snort2-docker/docker/etc/rules/browser-webkit.rules
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#----------------------
# BROWSER-WEBKIT RULES
#----------------------
# NOTE: every rule in this file is shipped commented out (each line begins with "# alert"),
# so loading this file as-is yields no alerts for the CVEs referenced below. A rule only
# becomes active once its leading "# " is removed and the rule set is reloaded.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Google Chrome and Apple Safari CSS float use-after-free attempt"; flow:to_server,established; file_data; content:"document.body.offsetTop"; nocase; content:"absolute"; within:125; nocase; content:"absolute"; within:125; nocase; content:"document.body.offsetTop"; within:200; nocase; pcre:"/var\s+(?P<element1>\w+)\s*?=\s*?document\.getElementById.*?var\s+(?P<element2>\w+)\s*?=\s*?(?P=element1).style.*?(?P=element2)\.height\s*?=\s*?[\x22\x27]\d/si"; metadata:service smtp; reference:bugtraq,48960; reference:cve,2011-2790; classtype:attempted-user; sid:29812; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Google Chrome and Apple Safari CSS float use-after-free attempt"; flow:to_server,established; file_data; content:"float:"; content:"document.body.offsetTop"; nocase; content:"absolute"; content:"document.body.offsetTop"; nocase; pcre:"/body\.offsetTop\x3b.*?\.position\s*?=\s*?[\x22\x27]absolute[\x22\x27].*?\.offsetTop\x3b.*?\.height\s*=.*?\.display\s*=/si"; metadata:service smtp; reference:bugtraq,48960; reference:cve,2011-2790; classtype:attempted-user; sid:29811; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Google Chrome and Apple Safari CSS float use-after-free attempt"; flow:to_client,established; file_data; content:"document.body.offsetTop"; nocase; content:"absolute"; within:125; nocase; content:"absolute"; within:125; nocase; content:"document.body.offsetTop"; within:200; nocase; pcre:"/var\s+(?P<element1>\w+)\s*?=\s*?document\.getElementById.*?var\s+(?P<element2>\w+)\s*?=\s*?(?P=element1).style.*?(?P=element2)\.height\s*?=\s*?[\x22\x27]\d/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48960; reference:cve,2011-2790; classtype:attempted-user; sid:29810; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Google Chrome and Apple Safari CSS float use-after-free attempt"; flow:to_client,established; file_data; content:"float:"; content:"document.body.offsetTop"; nocase; content:"absolute"; content:"document.body.offsetTop"; nocase; pcre:"/body\.offsetTop\x3b.*?\.position\s*?=\s*?[\x22\x27]absolute[\x22\x27].*?\.offsetTop\x3b.*?\.height\s*=.*?\.display\s*=/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48960; reference:cve,2011-2790; classtype:attempted-user; sid:29809; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-WEBKIT Possible Google Chrome Plugin install from non-trusted source"; flow:to_server,established; content:!"googleusercontent"; http_header; content:!"google.com"; http_header; content:"|2F|crx|2F|blobs"; http_uri; content:!"gvt1.com"; http_header; metadata:ruleset community, service http; reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:26658; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt"; flow:to_server,established; file_data; content:"http://icl.com/saxon"; fast_pattern:only; content:":output"; nocase; pcre:"/\s*[^>]file=/iR"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,48840; reference:cve,2011-1774; reference:url,attack.mitre.org/techniques/T1220; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:26592; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari SVG Markers Memory Use-After-Free attempt"; flow:to_client,established; file_data; content:"object_whiteList"; fast_pattern:only; content:"shellcode"; nocase; content:"payload"; distance:0; nocase; content:"shellcode"; within:25; nocase; content:"window.open("; within:50; nocase; content:".svg"; within:25; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46677; reference:cve,2011-1453; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:26259; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari SVG Markers Memory Use-After-Free attempt"; flow:to_client,established; flowbits:isset,file.svg; file_data; content:"marker id"; fast_pattern; nocase; content:"removeChild"; distance:0; nocase; content:"document.getElementById"; within:35; nocase; pcre:"/marker id\s*\x3d\s*["']?(?P<m1>\w+)["'\s].*?marker\x2d(start|mid|end).*?removeChild\s*\x28\s*document\x2egetElementById\x28\s*["']?(?P=m1)["'\s]/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46677; reference:cve,2011-1453; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:26258; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt"; flow:to_server,established; file_data; content:"<style"; nocase; content:"title"; distance:0; nocase; content:"</style>"; distance:0; content:"<script"; distance:0; nocase; content:"<title"; distance:0; nocase; content:"</script"; distance:0; nocase; metadata:service smtp; reference:cve,2012-3684; reference:url,support.apple.com/kb/HT5485; reference:url,support.apple.com/kb/HT5502; reference:url,support.apple.com/kb/HT5503; classtype:attempted-user; sid:25040; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt"; flow:to_server,established; file_data; content:"<style>*"; nocase; content:"</style>"; distance:0; content:"<script"; distance:0; nocase; content:"<title"; distance:0; nocase; content:"</script"; distance:0; nocase; metadata:service smtp; reference:cve,2012-3684; reference:url,support.apple.com/kb/HT5485; reference:url,support.apple.com/kb/HT5502; reference:url,support.apple.com/kb/HT5503; classtype:attempted-user; sid:25039; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari innerHTML use after free exploit attempt"; flow:to_client,established; file_data; content:"setTimeout"; nocase; content:"document.body.innerHTML"; distance:0; nocase; content:"document.getElementById("; distance:0; nocase; content:".innerHTML"; distance:0; nocase; pcre:"/setTimeout.*?\x7b[^\x7d]*document\.body\.innerHTML.*?\x7d.*document\.getElementById\x28(?P<q1>\x22|\x27|)(?P<m1>\w+?)(?P=q1)\x29\.innerHTML.*?div\s+id\s*\x3d\s*(?P<q2>\x22|\x27|)(?P=m1)(?P=q2)/smi"; metadata:service http; reference:bugtraq,48844; reference:cve,2011-0221; classtype:attempted-user; sid:21189; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Webkit Display box rendering corruption attempt"; flow:to_client,established; file_data; content:"-webkit-box"; fast_pattern:only; content:"<script"; nocase; content:"function "; distance:0; nocase; content:".getElementById("; distance:0; nocase; content:".removeChild("; distance:0; nocase; content:".appendChild("; distance:0; nocase; pcre:"/\x2egetelementbyid\x28(?P<m1>\x22|\x27|)(?P<q1>\w+?)(?P=m1).*?\x2eremoveChild\x28(?P<m2>\x22|\x27|)(?P=q1)(?P=m2).*?\x2eappendChild\x28(?P<m3>\x22|\x27|)(?P=q1)(?P=m3)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48960; reference:cve,2011-2818; classtype:attempted-user; sid:20997; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari x-man-page URI terminal escape attempt"; flow:to_client,established; file_data; content:"x-man-page://"; nocase; content:"%1b"; within:100; metadata:service http; reference:bugtraq,13502; reference:cve,2005-1342; classtype:attempted-user; sid:20736; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit SVG memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.svg; content:"|2E|svg"; nocase; content:"documentElement"; distance:0; nocase; pcre:"/\x3cscript.*documentElement\x2e(height|preserveAspectRatio|viewBox|width|x|y)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48844; reference:cve,2011-0222; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:19807; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit SVG memory corruption attempt"; flow:to_client,established; file_data; content:"target|2E|svg"; nocase; content:"arrey_name26|2E|push"; distance:0; nocase; content:"tweak_properties"; distance:0; nocase; metadata:service http; reference:bugtraq,48844; reference:cve,2011-0222; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:19806; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit ParentStyleSheet exploit attempt"; flow:to_client,established; file_data; content:".sheet.rules["; fast_pattern:only; pcre:"/getElementById\(\x22(.*?)\x22\)\.sheet\.rules\[\d+\].*?([A-Z\d_]+)\s*=\s*document\.getElementById\(\x22\1\x22\).*?\s+\2\.parentElement/smi"; metadata:service http; reference:url,svnsearch.org/svnsearch/repos/WEBKIT/search?logMessage=51993; classtype:attempted-user; sid:18508; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|img width=0.3133731337313373133731337"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18295; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"var Overflow = |22|31337|22 20 2B 20|0|2E|313373133731337313373133731337"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18294; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari LI tag with large VALUE attribute exploit attempt"; flow:to_client,established; file_data; content:"<li"; nocase; pcre:"/^[^\x3E]+?value\s*\x3D\s*\d{10}/iR"; metadata:service http; reference:bugtraq,17634; reference:cve,2006-1988; classtype:attempted-user; sid:17218; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari invalid FRAME tag remote code execution attempt"; flow:to_client,established; file_data; content:"<frame"; nocase; content:"scrolling"; within:100; nocase; isdataat:10,relative; content:!"auto"; within:10; nocase; content:!"yes"; within:10; nocase; content:!"no"; within:10; nocase; pcre:"/\x3Cframe([^\x3E]+scrolling\s*\x3D(?!\s*(\x22|\x27)?\s*(yes|no|auto))){2}/i"; metadata:service http; reference:bugtraq,17634; reference:cve,2006-1987; classtype:attempted-user; sid:17217; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari TABLE tag with large CELLSPACING attribute exploit attempt"; flow:to_client,established; file_data; content:"cellspacing"; nocase; pcre:"/^\s*\x3D\s*\d{10}/R"; metadata:service http; reference:bugtraq,17634; reference:cve,2006-1986; classtype:attempted-user; sid:17216; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment"; flow:to_server,established; content:"x-unix-mode"; fast_pattern:only; pcre:"/x-unix-mode\s*\x3D\s*(?(?=\d{4})[0-7]([1357][0-7]{2}|[0-7][1357][0-7]|[0-7]{2}[1357])|([1357][0-7]{2}|[0-7][1357][0-7]|[0-7]{2}[1357]))/smi"; metadata:service smtp; reference:bugtraq,16736; reference:cve,2006-0848; reference:url,www.heise.de/english/newsticker/news/69919; reference:url,www.kb.cert.org/vuls/id/999708; classtype:attempted-user; sid:5714; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit attribute child removal code execution attempt"; flow:to_client,established; file_data; content:"= document.getElementById|28 22|t|22 29|"; fast_pattern; content:"= elem.getAttributeNode|28 27|id|27 29|"; within:50; content:"rows.childNodes|20|setTimeout|28|function|28 29 20 7B|"; within:80; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40642; reference:cve,2010-1119; classtype:attempted-user; sid:29623; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://<"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33631; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://^"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33630; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://|5C|"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33629; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://`"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33628; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://}"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33627; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://|7C|"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33626; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://>"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33625; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://{"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33624; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://%"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33623; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://|22|"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33622; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt"; flow:to_server,established; file_data; content:"<td"; nocase; content:"rowspan"; within:50; nocase; pcre:"/rowspan\s*=\s*[\x22\x27]?\s*\d{6}/si"; metadata:service smtp; reference:cve,2007-0342; classtype:attempted-dos; sid:33911; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt"; flow:to_client,established; file_data; content:"<td"; nocase; content:"rowspan"; within:50; nocase; pcre:"/rowspan\s*=\s*[\x22\x27]?\s*\d{6}/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0342; classtype:attempted-dos; sid:33910; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple WebKit QuickTime plugin content-type http header buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime|file.smil; content:"Content-Type: "; http_header; content:!"|3B|"; within:255; http_header; content:!"|0A|"; within:255; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2012-3753; reference:url,attack.mitre.org/techniques/T1176; classtype:attempted-user; sid:29394; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt"; flow:to_client,established; file_data; content:"<style"; nocase; content:"title"; distance:0; nocase; content:"</style>"; distance:0; content:"<script"; distance:0; nocase; content:"<title"; distance:0; nocase; content:"</script"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-3684; reference:url,support.apple.com/kb/HT5485; reference:url,support.apple.com/kb/HT5502; reference:url,support.apple.com/kb/HT5503; classtype:attempted-user; sid:25038; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt"; flow:to_client,established; file_data; content:"<style>*"; nocase; content:"</style>"; distance:0; content:"<script"; distance:0; nocase; content:"<title"; distance:0; nocase; content:"</script"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-3684; reference:url,support.apple.com/kb/HT5485; reference:url,support.apple.com/kb/HT5502; reference:url,support.apple.com/kb/HT5503; classtype:attempted-user; sid:25037; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit form elements virtual function DoS attempt"; flow:established,to_client; file_data; content:" form="; fast_pattern; content:"<form"; nocase; content:"</form>"; distance:0; nocase; content:" form="; distance:0; nocase; pcre:"/<form\s[^>]*?id=[^>]+?>[^<]*?<\/form>.*?<\w+(?<!form)\s[^>]*?form=/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-2813; reference:url,support.apple.com/kb/HT4981; classtype:attempted-dos; sid:25036; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT WebKit button column memory corruption attempt"; flow:to_client,established; file_data; content:"-webkit-column-span"; fast_pattern; nocase; content:"document.documentElement.offsetTop"; distance:0; pcre:"/(function\s+(?P<function>[a-z0-9_\-]+)\(\)\s*\{.*?(?P<div>[a-z0-9_\-]+)\s*=\s*document\.createElement\('div'\)\x3b.*?(?P=div)\.style\['-webkit-column-span'\]\s*=\s*'all'\x3b.*?document\.getElementById\(\"(?P<button>[a-z0-9_\-]+)\"\)\.appendChild\((?P=div)\)\x3b.*?document\.documentElement\.offsetTop\x3b.*?\<body[^>]*?onload\s*=\s*\"(?P=function)\(\)\"[^>]*?>.*?<button[^>]*?id\s*=\s*\"(?P=button)\"[^>]*?style\s*=\s*\"[^\"]*?-webkit-column-width\x3a1px\"[^>]*?>)|(<style>.*?\{\s*-webkit-column-span\x3a\s*all\x3b.*?function\s+(?P<function2>[a-z0-9_\-]+)\(\)\s*\{.*?(?P<div2>[a-z0-9_\-]+)*\s*=\s*document\.createElement\('div'\)\x3b.*?(?P<button2>[a-z0-9_\-]+)\s*=\s*document\.createElement\('button'\)\x3b.*?document\.documentElement.appendChild\((?P=button2)\)\x3b.*?(?P=button2)\.appendChild\((?P=div2)\).*?document\.documentElement\.offsetTop\x3b)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54680; reference:cve,2012-1520; classtype:attempted-user; sid:23805; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Microsoft Windows 7 x64 Apple Safari abnormally long iframe exploit attempt"; flow:to_client,established; file_data; content:"<iframe"; fast_pattern; nocase; content:"height|3D|"; within:50; nocase; pcre:"/<iframe[^>]*?height\x3d\s*[\x22\x27]?\s*[0-9]{6}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,51122; reference:cve,2011-5046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-008; classtype:attempted-dos; sid:20999; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt"; flow:to_client,established; file_data; content:"http://icl.com/saxon"; fast_pattern:only; content:":output"; nocase; pcre:"/\s*[^>]file=/iR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1774; reference:url,attack.mitre.org/techniques/T1220; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:20593; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari CSS font format corruption attempt"; flow:to_client,established; file_data; content:"src|3A|"; nocase; content:"url("; within:100; nocase; content:"format("; within:300; nocase; pcre:"/\x7B[^\x7D]*?src\x3A\s+url\([^\)]*\)\s+format\([^\x22\x27\)]*\)/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38684; reference:cve,2010-0046; reference:url,support.apple.com/kb/HT4070; classtype:attempted-user; sid:19099; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit ContentEditable code exeuction attempt"; flow:to_client,established; file_data; content:"target.innerHTML = |22 3C|option|3E|PASS|3C 2F|option|3E 22 3B|"; content:"getElementById|28 22|result|22 29|.innerHTML = target.value"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40647; reference:cve,2010-1396; classtype:attempted-user; sid:19098; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit ContentEditable code execution attempt"; flow:to_client,established; file_data; content:"object.innerHTML = |22 22 3B|"; content:"object.value|3B|"; within:30; content:"|3C|select id|3D 22|object|22 3E 3C|option|3E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40647; reference:cve,2010-1396; classtype:attempted-user; sid:19097; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit CSS Charset Text transformation code execution attempt"; flow:to_client,established; file_data; content:"text-transform|3A 20|lowercase|3B|"; fast_pattern:only; content:"document|2E|getElementById|28 22|result|22 29 2E|innerHTML|20 3D 20 22|PASS|22 3B|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40653; reference:cve,2010-1770; classtype:attempted-user; sid:19096; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit CSS Charset Text transformation code execution attempt"; flow:to_client,established; file_data; content:"text-transform|3A 20|capitalize|3B|"; fast_pattern:only; content:"document.body.addTextNode"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40653; reference:cve,2010-1770; classtype:attempted-user; sid:19095; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit menu onchange memory corruption attempt"; flow:to_client,established; file_data; content:"element = document.getElementById"; content:"element.onchange = function|28 29 20 7B 20|element.size = 50|3B 20 7D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43083; reference:cve,2010-1814; classtype:attempted-user; sid:19010; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit menu onchange memory corruption attempt"; flow:to_client,established; file_data; content:"window.layoutTestController"; content:"eventSender.keyDown|28 22|e|22 29 3B|"; distance:0; content:"eventSender.keyDown|28 22 5C|r|22 2C 20 5B 5D 29 3B|"; distance:0; content:"document.body.offsetTop|3B|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43083; reference:cve,2010-1814; classtype:attempted-user; sid:19009; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit floating point conversion memory corruption attempt"; flow:to_client,established; file_data; content:"parseFloat("; content:"NAN(ffffe"; within:25; fast_pattern; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43047; reference:cve,2010-1807; classtype:attempted-user; sid:19008; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; file_data; content:"p|20 7B 20|display|3A 20|run|2D|in|20 7D|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|child|29 3B|"; content:"document.getElementById|28 22|test|22 29|.appendChild|28|document.getElementById|28 22|sibling|22 29 29 3B|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19004; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; file_data; content:"elem.setAttribute|28 22|style|22 2C 20 22|display|3A 20|run|2D|in|22 29 3B|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|elem|29 3B|"; content:"document.getElementById|28 22|output|22 29|.appendChild|28|document.getElementById|28 22|block-sibling|22 29 29 3B|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19003; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit removeAllRanges use-after-free attempt"; flow:to_client,established; file_data; content:"window|2E|getSelection|28 29 2E|selectAllChildren"; content:"style|2E|display|20 3D 20 27|none|27|"; distance:0; content:"window|2E|getSelection|28 29 2E|removeAllRanges"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43079; reference:cve,2010-1812; classtype:attempted-user; sid:18995; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt"; flow:to_client,established; file_data; content:"<style>"; nocase; content:"|3A|first-letter"; distance:0; nocase; content:"display|3A 20|block"; distance:0; nocase; pcre:"/(?P<a>\w+)\s*\x7b[^\x7d]*?display\s*\x3a\s*block.*?\x3cinput(?=[^\x3e]+type\s*\x3d\s*[\x22\x27]?(button|submit))[^\x3e]+class\s*\x3d\s*[\x22\x27]?(?P=a)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40644; reference:cve,2010-1392; classtype:attempted-user; sid:18973; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit attribute child removal code execution attempt"; flow:to_client,established; file_data; content:"elem.getAttributeNode|28 27|rows|27 29 2E|removeChild|28|nodes|5B 30 5D 29 3B|"; content:"setTimeout|28|function|28 29 20 7B 20 67|"; within:40; content:"try|20 7B 20|nodes|5B 30 5D 2E|textContent|20 7D 20|catch|20 28 65 78 29 20 7B 20 7D|"; within:100; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40642; reference:cve,2010-1119; classtype:attempted-user; sid:18958; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit attribute child removal code execution attempt"; flow:to_client,established; file_data; content:"= document.getElementById|28 22|t|22 29|"; content:"= id.getAttributeNode|28 27|id|27 29|"; within:50; content:"document.body.removeChild|28|id|29 3B|"; within:100; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40642; reference:cve,2010-1119; classtype:attempted-user; sid:18957; rev:10;)
# NOTE(review): Snort 2 rule lines. An "alert ..." line that starts with "# " is shipped
# disabled and is never loaded; in this section only sids 47023 and 47022 (CVE-2018-4233)
# are active. Several detections appear as pairs: one variant on $SMTP_SERVERS 25 with
# flow:to_server, the other on $FILE_DATA_PORTS with flow:to_client, so the same payload
# is matched whether it arrives as a mail attachment or over HTTP/FTP/IMAP/POP3. Every
# rule below matches on file_data (the reassembled/decoded file body), not raw packet bytes.
# --- Disabled legacy WebKit/Safari rules (2009-2011 CVEs) -------------------------------
# NOTE(review): sid 18903, CVE-2010-1784 - ordered sequence of two "counter-reset:" tokens,
# a "counter(" call and "document.body.removeChild(" inside the file body.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit Rendering Counter Code Execution"; flow:to_client,established; file_data; content:"counter-reset|3A|"; nocase; content:"counter-reset|3A|"; distance:0; nocase; content:"counter|28|"; distance:0; nocase; content:"document.body.removeChild|28|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42036; reference:cve,2010-1784; classtype:attempted-user; sid:18903; rev:10;)
# NOTE(review): sid 18770, CVE-2011-0115 - DOM event listener, innerHTML assignment,
# createRange() and extractContents() in that order.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit range object remote code execution attempt"; flow:to_client,established; file_data; content:"document.addEventListener(|22|DOM"; nocase; content:".innerHTML|20 3D|"; distance:0; nocase; content:"document.createRange|28 29 3B|"; distance:0; nocase; content:".extractContents|28 29 3B|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,46746; reference:cve,2011-0115; classtype:attempted-user; sid:18770; rev:9;)
# NOTE(review): sid 16666 and sid 16596 both cover CVE-2010-1939 (parent window close).
# 16666 keys on a literal two-iteration for-loop; 16596 uses a PCRE backreference so the
# variable holding "parent" may have any name.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari window.parent.close unspecified remote code execution vulnerability"; flow:to_client,established; file_data; content:"for|28|var i = 0|3B| i |3C| 2|3B| i|2B 2B 29|"; content:"parent.alert|28 22|"; within:50; content:"self.close|28 29 3B|"; within:50; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39990; reference:cve,2010-1939; reference:url,secunia.com/advisories/39670; classtype:attempted-user; sid:16666; rev:12;)
# NOTE(review): sids 16632/16631, CVE-2010-0054 - two single-content rules, one for the
# "reparent" variant and one for the "remove" variant. Each is a case-sensitive literal
# (no nocase), including the variable name "imgBar" in 16632.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari image use after reparent attempt"; flow:to_client,established; file_data; content:"imgBar = document.body.getElementsByTagName(|22|img|22|)[0]"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38691; reference:cve,2010-0054; reference:url,"support.apple.com/kb/HT4070"; classtype:attempted-user; sid:16632; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari image use after remove attempt"; flow:to_client,established; file_data; content:"removeChild(document.getElementsByTagName(|22|img|22|)[0])"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38691; reference:cve,2010-0054; reference:url,"support.apple.com/kb/HT4070"; classtype:attempted-user; sid:16631; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari information disclosure and remote code execution attempt"; flow:to_client,established; file_data; content:"parent"; content:".prompt"; distance:0; pcre:"/var\s+(\w+)\s*\x3D\s*parent\s*\x3b.*\1\x2Eprompt.*\1\x2Eclose/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1939; reference:url,secunia.com/advisories/39670; classtype:attempted-user; sid:16596; rev:13;)
# NOTE(review): sid 16492, CVE-2010-0049 - right-to-left (dir=rtl) body/html plus a NOBR
# collection whose innerHTML is cleared; "<NOBR" is the fast-pattern anchor, the two
# PCREs tolerate either quote style or none.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari inline text box use after free attempt"; flow:to_client,established; file_data; content:".innerHTML"; nocase; content:"rtl"; nocase; content:"<NOBR"; fast_pattern; nocase; pcre:"/<(body|html)[^>]+dir\s*=\s*(?P<q1>\x22|\x27|)rtl(?P=q1)/smi"; pcre:"/(?P<obj>[A-Z\d_]+)\s*=\s*document\.getElementsByTagName\((?P<q2>\x22|\x27|)NOBR(?P=q2)\).*?(?P=obj)\.innerHTML\s*=\s*(\x22\x22|\x27\x27)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0049; classtype:attempted-user; sid:16492; rev:12;)
# NOTE(review): sid 16145, CVE-2009-2195 - matches one specific very long numeric literal
# assigned to "pi" followed by a specific document.write() call; any other long float
# literal does not match.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"var pi=3+0.14159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852"; content:"document.write|28 22|Area = pi*|28|r^2|29 22|+pi*|28|radius*radius|29 29 3B|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:16145; rev:8;)
# NOTE(review): sids 35045/35044, CVE-2015-1084 URI spoofing - classtype is
# policy-violation rather than attempted-user and neither rule carries "policy ... drop"
# metadata, so they are alert-only even where the other rules in this file drop.
# The two sids differ only in which of setInterval / location appears first.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari URI spoofing attempt"; flow:to_client,established; file_data; content:"setInterval"; nocase; content:"location"; within:200; nocase; pcre:"/(^|\s)setInterval\x28\s*=.*?location\s*=\s*\([^,]+,\s*\d{1,2}[^\d]/si"; metadata:service http; reference:cve,2015-1084; classtype:policy-violation; sid:35045; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari URI spoofing attempt"; flow:to_client,established; file_data; content:"location"; nocase; content:"setInterval"; distance:0; nocase; pcre:"/(^|\s)location\s*=.*?setInterval\s*\([^,]+,\s*\d{1,2}[^\d]/si"; metadata:service http; reference:cve,2015-1084; classtype:policy-violation; sid:35044; rev:1;)
# NOTE(review): sid 36585, CVE-2015-7007 - single case-sensitive literal for the
# "applescript://com.apple.scripteditor" URL scheme; mapped to ATT&CK T1155 in the refs.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari user assisted applescript code execution attempt"; flow:to_client,established; file_data; content:"applescript://com.apple.scripteditor"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-7007; reference:url,attack.mitre.org/techniques/T1155; reference:url,support.apple.com/en-us/HT205375; classtype:attempted-user; sid:36585; rev:2;)
# NOTE(review): sids 41855/41854, CVE-2015-1126 - an iframe followed by an ftp:// URL that
# carries the percent-encoded sequences %40, %2F and %23@ within bounded windows; the
# "%23@" match is case-sensitive while "%2F" is not.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari FTP URL cross-domain restriction bypass attempt"; flow:to_server,established; file_data; content:"iframe"; nocase; content:"ftp|3A|//"; within:200; fast_pattern; nocase; content:"%40"; within:100; content:"%2F"; within:100; nocase; content:"%23@"; within:100; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,73977; reference:cve,2015-1126; classtype:misc-activity; sid:41855; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari FTP URL cross-domain restriction bypass attempt"; flow:to_client,established; file_data; content:"iframe"; nocase; content:"ftp|3A|//"; within:200; fast_pattern; nocase; content:"%40"; within:100; content:"%2F"; within:100; nocase; content:"%23@"; within:100; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,73977; reference:cve,2015-1126; classtype:misc-activity; sid:41854; rev:1;)
# NOTE(review): sid 43298, CVE-2010-1029 DoS - unlike the rest of this file the header is
# "any -> $HOME_NET any" (no port restriction), relying on "service http" metadata and a
# long run of chained "*>" universal selectors as the fast pattern, plus "text/css".
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit WebCore CSSSelector denial of service attempt"; flow:to_client,established; file_data; content:"*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>"; fast_pattern:only; content:"text/css"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1029; classtype:denial-of-service; sid:43298; rev:1;)
# NOTE(review): sids 45735-45732, CVE-2010-1392 - two CSS fixtures (".capitalize/.block"
# and ".first/.second"), each shipped for both transports. The content strings embed exact
# newline (|0A|) and space (|20|) bytes, so the same CSS with different indentation or line
# endings does not match.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt"; flow:to_client,established; file_data; content:".capitalize:first-letter {|0A|text-transform: uppercase"; fast_pattern; content:".block {|0A|display: block|3B 0A|}"; within:500; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1392; classtype:attempted-user; sid:45735; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt"; flow:to_server,established; file_data; content:".capitalize:first-letter {|0A|text-transform: uppercase"; fast_pattern; content:".block {|0A|display: block|3B 0A|}"; within:500; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-1392; classtype:attempted-user; sid:45734; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt"; flow:to_client,established; file_data; content:".first:first-letter {|0A 20 20 20 20 20 20 20 20|font-size:"; fast_pattern; content:".second {|0A 20 20 20 20 20 20 20 20|display: block|3B 0A 20 20 20 20|}"; within:500; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1392; classtype:attempted-user; sid:45733; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt"; flow:to_server,established; file_data; content:".first:first-letter {|0A 20 20 20 20 20 20 20 20|font-size:"; fast_pattern; content:".second {|0A 20 20 20 20 20 20 20 20|display: block|3B 0A 20 20 20 20|}"; within:500; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-1392; classtype:attempted-user; sid:45732; rev:1;)
# --- ENABLED rules ------------------------------------------------------------------------
# NOTE(review): sids 47023/47022, CVE-2018-4233 - the only active rules in this section.
# They drop in the balanced, security and max-detect IPS policies. Detection is a single
# case-sensitive literal JavaScript fragment evaluated with fast_pattern:only (no further
# payload checks); it presumably comes from a published proof of concept, so a sample
# that renames "o", "val" or "trigger" would not be caught - confirm against current
# samples before relying on it as the sole CVE-2018-4233 coverage.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple WebKit memory corruption attempt"; flow:to_server,established; file_data; content:"trigger(|27|this.result = o[0]|27|, |27|o[0] = val|27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4233; reference:url,support.apple.com/en-us/HT208848; classtype:attempted-user; sid:47023; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple WebKit memory corruption attempt"; flow:to_client,established; file_data; content:"trigger(|27|this.result = o[0]|27|, |27|o[0] = val|27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4233; reference:url,support.apple.com/en-us/HT208848; classtype:attempted-user; sid:47022; rev:1;)
# --- Disabled: WebKit RegExp JIT issue (referenced by WebKit bug id, no CVE listed) --------
# NOTE(review): sids 48547/48546 - disabled despite carrying "security-ips drop"
# metadata; enabling requires removing the leading "# ". Two case-sensitive literals:
# a toString override on "regexLastIndex" and the "reg.lastIndex = regexLastIndex;"
# assignment.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt"; flow:to_server,established; file_data; content:"regexLastIndex.toString = function() {"; fast_pattern:only; content:"reg.lastIndex = regexLastIndex|3B|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,bugs.webkit.org/show_bug.cgi?id=191731; classtype:attempted-user; sid:48547; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"regexLastIndex.toString = function() {"; fast_pattern:only; content:"reg.lastIndex = regexLastIndex|3B|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,bugs.webkit.org/show_bug.cgi?id=191731; classtype:attempted-user; sid:48546; rev:1;)