi, lo + 4).toString(16) + read32(hi, lo).to" -- the PoC's read32 leak helper
# and its variable names, so this flags that exploit sample rather than CVE-2019-0592 in
# general. fast_pattern:only: no other checks are applied.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"|76 74 20 3D 20 72 65 61 64 33 32 28 68 69 2C 20 6C 6F 20 2B 20 34 29 2E 74 6F 53 74 72 69 6E 67 28 31 36 29 20 2B 20 72 65 61 64 33 32 28 68 69 2C 20 6C 6F 29 2E 74 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0592; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0592; classtype:attempted-user; sid:49369; rev:1;)
# sid 49368, SMTP twin of sid 49369 (CVE-2019-0592). Same literal,
# "vt = read32(hi, lo + 4).toString(16) + read32(hi, lo).to" -- PoC helper/variable names,
# fast_pattern:only, no other checks.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"|76 74 20 3D 20 72 65 61 64 33 32 28 68 69 2C 20 6C 6F 20 2B 20 34 29 2E 74 6F 53 74 72 69 6E 67 28 31 36 29 20 2B 20 72 65 61 64 33 32 28 68 69 2C 20 6C 6F 29 2E 74 6F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0592; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0592; classtype:attempted-user; sid:49368; rev:1;)
# sid 49365: the hex content decodes to the VBScript fragment
# "  Next\r\n\r\n  msgbox(\"failed\")\r\n\r\nEnd Sub\r\n\r\nClass class1\r\n  P" -- the PoC's class
# name, CRLF endings and two-space indent are all required. fast_pattern:only, no other checks;
# CVE-2019-0665 PoC indicator rather than generic coverage.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge reference count memory corruption attempt"; flow:to_client,established; file_data; content:"|20 20 4E 65 78 74 0D 0A 0D 0A 20 20 6D 73 67 62 6F 78 28 22 66 61 69 6C 65 64 22 29 0D 0A 0D 0A 45 6E 64 20 53 75 62 0D 0A 0D 0A 43 6C 61 73 73 20 63 6C 61 73 73 31 0D 0A 20 20 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0665; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0665; classtype:attempted-user; sid:49365; rev:1;)
# sid 49364, SMTP twin of sid 49365 (CVE-2019-0665). Same VBScript literal
# ("  Next\r\n\r\n  msgbox(\"failed\")\r\n\r\nEnd Sub\r\n\r\nClass class1\r\n  P"): PoC class name,
# CRLF endings and indent all required; fast_pattern:only.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge reference count memory corruption attempt"; flow:to_server,established; file_data; content:"|20 20 4E 65 78 74 0D 0A 0D 0A 20 20 6D 73 67 62 6F 78 28 22 66 61 69 6C 65 64 22 29 0D 0A 0D 0A 45 6E 64 20 53 75 62 0D 0A 0D 0A 43 6C 61 73 73 20 63 6C 61 73 73 31 0D 0A 20 20 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0665; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0665; classtype:attempted-user; sid:49364; rev:1;)
# sid 49627: carries no reference: option -- add the advisory/CVE for this Edge
# performance.getEntries() resource-entry same-origin bypass once it is known. With no explicit
# fast_pattern the longest content, "performance.getEntries", is the prefilter; it must occur
# within 150 bytes after "embed src=", then "resource" and ".name" within 50 bytes each. All
# four matches are nocase.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge resource entry same-origin-policy bypass attempt"; flow:to_client,established; file_data; content:"embed src="; nocase; content:"performance.getEntries"; within:150; nocase; content:"resource"; within:50; nocase; content:".name"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:49627; rev:1;)
# sid 49626, SMTP twin of sid 49627: no reference: option either -- add the advisory/CVE when
# known. Same chain: "embed src=" -> "performance.getEntries" (implicit fast pattern, within
# 150) -> "resource" -> ".name" (within 50 each), all nocase.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge resource entry same-origin-policy bypass attempt"; flow:to_server,established; file_data; content:"embed src="; nocase; content:"performance.getEntries"; within:150; nocase; content:"resource"; within:50; nocase; content:".name"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:49626; rev:1;)
# sid 49753: matches the CVE-2019-0862 PoC call "f(new RegExp,new RegExp,new RegExp,new"
# byte-for-byte (single-letter function name, no whitespace after the commas).
# fast_pattern:only, so any reformatting or renaming of the same call evades.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer use-after-free attempt"; flow:to_server,established; file_data; content:"f(new RegExp,new RegExp,new RegExp,new"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0862; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0862; classtype:attempted-user; sid:49753; rev:1;)
# sid 49752, client-side twin of sid 49753 (CVE-2019-0862): same PoC-exact literal
# "f(new RegExp,new RegExp,new RegExp,new", fast_pattern:only; whitespace or name changes
# in the call evade.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer use-after-free attempt"; flow:to_client,established; file_data; content:"f(new RegExp,new RegExp,new RegExp,new"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0862; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0862; classtype:attempted-user; sid:49752; rev:1;)
# sid 49726 (disabled; drops only in max-detect and security policies): CVE-2016-3222. Requires
# window.onload, then document.isEqualNode( and, inside that call's argument, either a
# MediaStream()/MediaSource() constructor or a .getVideoPlaybackQuality()/.audioTracks/
# .videoTracks/.textTracks access (pcre /sm, case-sensitive). The [^)]+ in the pcre means an
# argument containing an earlier ")" is not matched.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt"; flow:to_server,established; file_data; content:"window.onload"; content:"document.isEqualNode("; distance:0; pcre:"/document\.isEqualNode\x28[^)]+(\x28?new MediaS(tream\x28\x29|ource\x28\x29)|\w+\.(getVideoPlaybackQuality\x28\x29|(audio|video|text)Tracks))/sm"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3222; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-068; classtype:attempted-user; sid:49726; rev:1;)
# sid 49725 (disabled; drops only in max-detect and security policies): client-side twin of
# sid 49726 for CVE-2016-3222. Same window.onload -> document.isEqualNode( chain and the same
# case-sensitive /sm pcre requiring a MediaStream/MediaSource constructor or a media-track /
# getVideoPlaybackQuality access inside the isEqualNode argument.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt"; flow:to_client,established; file_data; content:"window.onload"; content:"document.isEqualNode("; distance:0; pcre:"/document\.isEqualNode\x28[^)]+(\x28?new MediaS(tream\x28\x29|ource\x28\x29)|\w+\.(getVideoPlaybackQuality\x28\x29|(audio|video|text)Tracks))/sm"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3222; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-068; classtype:attempted-user; sid:49725; rev:1;)
# sid 49723: CVE-2019-0829 PoC; "jit2(farr, [1.1,2.2], farr)" is the sample's own call. The
# distance/within offsets (260/60, 160/60, 150/65) differ from the client-side twin sid 49722
# (210/65, 150/55, 130/70) -- presumably tuned to the MIME-encoded layout of the mail sample;
# confirm against the captured samples before adjusting either rule.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"jit2(farr, [1.1,2.2], farr)"; fast_pattern:only; content:"[].slice()"; content:"Array.isArray([])"; within:60; distance:260; content:"[].slice()"; within:60; distance:160; content:"6.17651672645e-312"; within:65; distance:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0829; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0829; classtype:attempted-user; sid:49723; rev:1;)
# sid 49722: CVE-2019-0829 PoC, client side; "jit2(farr, [1.1,2.2], farr)" is the sample's
# own call and the relative offsets (210/65, 150/55, 130/70) are specific to its layout. The
# SMTP twin sid 49723 uses different offsets (260/60, 160/60, 150/65) -- presumably MIME
# encoding; verify against samples before editing either.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"jit2(farr, [1.1,2.2], farr)"; fast_pattern:only; content:"[].slice()"; content:"Array.isArray([])"; within:65; distance:210; content:"[].slice()"; within:55; distance:150; content:"6.17651672645e-312"; within:70; distance:130; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0829; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0829; classtype:attempted-user; sid:49722; rev:1;)
# sid 49717: CVE-2019-0806 PoC; opt(tmp, {x:1, y:1}), clz and ff are the sample's own
# identifiers. Offsets (distance 140 / within 65, distance 40 / within 60) differ from the
# client twin sid 49716 (100/60, 30/60) -- presumably MIME layout; verify against the samples
# before editing.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"opt(tmp, {x:1, y:1})"; fast_pattern:only; content:"clz.prototype"; content:"ff.prototype"; within:65; distance:140; content:"Array.isArray(a)"; within:60; distance:40; content:"ff.prototype"; within:35; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0806; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0806; classtype:attempted-user; sid:49717; rev:1;)
# sid 49716: CVE-2019-0806 PoC, client side; opt(tmp, {x:1, y:1}), clz and ff are the sample's
# own identifiers and the offsets (100/60, 30/60) its layout. SMTP twin sid 49717 uses
# 140/65, 40/60 -- presumably MIME layout; verify against samples before editing.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"opt(tmp, {x:1, y:1})"; fast_pattern:only; content:"clz.prototype"; content:"ff.prototype"; within:60; distance:100; content:"Array.isArray(a)"; within:60; distance:30; content:"ff.prototype"; within:35; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0806; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0806; classtype:attempted-user; sid:49716; rev:1;)
# sid 49711: CVE-2019-0810 PoC. fast_pattern sits on "Array.isArray(a)", a very common JS idiom,
# so the whole relative chain is evaluated for every message containing it; the "2.3023e-320"
# literal is far rarer and would be a cheaper prefilter (match semantics unchanged, only the
# fast_pattern placement). The offsets (200/50, 40/55, 40, 30) are PoC-layout specific.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"opt(a, b){"; content:"opt(o, {})"; within:50; distance:200; content:"2.3023e-320"; within:55; distance:40; content:"Array.isArray(a)"; within:40; fast_pattern; content:"opt(a, a)"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0810; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0810; classtype:attempted-user; sid:49711; rev:1;)
# sid 49710: CVE-2019-0810 PoC, client side. As in the SMTP twin sid 49711, fast_pattern is on
# the common idiom "Array.isArray(a)" rather than the rarer "2.3023e-320" literal already in the
# chain -- moving it would not change what matches, only how often the chain is evaluated.
# Offsets (20/55, 35, 40, 30) are PoC-layout specific.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"opt(o, {})"; content:"c:2.3023e"; within:55; distance:20; content:"2.3023e-320"; within:35; content:"Array.isArray(a)"; within:40; fast_pattern; content:"opt(a, a)"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0810; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0810; classtype:attempted-user; sid:49710; rev:1;)
# sid 49709: CVE-2019-0753 PoC. CreateObject("MSXML2.SAXXMLReader") and the putProperty calls
# are matched case-sensitively (no nocase) although VBScript identifiers and COM ProgIDs are
# case-insensitive, and reader/o/o1/o2 are the sample's own variable names. The first offset
# (distance 410) differs from the client twin sid 49708 (380) -- presumably MIME layout.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"toString:function(){"; content:"CreateObject(|22|MSXML2.SAXXMLReader|22|)"; within:85; distance:410; content:"reader.putProperty(|22|input-source|22|, o)"; within:80; distance:15; content:"reader.putProperty(o1, o2)"; within:70; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0753; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0753; classtype:attempted-user; sid:49709; rev:1;)
# sid 49708: CVE-2019-0753 PoC, client side. Same case-sensitive CreateObject / putProperty
# literals and PoC variable names as sid 49709 (VBScript and ProgIDs are case-insensitive, so a
# re-cased sample evades); first content is "toString:function()" without the "{" the SMTP
# twin requires, and distance 380 instead of 410.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"toString:function()"; content:"CreateObject(|22|MSXML2.SAXXMLReader|22|)"; within:85; distance:380; content:"reader.putProperty(|22|input-source|22|, o)"; within:80; distance:15; content:"reader.putProperty(o1, o2)"; within:70; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0753; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0753; classtype:attempted-user; sid:49708; rev:1;)
# sid 49707: CVE-2019-0860 PoC; func_0 and var_1 are the sample's identifiers. Offsets
# (distance 210, 230, 210) differ markedly from the client twin sid 49706 (15, none, 70) --
# presumably MIME/quoted-printable layout; verify against the samples before editing either.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"func_0(function () {|27|use strict|27|"; fast_pattern:only; content:"func_0(f, p = {})"; content:"f.arguments"; within:55; distance:210; content:"new Proxy({}, {})"; within:60; distance:230; content:"func_0(class C {}, var_1)"; within:65; distance:210; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0860; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0860; classtype:attempted-user; sid:49707; rev:1;)
# sid 49706: CVE-2019-0860 PoC, client side; func_0 and var_1 are the sample's identifiers.
# Offsets (distance 15, none, 70) are much tighter than the SMTP twin sid 49707 (210, 230,
# 210) -- presumably the mail sample is MIME-encoded; verify against samples before editing.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"func_0(function () {|27|use strict|27|"; fast_pattern:only; content:"func_0(f, p = {})"; content:"f.arguments"; within:55; distance:15; content:"new Proxy({}, {})"; within:60; content:"func_0(class C {}, var_1)"; within:70; distance:70; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0860; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0860; classtype:attempted-user; sid:49706; rev:1;)
# sid 49703: CVE-2019-0752 PoC. Requires CRLF blank lines, a lowercase <script language="vbscript">
# tag (no nocase, although HTML tag and attribute names are case-insensitive) and the PoC class
# name cla0. fast_pattern:only -- no other checks; re-cased or LF-only copies evade.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"|0D 0A 0D 0A|</script>|0D 0A 0D 0A|<script language=|22|vbscript|22|>|0D 0A 0D 0A|class cla0|0D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0752; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0752; classtype:attempted-user; sid:49703; rev:1;)
# sid 49702: CVE-2019-0752 PoC, client side. Same whitespace- and case-exact literal as sid
# 49703: CRLF blank lines, lowercase <script language="vbscript">, PoC class name cla0;
# fast_pattern:only, no other checks.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"|0D 0A 0D 0A|</script>|0D 0A 0D 0A|<script language=|22|vbscript|22|>|0D 0A 0D 0A|class cla0|0D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0752; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0752; classtype:attempted-user; sid:49702; rev:1;)
# sid 49699: CVE-2019-0812 PoC; matches the exact spacing of the getter definition and the
# sample's magic assignment str.x = 0x12345670. Both literals are case-sensitive and
# PoC-specific, so a renamed variable or a different sentinel value evades.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; file_data; content:"str.__defineGetter__(|22|x|22|,function() {})"; fast_pattern:only; content:"str.x = 0x12345670"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0812; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0812; classtype:attempted-user; sid:49699; rev:1;)
# sid 49698: CVE-2019-0812 PoC, client side; same PoC-exact getter literal and the
# str.x = 0x12345670 sentinel as sid 49699. Renaming str or changing the value evades.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; file_data; content:"str.__defineGetter__(|22|x|22|,function() {})"; fast_pattern:only; content:"str.x = 0x12345670"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0812; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0812; classtype:attempted-user; sid:49698; rev:1;)
# sid 49687 (disabled; drops only in max-detect): CVE-2016-7288. The pcre ties a typed-array
# variable declared after postMessage( to a later .sort( on the same name via a named
# backreference; its two .*? under /s scan the whole file_data buffer, which can be costly on
# large scripts, and "postMessage(" is a common fast pattern in ordinary web applications.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_server,established; file_data; content:"postMessage("; fast_pattern:only; content:"ArrayBuffer("; content:".sort"; pcre:"/postMessage\s*\x28.*?var\s*(?P<typedArrayName>\w+)\s*=\s*new\s*(U?[Ii]nt|Float)(64|32|16|8)(Clamped)?Array\x28.*?(?P=typedArrayName)\.sort\x28/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-7288; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-145; classtype:attempted-user; sid:49687; rev:1;)
# sid 49686 (disabled; drops only in max-detect): client-side twin of sid 49687 for
# CVE-2016-7288. Same named-backreference pcre (typed array declared after postMessage(, then
# .sort( on that name) with two unbounded .*? scans under /s; "postMessage(" as fast pattern
# will prefilter a large share of modern web content.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_client,established; file_data; content:"postMessage("; fast_pattern:only; content:"ArrayBuffer("; content:".sort"; pcre:"/postMessage\s*\x28.*?var\s*(?P<typedArrayName>\w+)\s*=\s*new\s*(U?[Ii]nt|Float)(64|32|16|8)(Clamped)?Array\x28.*?(?P=typedArrayName)\.sort\x28/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7288; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-145; classtype:attempted-user; sid:49686; rev:1;)
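# sid 49800: MHTML XXE via a parameter entity. Depends on the file.mht flowbit being set by the
# MHT file-type rule, which lives outside this section. rev 2 widens the SYSTEM literal from
# "http://" to "http" so an https:// external DTD is caught as well (the fast pattern
# "<!ENTITY % " and the ".xml\">" tail are unchanged). Still uncovered: file:// or ftp:// URIs,
# DTDs whose name does not end in .xml", and whitespace other than a single space after
# "<!ENTITY" -- widen further only with a sample to test against.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer MHTML XXE external entity attempt"; flow:to_client,established; flowbits:isset,file.mht; file_data; content:"<?xml"; nocase; content:"<!ENTITY % "; fast_pattern; nocase; content:"SYSTEM |22|http"; within:150; nocase; content:".xml|22|>"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt; classtype:attempted-user; sid:49800; rev:2;)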
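# sid 49799: SMTP twin of sid 49800 (MHTML XXE via a parameter entity); needs the file.mht
# flowbit from the MHT file-type rule outside this section. rev 2 widens the SYSTEM literal from
# "http://" to "http" so https:// external DTDs are caught too; fast pattern and the ".xml\">"
# tail unchanged. file:// / ftp:// URIs, non-.xml DTD names and tab/multi-space whitespace after
# "<!ENTITY" remain uncovered.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer MHTML XXE external entity attempt"; flow:to_server,established; flowbits:isset,file.mht; file_data; content:"<?xml"; nocase; content:"<!ENTITY % "; fast_pattern; nocase; content:"SYSTEM |22|http"; within:150; nocase; content:".xml|22|>"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt; classtype:attempted-user; sid:49799; rev:2;)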
# sid 49812 (disabled; drops only in max-detect): CVE-2012-4787. Prefilter is CollectGarbage;
# then a ul element's .style.<prop> followed by .innerHTML, where the pcre's negative lookahead
# requires <prop> NOT to be one of the listed known CSS property names (case-insensitive).
# Anything absent from that list, benign or not, satisfies the lookahead, so the PoC-specific
# getElementsByTagName("ul")[0] match is what keeps this from firing on ordinary pages.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer invalid object property memory corruption attempt"; flow:to_server,established; file_data; content:"CollectGarbage"; fast_pattern:only; content:"document.getElementsByTagName(|22|ul|22|)[0]"; nocase; content:".style."; distance:0; nocase; content:".innerHTML"; distance:0; nocase; pcre:"/\x2estyle\x2e(?!(fontWeight|textAlign|wordSpacing|textIndent|widows|font\x20|list|fontVariant|color|maxHeight|overflow|outline|zIndex|padding|width|clear|empty|cursor|minWidth|height|left|background|maxWidth|display|border|position|right|top|vertical|visibility|bottom|margin|clip|caption|pageBreak|fontFamily|orphans|whiteSpace|textDecoration|unicode|textTransform|quotes|letter|lineHeight|fontStyle|fontSize\x20|cssText|direction|table))/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-4787; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-077; classtype:attempted-user; sid:49812; rev:1;)
# sid 49811 (disabled; drops only in max-detect): client-side twin of sid 49812 for
# CVE-2012-4787. CollectGarbage prefilter, PoC-specific getElementsByTagName("ul")[0], then
# .style.<prop> -> .innerHTML with a negative-lookahead allow-list of CSS names; any property
# not on the list (case-insensitive) passes the lookahead.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer invalid object property memory corruption attempt"; flow:to_client,established; file_data; content:"CollectGarbage"; fast_pattern:only; content:"document.getElementsByTagName(|22|ul|22|)[0]"; nocase; content:".style."; distance:0; nocase; content:".innerHTML"; distance:0; nocase; pcre:"/\x2estyle\x2e(?!(fontWeight|textAlign|wordSpacing|textIndent|widows|font\x20|list|fontVariant|color|maxHeight|overflow|outline|zIndex|padding|width|clear|empty|cursor|minWidth|height|left|background|maxWidth|display|border|position|right|top|vertical|visibility|bottom|margin|clip|caption|pageBreak|fontFamily|orphans|whiteSpace|textDecoration|unicode|textTransform|quotes|letter|lineHeight|fontStyle|fontSize\x20|cssText|direction|table))/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4787; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-077; classtype:attempted-user; sid:49811; rev:1;)
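# sid 49806: CVE-2015-1705 / MS15-043 IE Element UAF, SMTP side. rev 2 changes classtype from
# attempted-admin to attempted-user: every other IE/Edge memory-corruption rule in this file
# classifies the same impact (code execution as the browsing user) as attempted-user, and
# nothing in this rule indicates a privilege escalation. The fast pattern
# |5B 22|onprop|22| + |27|erty|27| + |22|change|22 5D| is ["onprop" + 'erty' + "change"], so only
# that exact string-split obfuscation of onpropertychange is caught; X-UA-Compatible/IE=,
# CollectGarbage and contentEditable are plain case-(in)sensitive presence checks.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt"; flow:to_server,established; file_data; content:"X-UA-Compatible"; nocase; content:"IE="; within:20; content:"|5B 22|onprop|22| + |27|erty|27| + |22|change|22 5D|"; fast_pattern:only; content:"CollectGarbage"; content:"contentEditable"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1705; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-043; classtype:attempted-user; sid:49806; rev:2;)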
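# sid 49805: CVE-2015-1705 / MS15-043 IE Element UAF, client side. rev 2 changes classtype from
# attempted-admin to attempted-user to match how every sibling IE/Edge memory-corruption rule
# in this file classifies the same user-context code execution. Fast pattern is the PoC's
# string-split ["onprop" + 'erty' + "change"] (|5B 22|onprop|22| + |27|erty|27| + |22|change|22 5D|);
# any other spelling of onpropertychange evades. CollectGarbage and contentEditable are
# case-sensitive presence checks.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt"; flow:to_client,established; file_data; content:"X-UA-Compatible"; nocase; content:"IE="; within:20; content:"|5B 22|onprop|22| + |27|erty|27| + |22|change|22 5D|"; fast_pattern:only; content:"CollectGarbage"; content:"contentEditable"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1705; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-043; classtype:attempted-user; sid:49805; rev:2;)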
# sid 49871 (disabled; drops only in max-detect): CVE-2014-6351 CQuotes UAF, SMTP side. The fast
# pattern is the PoC's obfuscated tag name: "iframe".substr(1,5) + 'settings'.substr(0,3)
# evaluates to "frame" + "set" = "frameset". Only that exact construction (and the literal
# .style['quotes']) is matched; any other way of spelling frameset evades.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt"; flow:to_server,established; file_data; content:".style['quotes']"; content:"iframe|22|.substr(1,5) + 'settings'.substr(0,3)"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-6351; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:49871; rev:1;)
# sid 49870 (disabled; drops only in max-detect): client-side twin of sid 49871 for
# CVE-2014-6351. Fast pattern is the PoC's "iframe".substr(1,5) + 'settings'.substr(0,3), i.e.
# "frame" + "set" = "frameset"; with .style['quotes'] the only other check, any re-spelling of
# frameset evades.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt"; flow:to_client,established; file_data; content:".style['quotes']"; content:"iframe|22|.substr(1,5) + 'settings'.substr(0,3)"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6351; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-065; classtype:attempted-user; sid:49870; rev:1;)
# sid 49869 (disabled; drops only in max-detect): CVE-2016-7286, client side. The pcre carries
# the O modifier, which overrides the engine's configured PCRE match/recursion limits, and
# combines it with a recursive balanced-parenthesis group ((?1)); that removes the usual
# ReDoS guard, so a long SIMD.* / toLocaleString( argument list can cost real CPU on the
# sensor. Keep disabled unless profiled against representative traffic.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge SIMD memory corruption attempt"; flow:to_client,established; file_data; content:"SIMD."; fast_pattern:only; content:"toLocaleString("; pcre:"/toLocaleString\x28[^\x3b]*?(\x28(?>[^\x28\x29]|(?1))*\x29)?\x2c[^\x3b]*(\x28(?>[^\x28\x29]|(?1))*\x29)?\x2c/Oi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7286; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-145; classtype:attempted-user; sid:49869; rev:1;)
# sid 49868 (disabled; drops only in max-detect): SMTP twin of sid 49869 for CVE-2016-7286.
# Same pcre with the O modifier (overrides PCRE match/recursion limits) plus a recursive (?1)
# balanced-parenthesis group -- no ReDoS guard, so adversarial mail bodies with "SIMD." and a
# long toLocaleString( argument list can be CPU-expensive. Profile before enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge SIMD memory corruption attempt"; flow:to_server,established; file_data; content:"SIMD."; fast_pattern:only; content:"toLocaleString("; pcre:"/toLocaleString\x28[^\x3b]*?(\x28(?>[^\x28\x29]|(?1))*\x29)?\x2c[^\x3b]*(\x28(?>[^\x28\x29]|(?1))*\x29)?\x2c/Oi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-7286; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-145; classtype:attempted-user; sid:49868; rev:1;)
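# sid 49863 (disabled; drops only in max-detect): CVE-2016-3382 eval type confusion, SMTP side.
# rev 2 adds content:"removeEventListener"; fast_pattern; -- the pcre already requires that
# token, so the set of matching payloads is unchanged, but before this change the 4-byte "eval"
# was the longest content and therefore the prefilter, which fires on nearly every script.
# The two "eval" contents (second relative, distance:0) and the case-sensitive /s pcre are kept.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer eval type confusion attempt"; flow:to_server,established; file_data; content:"removeEventListener"; fast_pattern; content:"eval"; content:"eval"; distance:0; pcre:"/eval\s*=\s*removeEventListener.*?eval\(/s"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-3382; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:49863; rev:2;)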
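# sid 49862 (disabled; drops only in max-detect): CVE-2016-3382 eval type confusion, client side.
# rev 2 adds content:"removeEventListener"; fast_pattern; so the prefilter is no longer the
# 4-byte "eval" (previously the longest content, hence the implicit fast pattern, present in
# most JavaScript). The pcre already required removeEventListener, so what matches is unchanged;
# the two "eval" contents and the case-sensitive /s pcre are kept as they were.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer eval type confusion attempt"; flow:to_client,established; file_data; content:"removeEventListener"; fast_pattern; content:"eval"; content:"eval"; distance:0; pcre:"/eval\s*=\s*removeEventListener.*?eval\(/s"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3382; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-119; classtype:attempted-user; sid:49862; rev:2;)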
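# sid 49887 (disabled; drops only in max-detect; classtype policy-violation, i.e. this flags use
# of the OlePrn.OleCvt ProgID at all rather than a specific exploit). rev 2 adds nocase to both
# contents: VBScript's CreateObject and COM ProgIDs are case-insensitive, so
# createobject("oleprn.olecvt") previously evaded. within:25 still requires the ProgID to end
# within 25 bytes after CreateObject. JScript instantiation via new ActiveXObject("OlePrn.OleCvt")
# or a CLSID is not covered by this rule.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Windows IOleCvt interface use attempt"; flow:to_client,established; file_data; content:"CreateObject"; nocase; content:"OlePrn.OleCvt"; within:25; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0845; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0845; classtype:policy-violation; sid:49887; rev:2;)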
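# sid 49886 (disabled; drops only in max-detect; classtype policy-violation -- flags any use of
# the OlePrn.OleCvt ProgID, not a specific exploit), SMTP twin of sid 49887. rev 2 adds nocase
# to both contents because VBScript's CreateObject and COM ProgIDs are case-insensitive and a
# re-cased call previously evaded. new ActiveXObject("OlePrn.OleCvt") from JScript and CLSID
# instantiation remain uncovered.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Windows IOleCvt interface use attempt"; flow:to_server,established; file_data; content:"CreateObject"; nocase; content:"OlePrn.OleCvt"; within:25; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2019-0845; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0845; classtype:policy-violation; sid:49886; rev:2;)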