# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# BROWSER-OTHER RULES
#---------------------
# sid:26490 rev:4 — ENABLED (drop in balanced-ips / security-ips). Inbound SMTP (to $SMTP_SERVERS:25) file_data
# holding a "nim:import?" URI whose filename= value runs at least 485 bytes with no quote, '>' or whitespace
# (isdataat:486,relative plus the negated '>' within 486, confirmed by the pcre {485} quantifier).
# Novell Messenger client nim: URI-handler overflow, CVE-2013-1085. sid:26489 is the same check on the
# client-side file path.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt"; flow:to_server,established; file_data; content:"nim:import?"; fast_pattern; nocase; content:"filename="; distance:0; nocase; isdataat:486,relative; content:!">"; within:486; pcre:"/nim:import\?[^\x22\x27>\s]*?filename=[^\x22\x27>\s]{485}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1085; reference:url,www.novell.com/support/kb/doc.php?id=7011935; classtype:attempted-user; sid:26490; rev:4;)
# sid:26489 rev:4 — ENABLED (drop in balanced-ips / security-ips). Client-side twin of sid:26490: the same
# "nim:import? ... filename=<485+ bytes without quote, '>' or whitespace>" check, applied to file_data
# delivered over ftp-data/http/imap/pop3 ($FILE_DATA_PORTS -> $HOME_NET). CVE-2013-1085.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt"; flow:to_client,established; file_data; content:"nim:import?"; fast_pattern; nocase; content:"filename="; distance:0; nocase; isdataat:486,relative; content:!">"; within:486; pcre:"/nim:import\?[^\x22\x27>\s]*?filename=[^\x22\x27>\s]{485}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1085; reference:url,www.novell.com/support/kb/doc.php?id=7011935; classtype:attempted-user; sid:26489; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera browser window null pointer dereference attempt"; flow:to_client,established; file_data; content:"window.open|28|"; content:"document.createElement|28|"; within:50; nocase; content:"document.body.appendChild|28|"; within:50; nocase; content:".close|28|"; within:50; nocase; content:"document.cloneNode|28|"; within:50; nocase; metadata:service http; reference:bugtraq,46872; classtype:attempted-user; sid:25653; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_server,established; file_data; content:"window.opera.collect|28 29|"; fast_pattern:only; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use"; within:3; distance:2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:service smtp; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25622; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_client,established; file_data; content:"window.opera.collect|28 29|"; fast_pattern:only; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use"; within:3; distance:2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25621; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER suspicious named empty form detected"; flow:to_client,established; file_data; content:"<form "; content:"</form>"; within:30; pcre:"/<form\s*id\s*=\s*\x22[^\x22]*\x22\s*>\s*<\x2fform>/smi"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:25124; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-OTHER Puffin Browser usage detected"; flow:to_server,established; content:"X-Puffin-UA|3A| "; fast_pattern:only; http_header; metadata:service http; reference:url,www.puffinbrowser.com; classtype:policy-violation; sid:24474; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:"Uint8ClampedArray(1024*1024)|3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24433; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:" for"; content:"document.createElement(|27|canvas|27|)"; within:100; nocase; content:"getContext(|27|2d|27|)"; within:200; nocase; content:"createImageData("; within:200; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24432; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera Web Browser History Search Input validation vulnerability"; flow:established,to_client; file_data; content:"<html"; content:"#<script"; distance:0; fast_pattern; content:"</html>"; distance:0; metadata:service http; reference:bugtraq,31869; reference:cve,2008-4696; classtype:attempted-user; sid:21399; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Multiple web browser window injection attempt"; flow:to_client,established; file_data; content:"onunload"; fast_pattern; content:"open"; nocase; pcre:"/(\S*)onunload\s*\x3D\s*([^\x3B]*)\x3B\s*\x7D\s*function\2\s*\x28\s*\x29\s*\x7B[^\x7D]*\1open[^\x7D]*\x7D/smi"; metadata:service http; reference:cve,2004-1155; classtype:misc-attack; sid:20743; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera Config File script access attempt"; flow:to_client,established; file_data; content:"opera|3A|config"; fast_pattern; nocase; content:"opera|3A|cache"; nocase; metadata:service http; classtype:attempted-user; sid:20535; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera asynchronous document modifications attempted memory corruption"; flow:to_client,established; file_data; content:"function loop|28 29|"; content:"setInterval|28|doit,0|29|"; distance:0; content:"function doit|28 29|"; distance:0; content:"document.write"; distance:0; content:"setInterval|28|loop,0|29|"; distance:0; metadata:service http; reference:url,secunia.com/advisories/39590/; reference:url,www.opera.com/support/kb/view/953/; classtype:attempted-user; sid:16592; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Mozilla Netscape XMLHttpRequest local file read attempt"; flow:to_client,established; file_data; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; metadata:ruleset community, service http; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:1735; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BROWSER-OTHER Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:15;)
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"BROWSER-OTHER Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:14;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"BROWSER-OTHER known revoked certificate for Tresor CA"; flow:to_client,established; ssl_state:server_hello; content:"|30 82 03 6C 30 82 02 54 A0 03 02 01 02 02 03 03 1D A7|"; fast_pattern:only; content:"130718100528Z|17 0D|140718100528Z"; content:"AC DG Tr|C3 A9|sor SSL"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:url,technet.microsoft.com/en-us/security/advisory/2916652; classtype:bad-unknown; sid:28893; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt"; flow:to_server,established; file_data; content:"srcElement.parentNode.removeChild"; pcre:"/srcElement\x2eparentNode\x2eremoveChild\s*\x28[^\x29]*srcElement/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:30959; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt"; flow:to_client,established; file_data; content:"srcElement.parentNode.removeChild"; pcre:"/srcElement\x2eparentNode\x2eremoveChild\s*\x28[^\x29]*srcElement/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:30958; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Android WebView same origin policy bypass attempt"; flow:to_client,established; file_data; content:"window.open"; content:"00javascript|3A|"; within:30; content:"document"; within:50; reference:bugtraq,69548; reference:cve,2014-6041; classtype:misc-activity; sid:32029; rev:2;)
# sid:32375 rev:3 — disabled. Matches a directory listing ("total " within the first 6 bytes, then CRLF
# followed by 'l' within 20 bytes and " -> " within 100, i.e. a symlink entry) flowing to_client from
# $EXTERNAL_NET on ANY port; only the metadata narrows it to service ftp-data. GNU Wget symlink
# arbitrary file write, CVE-2014-4877.
# NOTE(review): with any -> any ports and no file_data / flowbit gate, this plain-text listing match
# is likely to be broad — confirm the false-positive rate before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-OTHER WGet symlink arbitrary file write attempt"; flow:to_client,established; content:"total "; depth:6; content:"|0D 0A|l"; within:20; content:" -> "; within:100; metadata:policy max-detect-ips drop, service ftp-data; reference:bugtraq,70751; reference:cve,2014-4877; classtype:attempted-user; sid:32375; rev:3;)
# sid:32525 rev:3 — ENABLED, but alerts nothing on its own (flowbits:noalert). Outbound HTTP with a
# "User-Agent: tnftp/" header sets the flowbit "tnftp" for the FreeBSD tnftp consumer rules
# sid:32524 and sid:32523 below, both of which are commented out in this file; until one of them is
# enabled this rule only tags the session.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-OTHER FreeBSD tnftp client detected"; flow:to_server,established; content:"User-Agent|3A| tnftp/"; fast_pattern:only; http_header; flowbits:set,tnftp; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; sid:32525; rev:3;)
# sid:32524 rev:3 — disabled. Requires flowbit "tnftp" (set by sid:32525 above) and a Location: response
# header whose value contains "/|" (raw pipe); the pcre is anchored on the header line (H flag).
# FreeBSD tnftp fetch_url command injection, CVE-2014-8517. sid:32523 is the %7C-encoded variant.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt"; flow:to_client,established; flowbits:isset,tnftp; content:"Location|3A|"; http_header; content:"/|7C|"; distance:0; fast_pattern; http_header; pcre:"/^Location\x3a\s[^\s\r\n]+?\x2f\x7c/Hmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,70792; reference:cve,2014-8517; classtype:attempted-user; sid:32524; rev:3;)
# sid:32523 rev:3 — disabled. Same gate as sid:32524 (flowbit "tnftp" from sid:32525) but matches the
# percent-encoded form "/%7C" in the Location: header, case-insensitive. CVE-2014-8517.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt"; flow:to_client,established; flowbits:isset,tnftp; content:"Location|3A|"; http_header; content:"/%7C"; distance:0; fast_pattern; nocase; http_header; pcre:"/^Location\x3a\s[^\s\r\n]+?\x2f%7C/Hmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,70792; reference:cve,2014-8517; classtype:attempted-user; sid:32523; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-OTHER Microsoft Internet Explorer cross site scripting filter bypass attempt"; flow:to_server,established; content:"%U00"; fast_pattern:only; content:"%U00"; http_raw_uri; pcre:"/(script|onload|src|alert)/Ii"; metadata:service http; reference:cve,2014-6328; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-080; classtype:attempted-user; sid:32713; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"BROWSER-OTHER Network Security Services NSS library RSA signature forgery attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|2A 86 48 86 F7 0D 01 01 05|"; fast_pattern; content:"|03|"; within:1; distance:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:20; distance:3; metadata:service ssl; reference:bugtraq,70116; reference:cve,2014-1568; reference:url,googlechromereleases.blogspot.ca/2014/09/stable-channel-update_24.html; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2014-73/; classtype:misc-activity; sid:33664; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Opera SVG use after free memory corruption attempt"; flow:to_server,established; content:"filename="; nocase; content:".svg"; within:100; nocase; file_data; content:"clip-path="; nocase; content:"xlink:href="; within:90; nocase; content:"getElementById"; distance:0; nocase; content:"setAttribute"; within:30; nocase; content:"clip-path"; within:12; nocase; metadata:service smtp; reference:bugtraq,57633; reference:cve,2013-1638; classtype:attempted-dos; sid:34171; rev:3;)
# sid:34170 rev:2 — disabled. Requires flowbit "file.svg", whose setter is not in this file (presumably a
# file-identify rule) — enabling this rule without that setter produces no alerts. Matches file_data
# with clip-path= followed by xlink:href= within 90 bytes, then getElementById, setAttribute within 30
# and clip-path within 12. Opera SVG use-after-free, CVE-2013-1638; sid:34171 is the SMTP variant,
# keyed on a ".svg" filename instead of the flowbit.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera SVG use after free memory corruption attempt"; flow:to_client,established; flowbits:isset,file.svg; file_data; content:"clip-path="; nocase; content:"xlink:href="; within:90; nocase; content:"getElementById"; distance:0; nocase; content:"setAttribute"; within:30; nocase; content:"clip-path"; within:12; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,57633; reference:cve,2013-1638; classtype:attempted-dos; sid:34170; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER local loopback address in html"; flow:to_client,established; file_data; content:"http|3A 2F 2F|127."; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,tools.ietf.org/html/rfc990; classtype:unknown; sid:26879; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera file URI handling buffer overflow"; flow:to_client,established; file_data; content:"var file = |22|file|3A 2F 2F 22 3B 0A 0A|"; nocase; content:"var i = 0|3B| i<16438|3B|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32323; reference:cve,2008-5178; classtype:attempted-user; sid:18597; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera file URI handling buffer overflow"; flow:to_client,established; file_data; content:"file|3A 2F 2F|"; fast_pattern:only; pcre:"/(src|href)\s*=\s*(\x22|\x27|)file\x3a\x2f\x2f[^\s\x22\x27]{900}/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32323; reference:cve,2008-5178; classtype:attempted-user; sid:17725; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera browser document writing uninitialized memory access attempt"; flow:to_client,established; file_data; content:"document.write"; content:"setInterval"; fast_pattern:only; pcre:"/function\s+(?P<func>[a-z\x5F]+).+?\x7B[^\x7D]+?document\x2Ewrite[^\x7D]+?setInterval\x28(?P=func)/is"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39855; reference:cve,2010-1728; classtype:attempted-user; sid:17165; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera Content-Length header integer overflow attempt"; flow:to_client,established; content:"Content-Length"; nocase; http_header; pcre:"/^Content-Length\s*\x3A\s*[^\n]{20}/miH"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38519; reference:cve,2010-1349; reference:url,www.hack0wn.com/view.php?xroot=672.0&cat=exploits; classtype:attempted-user; sid:16481; rev:12;)
# alert tcp $EXTERNAL_NET [8088,$HTTP_PORTS] -> $HOME_NET any (msg:"BROWSER-OTHER Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt"; flow:to_client,established; content:"Transfer-Encoding"; nocase; http_header; content:"chunked"; fast_pattern; nocase; http_header; pkt_data; pcre:"/^Transfer-Encoding\s*\x3a\s*chunked.*\n0*[8-9a-f][0-9a-f]{7}\s*\n/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35462; reference:cve,2005-2922; reference:cve,2009-0086; reference:cve,2009-2121; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-013; classtype:attempted-user; sid:15462; rev:20;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Google Chrome invalid URI denial of service attempt"; flow:to_client,established; file_data; content:"href"; content:"%0%30"; within:45; metadata:service http; reference:url,code.google.com/p/chromium/issues/detail?id=533361; classtype:denial-of-service; sid:36378; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Google Chrome invalid URI denial of service attempt"; flow:to_client,established; file_data; content:"href"; content:"%%30"; within:45; metadata:service http; reference:url,code.google.com/p/chromium/issues/detail?id=533361; classtype:denial-of-service; sid:36377; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Apple iOS CoreGraphics library PDF embedded image handling information leak attempt"; flow:to_client,established; file_data; content:"dyld_shared_cache_offset"; fast_pattern:only; content:"createElement"; nocase; content:"canvas"; within:20; nocase; content:".drawImage"; within:500; nocase; content:"getImageData"; within:250; nocase; metadata:service http; reference:bugtraq,69915; reference:cve,2014-4378; reference:url,support.apple.com/en-us/HT204532; classtype:attempted-recon; sid:38135; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER ICY HTTP version evasion attempt"; flow:to_client,established; content:"ICY 200 "; depth:8; content:!"icy-"; nocase; metadata:policy max-detect-ips drop, service http; classtype:non-standard-protocol; sid:38382; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER HTTP characters prior to header evasion attempt"; flow:to_client,established; content:"http"; depth:24; fast_pattern; nocase; content:!"http"; depth:4; nocase; pcre:"/^.{1,20}HTTP\s*\x2f\s*[12]\.[01]/i"; metadata:policy max-detect-ips drop, service http; classtype:non-standard-protocol; sid:38381; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt"; flow:to_client,established; file_data; content:"<Novell>"; content:"<folder"; fast_pattern; nocase; content:"name"; within:50; content:"|27|"; within:50; isdataat:200,relative; pcre:"/folder\s*name\s*=\s*[\x27][^\x27]{200}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,52062; classtype:attempted-user; sid:39709; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt"; flow:to_server,established; file_data; content:"<Novell>"; content:"<folder"; fast_pattern; nocase; content:"name"; within:50; content:"|27|"; within:50; isdataat:200,relative; pcre:"/folder\s*name\s*=\s*[\x27][^\x27]{200}/i"; metadata:service smtp; reference:bugtraq,52062; classtype:attempted-user; sid:39708; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt"; flow:to_client,established; file_data; content:"<Novell>"; content:"<folder"; fast_pattern; nocase; content:"name"; within:50; content:"|22|"; within:50; isdataat:200,relative; pcre:"/folder\s*name\s*=\s*[\x22][^\x22]{200}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,52062; classtype:attempted-user; sid:39707; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt"; flow:to_server,established; file_data; content:"<Novell>"; content:"<folder"; fast_pattern; nocase; content:"name"; within:50; content:"|22|"; within:50; isdataat:200,relative; pcre:"/folder\s*name\s*=\s*[\x22][^\x22]{200}/i"; metadata:service smtp; reference:bugtraq,52062; classtype:attempted-user; sid:39706; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Android Browser potential denial of service attempt"; flow:to_client,established; content:"market|3A|//"; fast_pattern:only; content:"createElement("; content:"iframe"; within:7; content:"src"; distance:0; content:"market|3A|//"; within:15; metadata:service http; reference:cve,2012-6301; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/android/android_stock_browser_iframe.rb; classtype:denial-of-service; sid:40361; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Android browser file exfiltration attempt"; flow:to_client,established; file_data; content:"file:///data/data/com.android.browser/"; fast_pattern:only; nocase; content:"javascript://"; nocase; metadata:service http; reference:url,android.googlesource.com/platform/packages/apps/Browser/+/d2391b492dec778452238bc6d9d549d56d41c107%5E%21/#F0; classtype:attempted-recon; sid:40458; rev:1;)
# sid:41408 rev:3 — ENABLED (drop in balanced / max-detect / security IPS). Inbound SMTP file_data with
# CustomEvent ... "connect" (within 50), CustomEvent ... "message" (within 50), "message_type" ...
# "launch_meeting" (within 50), and a "GpcComponentName" that is NOT followed within 20 bytes by
# "YXRtY2NsaS5ETEw=" (base64 of "atmccli.DLL" — presumably the legitimate component, so any other
# name triggers). Cisco WebEx browser extension command execution, CVE-2017-3823 / CVE-2017-6753.
# NOTE(review): "file_data;" appears twice at the start of the option list; the client-side twin
# sid:41407 has it once. Redundant rather than harmful, but worth dropping on the next rev bump.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Cisco WebEx extension command execution attempt"; flow:to_server,established; file_data; file_data; content:"CustomEvent"; nocase; content:"connect"; within:50; nocase; content:"CustomEvent"; nocase; content:"message"; within:50; nocase; content:"message_type"; nocase; content:"launch_meeting"; within:50; nocase; content:"GpcComponentName"; fast_pattern; content:!"YXRtY2NsaS5ETEw="; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3823; reference:cve,2017-6753; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex; classtype:attempted-admin; sid:41408; rev:3;)
# sid:41407 rev:3 — ENABLED (drop in balanced / max-detect / security IPS). Client-side twin of sid:41408
# over ftp-data/http/imap/pop3 file_data: the same CustomEvent/connect, CustomEvent/message and
# message_type/launch_meeting sequence, with "GpcComponentName" not followed within 20 bytes by
# "YXRtY2NsaS5ETEw=" (base64 of "atmccli.DLL"). CVE-2017-3823 / CVE-2017-6753.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Cisco WebEx extension command execution attempt"; flow:to_client,established; file_data; content:"CustomEvent"; nocase; content:"connect"; within:50; nocase; content:"CustomEvent"; nocase; content:"message"; within:50; nocase; content:"message_type"; nocase; content:"launch_meeting"; within:50; nocase; content:"GpcComponentName"; fast_pattern; content:!"YXRtY2NsaS5ETEw="; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3823; reference:cve,2017-6753; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex; classtype:attempted-admin; sid:41407; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Apple Safari nested xml tag denial of service attempt"; flow:to_server,established; file_data; content:">|5C|<"; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; metadata:service smtp; reference:cve,2009-1233; classtype:denial-of-service; sid:43517; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Apple Safari nested xml tag denial of service attempt"; flow:to_client,established; file_data; content:">|5C|<"; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-1233; classtype:denial-of-service; sid:43516; rev:1;)
# sid:43080 rev:1 — ENABLED, flowbit setter only (flowbits:noalert). Outbound HTTP carrying a
# "User-Agent: Foscam" header sets flowbit "foscam_ua". No rule in this file reads that flowbit, so
# the consumer presumably lives in another rules file; on its own this rule never alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-OTHER Foscam IP Camera User-Agent string detected"; flow:to_server,established; content:"User-Agent: Foscam"; fast_pattern:only; http_header; flowbits:set,foscam_ua; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:43080; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Opera animation element denial of service attempt"; flow:to_server,established; file_data; content:"<svg"; nocase; content:"<animation"; nocase; content:"xlink:href"; within:25; nocase; content:"#"; within:5; metadata:service smtp; reference:url,support.ixiacom.com/strikes/denial/browser/opera_svg_animation_element_denial.xml; classtype:denial-of-service; sid:43827; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera animation element denial of service attempt"; flow:to_client,established; file_data; content:"<svg"; nocase; content:"<animation"; nocase; content:"xlink:href"; within:25; nocase; content:"#"; within:5; metadata:service ftp-data, service http, service imap, service pop3; reference:url,support.ixiacom.com/strikes/denial/browser/opera_svg_animation_element_denial.xml; classtype:denial-of-service; sid:43826; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Apple Safari document.write buffer overflow attempt"; flow:to_server,established; file_data; content:"=1|3B|while("; nocase; content:"++) document.write("; within:50; fast_pattern; isdataat:1000,relative; content:!")"; within:1000; metadata:service smtp; reference:cve,2008-2000; classtype:attempted-admin; sid:44051; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Apple Safari document.write buffer overflow attempt"; flow:to_client,established; file_data; content:"=1|3B|while("; nocase; content:"++) document.write("; within:50; fast_pattern; isdataat:1000,relative; content:!")"; within:1000; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2008-2000; classtype:attempted-admin; sid:44050; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Adobe Acrobat Pro WebCapture information disclosure attempt"; flow:to_server,established; file_data; content:"<keygen"; content:"challange"; within:100; content:"|5C|8}spA|28|"; within:25; fast_pattern; metadata:service smtp; reference:cve,2017-16408; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:45043; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Adobe Acrobat Pro WebCapture information disclosure attempt"; flow:to_client,established; file_data; content:"<keygen"; content:"challange"; within:100; content:"|5C|8}spA|28|"; within:25; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16408; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:45042; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER IBM Notes denial of service attempt"; flow:to_client,established; file_data; content:"setInterval(|22|f.click()|22|, 1)|3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,100632; reference:cve,2017-1130; reference:url,ibm.com/support/docview.wss?uid=swg21999384; classtype:denial-of-service; sid:45257; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER IBM Notes denial of service attempt"; flow:to_server,established; file_data; content:"setInterval(|22|f.click()|22|, 1)|3B|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,100632; reference:cve,2017-1130; reference:url,ibm.com/support/docview.wss?uid=swg21999384; classtype:denial-of-service; sid:45256; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Apple Safari javascript mutlibyte character escaping denial of service attempt"; flow:to_server,established; file_data; content:"String.fromCharCode(257)"; fast_pattern:only; content:"escape("; metadata:policy max-detect-ips drop, service smtp; reference:url,www.apple.com/safari/; classtype:denial-of-service; sid:45355; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Apple Safari javascript mutlibyte character escaping denial of service attempt"; flow:to_client,established; file_data; content:"String.fromCharCode(257)"; fast_pattern:only; content:"escape("; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.apple.com/safari/; classtype:denial-of-service; sid:45354; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Multiple browser long unicode string denial of service attempt"; flow:to_server,established; file_data; content:"unescape(|22|%u"; fast_pattern; content:"unescape(|22|%u"; within:200; content:"<body onLoad"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:url,www.exploit-db.com/exploits/12493/; classtype:denial-of-service; sid:45303; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Multiple browser long unicode string denial of service attempt"; flow:to_client,established; pkt_data; content:"unescape(|22|%u"; fast_pattern; content:"unescape(|22|%u"; within:200; file_data; content:"<body onLoad"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.exploit-db.com/exploits/12493/; classtype:denial-of-service; sid:45302; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Mozilla Firefox table object integer underflow"; flow:to_server,established; file_data; content:"WebAssembly.Table("; content:".grow("; within:500; metadata:service smtp; reference:cve,2018-5093; classtype:attempted-admin; sid:46399; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Mozilla Firefox table object integer underflow"; flow:to_client,established; file_data; content:"WebAssembly.Table("; content:".grow("; within:500; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5093; classtype:attempted-admin; sid:46398; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER HTTP encoding header evasion attempt"; flow:to_client,established; content:"|0D 0D|Content-Encoding"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:policy-violation; sid:46444; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER HTTP encoding header evasion attempt"; flow:to_client,established; content:"|0D 0D|Transfer-Encoding"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:policy-violation; sid:46443; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Electron nodeIntegration bypass exploit attempt"; flow:to_server, established; file_data; content:"new WebView"; content:"setAttribute("; within:400; distance:-200; content:"webpreferences"; within:400; distance:-200; nocase; content:"nodeIntegration=yes"; within:400; distance:-200; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1000136; reference:url,www.electronjs.org/blog/webview-fix; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/; classtype:attempted-user; sid:46855; rev:1;)
# Disabled by default. Client-side (to_client) twin of sid 46855 for CVE-2018-1000136, same
# four-token test (`new WebView`, `setAttribute(`, `webpreferences` nocase, `nodeIntegration=yes`)
# with a roughly +/-200-byte window between consecutive matches. As in sid 46855,
# `flow:to_client, established` carries a space after the comma, unlike the rest of the file.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Electron nodeIntegration bypass exploit attempt"; flow:to_client, established; file_data; content:"new WebView"; content:"setAttribute("; within:400; distance:-200; content:"webpreferences"; within:400; distance:-200; nocase; content:"nodeIntegration=yes"; within:400; distance:-200; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1000136; reference:url,www.electronjs.org/blog/webview-fix; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/; classtype:attempted-user; sid:46854; rev:1;)
# Enabled; drops in the balanced, max-detect and security policies (CVE-2018-8278 / CVE-2018-11646).
# SMTP (to_server) twin of sid 47119. Ordered JS sequence in the file buffer: `window.open(` ->
# `.document.execCommand(` within 100 bytes (fast pattern) -> `stop` within 20 bytes, nocase ->
# `.document.close(` within 100 bytes. Only `stop` is case-insensitive, presumably because
# execCommand command names are matched case-insensitively while JS identifiers are not.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Microsoft Edge url spoofing attempt"; flow:to_server,established; file_data; content:"window.open("; content:".document.execCommand("; within:100; fast_pattern; content:"stop"; within:20; nocase; content:".document.close("; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-11646; reference:cve,2018-8278; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8278; classtype:attempted-user; sid:47120; rev:3;)
# Enabled; drops in the balanced, max-detect and security policies (CVE-2018-8278 / CVE-2018-11646).
# Client-side (to_client) twin of sid 47120 covering ftp-data, http, imap and pop3, with the same
# ordered sequence: `window.open(` -> `.document.execCommand(` (fast pattern) -> `stop` nocase ->
# `.document.close(`. The tight within: windows (100/20/100) keep this specific to the one-liner
# pattern rather than any page that merely calls window.open.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Microsoft Edge url spoofing attempt"; flow:to_client,established; file_data; content:"window.open("; content:".document.execCommand("; within:100; fast_pattern; content:"stop"; within:20; nocase; content:".document.close("; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-11646; reference:cve,2018-8278; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8278; classtype:attempted-user; sid:47119; rev:3;)
# Disabled by default. Exact 32-byte sample signature (`fast_pattern:only`, nothing else tested),
# so it catches this one payload rather than the underlying CVE-2012-6470 condition; sid 49114 is
# the structural check for the same CVE. SMTP twin of this rule is sid 49113.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera GIF parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"|12 0C BB F9 FB 08 14 10 81 A3 C0 8D 9B 07 55 F6 1C 33 90 0E D5 84 38 7A BE E8 E9 37 00 A1 13 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-6470; classtype:attempted-user; sid:49115; rev:1;)
# Disabled by default (max-detect policy only). Structural GIF check for CVE-2012-6470 on the
# client side (SMTP twin: sid 49112). The offsets follow the GIF89a layout: `GIF8` header;
# packed byte 0x86 at offset 10 (global color table flag set, size field 6 -> 128 entries * 3
# bytes = 384, which is exactly the following distance:384 skip); 0x00 pixel-aspect byte at
# offset 12; then the image descriptor 0x2C with left/top = 0, width/height skipped
# (distance:4), packed 0x00 (no local color table), LZW minimum code size 7, and two
# consecutive 0xFE-length data sub-blocks, the second found via distance:253 (254 data bytes
# minus the one already matched). Presumably this block/code-size combination is the
# underflow trigger; confirm against the advisory before re-enabling.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera GIF parsing buffer underflow attempt"; flow:to_client,established; file_data; content:"GIF8"; depth:4; content:"|86|"; within:1; distance:6; content:"|00|"; within:1; distance:1; content:"|2C 00 00 00 00|"; within:5; distance:384; content:"|00 07 FE 80|"; within:4; distance:4; content:"|FE|"; within:1; distance:253; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-6470; classtype:attempted-user; sid:49114; rev:2;)
# Disabled by default. SMTP (to_server) twin of sid 49115: the same exact 32-byte sample
# signature with `fast_pattern:only`, so it matches one specific payload for CVE-2012-6470 and
# not the general condition; sid 49112 is the structural SMTP-side check.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Opera GIF parsing buffer overflow attempt"; flow:to_server,established; file_data; content:"|12 0C BB F9 FB 08 14 10 81 A3 C0 8D 9B 07 55 F6 1C 33 90 0E D5 84 38 7A BE E8 E9 37 00 A1 13 02|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-6470; classtype:attempted-user; sid:49113; rev:1;)
# Disabled by default (max-detect policy only). SMTP (to_server) twin of sid 49114 for
# CVE-2012-6470, with the identical structural GIF test: `GIF8` header, packed byte 0x86 at
# offset 10 (global color table of 128 entries = 384 bytes, matching distance:384), then the
# image descriptor 0x2C at left/top 0, no local color table, LZW minimum code size 7, and two
# consecutive 0xFE-length data sub-blocks. See the sid 49114 comment for the offset derivation.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Opera GIF parsing buffer underflow attempt"; flow:to_server,established; file_data; content:"GIF8"; depth:4; content:"|86|"; within:1; distance:6; content:"|00|"; within:1; distance:1; content:"|2C 00 00 00 00|"; within:5; distance:384; content:"|00 07 FE 80|"; within:4; distance:4; content:"|FE|"; within:1; distance:253; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-6470; classtype:attempted-user; sid:49112; rev:2;)