1254 lines
468 KiB
Plaintext
1254 lines
468 KiB
Plaintext
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
|
#
|
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
|
# GNU General Public License (GPL), v2.
|
|
#
|
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
|
# list of third party owners and their respective copyrights.
|
|
#
|
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
|
# to the VRT Certified Rules License Agreement (v2.0).
|
|
#
|
|
#---------------------
|
|
# FILE-IDENTIFY RULES
|
|
#---------------------
|
|
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY language.engtesselate.ln file download request"; flow:to_server,established; content:"language.engtesselate.ln"; fast_pattern:only; http_uri; flowbits:set,file.engtesselate; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:19252; rev:8;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MachO x64 Big Endian file magic detected"; flow:to_client,established; file_data; content:"|FE ED FA CF|"; depth:4; flowbits:set,file.macho64be; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20491; rev:14;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY ffmpeg file magic detected"; flow:to_client,established; file_data; content:"4XMV"; depth:4; flowbits:set,file.ffmpeg; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20513; rev:15;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Postscript file magic detected"; flow:to_client,established; file_data; content:"|25 21 50 53 2D 41 64 6F 62 65 2D|"; depth:11; flowbits:set,file.postscript; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20454; rev:14;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY CryptFF file magic detected"; flow:to_client,established; file_data; content:"|B6 B9 AC AE FE FF FF FF|"; flowbits:set,file.cryptff; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20479; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY TNEF file magic detected"; flow:to_client,established; file_data; content:"x|9F|>|22|"; depth:4; flowbits:set,file.tnef; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20476; rev:18;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Visual Basic script file download request"; flow:to_server,established; content:".vbs"; fast_pattern:only; http_uri; pcre:"/\x2evbs([\?\x5c\x2f]|$)/smiU"; metadata:service http; reference:url,en.wikipedia.org/wiki/Vbs; classtype:misc-activity; sid:18758; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office PowerPoint .MSProducerZ file download request"; flow:to_server,established; content:".MSProducerZ"; fast_pattern:only; http_uri; pcre:"/\x2eMSProducerZ([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.msproducer; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:16477; rev:18;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Core Audio Format file download request"; flow:to_server,established; content:".caf"; fast_pattern:only; http_uri; pcre:"/\x2ecaf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.caff; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Core_Audio_Format; classtype:misc-activity; sid:15444; rev:14;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY ARJ file magic detected"; flow:to_client,established; file_data; content:"|60 EA 00 00|"; depth:4; flowbits:set,file.arj; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20475; rev:14;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY EPS file download request"; flow:to_server,established; content:".eps"; fast_pattern:only; http_uri; pcre:"/\x2eeps([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.eps; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Encapsulated_PostScript; classtype:misc-activity; sid:13983; rev:15;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY 7zip file magic detected"; flow:to_client,established; file_data; content:"7z|BC AF 27 1C|"; depth:6; flowbits:set,file.7zip; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20487; rev:15;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Ultimate Packer for Executables/UPX v2.90 v2.93-v3.00 packed file magic detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"`|BE|"; content:"|8D BE|"; within:2; distance:4; pcre:"/^\x57(\x83\xCD\xFF)?\x89\xE5\x8D\x9C\x24.{4}\x31\xC0\x50\x39\xDC\x75\xFB\x46\x46\x53\x68.{4}\x57\x83\xC3\x04\x53\x68.{4}\x56\x83\xC3\x04\x53\x50\xC7\x03.{4}\x90\x90/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,upx.sourceforge.net; reference:url,www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx; classtype:misc-activity; sid:16436; rev:15;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Visual Studio DISCO file download request"; flow:to_server,established; content:".disco"; fast_pattern:only; http_uri; pcre:"/\x2edisco([\?\x5c\x2f]|$)/smiU"; metadata:service http; reference:url,msdn.microsoft.com/en-us/library/8k0zafxb(v=vs.80).aspx; classtype:misc-activity; sid:19233; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows HTML help workshop file download request"; flow:to_server,established; content:".hhp"; fast_pattern:only; http_uri; pcre:"/\x2ehhp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.hlp; flowbits:noalert; metadata:policy max-detect-ips alert, service http; reference:url,en.wikipedia.org/wiki/Microsoft_WinHelp; classtype:misc-activity; sid:5740; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PLF playlist file download request"; flow:to_server,established; content:".plf"; fast_pattern:only; http_uri; pcre:"/\x2eplf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.plf; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:16691; rev:16;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Client Agent Helper JAR file download request"; flow:to_server,established; content:"_helper.jar"; fast_pattern:only; pcre:"/agent_(win|lin|mac)_helper\.jar$/siU"; flowbits:set,file.jar.agent_helper; flowbits:noalert; metadata:ruleset community, service http; reference:cve,2011-1969; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; classtype:misc-activity; sid:20260; rev:17;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY amf file download request"; flow:to_server,established; content:".amf"; nocase; http_uri; pcre:"/\x2Eamf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.amf; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20563; rev:10;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Metastock mwl file magic detected"; flow:to_client,established; file_data; content:"[MetaStock"; depth:10; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.equis.com/products/endofday/metastock/?overview; classtype:misc-activity; sid:20172; rev:12;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY mx4 file magic detected"; flow:to_client,established; file_data; content:"MXC3"; depth:4; flowbits:set,file.mx4; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20512; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office PowerPoint .MSProducerBF file download request"; flow:to_server,established; content:".MSProducerBF"; fast_pattern:only; http_uri; pcre:"/\x2eMSProducerBF([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.msproducer; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:16478; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MHTML file download request"; flow:to_server,established; content:".mht"; fast_pattern:only; http_uri; pcre:"/\x2emht(ml)?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.mht; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/MHTML; classtype:misc-activity; sid:19289; rev:16;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe .pfb file download request"; flow:to_server, established; content:".pfb"; fast_pattern:only; http_uri; pcre:"/\x2epfb([\?\x5c\x2f]|$)/smiU"; metadata:service http; reference:cve,2008-1806; reference:cve,2008-1807; reference:url,en.wikipedia.org/wiki/Printer_Font_Binary#Printer_Font_Binary; classtype:misc-activity; sid:16552; rev:12;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY CSV file download request"; flow:to_server,established; content:".csv"; fast_pattern:only; http_uri; pcre:"/\x2ecsv([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.csv; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0112; reference:url,en.wikipedia.org/wiki/Comma-separated_values; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:misc-activity; sid:13584; rev:19;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows CAB file magic detected"; flow:to_client,established; file_data; content:"MSCF"; depth:4; flowbits:set,file.cab; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20461; rev:15;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY BAT file download request"; flow:to_server,established; content:".bat"; fast_pattern:only; http_uri; pcre:"/\x2ebat([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.bat; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:18273; rev:12;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Script encoder file magic detected"; flow:to_client,established; file_data; content:"|23 40 7E 5E|"; depth:4; flowbits:set,file.screnc; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20453; rev:14;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY caff file magic detected"; flow:to_client,established; file_data; content:"caff|00 01 00 00|"; depth:8; flowbits:set,file.caff; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20516; rev:13;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows .NET Application file download request"; flow:to_server,established; content:".application"; fast_pattern:only; http_uri; pcre:"/\x2eapplication([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.application; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21688; reference:cve,2006-6696; reference:url,en.wikipedia.org/wiki/ASP.NET; classtype:misc-activity; sid:17508; rev:18;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY SIS file magic detected"; flow:to_client,established; file_data; content:"|19 04 00 10|"; depth:4; flowbits:set,file.sis; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20484; rev:14;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Access MSISAM file magic detected"; flow:to_client,established; file_data; content:"MSISAM Database"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,en.wikipedia.org/wiki/Microsoft_access; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-028; classtype:misc-activity; sid:13633; rev:18;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.51-v0.61 packed file magic detected"; flow:to_client,established; file_data; content:"`|E8 00 00 00 00|X|83 E8|=P|8D B8|"; content:"|FF|W"; within:2; distance:3; content:"|8A 06|F|88 07|G|EB EB 90 90 90 B8 01 00 00 00 01|"; within:17; distance:28; metadata:service ftp-data, service http, service imap, service pop3; reference:url,upx.sourceforge.net; reference:url,www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx; classtype:misc-activity; sid:16434; rev:14;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY vmd file magic detected"; flow:to_client,established; file_data; content:"|2E 03 00 00 01|"; depth:5; flowbits:set,file.vmd; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20520; rev:14;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MachO Little Endian file magic detected"; flow:to_client,established; file_data; content:"|CE FA ED FE|"; depth:4; flowbits:set,file.machole; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20488; rev:14;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY BAK file download request"; flow:to_server,established; content:".bak"; fast_pattern:only; http_uri; pcre:"/\x2ebak([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.bak; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:13915; rev:17;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY bcproj file magic detected"; flow:to_client,established; file_data; content:"beat"; depth:4; flowbits:set,file.bcproj; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20511; rev:12;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY ELF file magic detected"; flow:to_client,established; file_data; content:"|7F|ELF"; depth:4; flowbits:set,file.elf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20477; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-IDENTIFY .htr access file download request"; flow:to_server,established; content:".htr"; fast_pattern:only; http_uri; pcre:"/\x2ehtr([\?\x5c\x2f]|$)/smiU"; metadata:ruleset community, service http; reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:misc-activity; sid:987; rev:31;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY SIP log file magic detected"; flow:to_client,established; file_data; content:"|53 49 50 2D 48 49 54 20 28 53 49 50 2F 48|"; depth:14; flowbits:set,file.siplog; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20485; rev:14;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY GZip file magic detected"; flow:to_client,established; file_data; content:"|1F 8B 08 00|"; depth:4; flowbits:set,file.gzip; flowbits:noalert; metadata:policy max-detect-ips alert, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20452; rev:15;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Ogg Stream file magic detected"; flow:to_client,established; file_data; content:"OggS|00|"; depth:5; flowbits:set,file.ogg; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20462; rev:13;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable compact binary file magic detected"; flow:to_client,established; file_data; content:"MZ"; byte_jump:4,58,little,relative; content:"PE|00 00|"; within:4; distance:-64; content:"APECO"; distance:0; flowbits:set,file.pecompact; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:13797; rev:18;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY BinHex file magic detected"; flow:to_client,established; file_data; content:"(This file must be converted with BinHex 4.0)"; fast_pattern:only; flowbits:set,file.binhex; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20455; rev:13;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY ARJ format file download request"; flow:to_server,established; content:".arj"; fast_pattern:only; http_uri; pcre:"/\x2earj([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.arj; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Arj; classtype:misc-activity; sid:15582; rev:14;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|"; within:4; distance:16; flowbits:set,file.oless.v4; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:16475; rev:18;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Mail file download request"; flow:to_server,established; content:".eml"; fast_pattern:only; http_uri; pcre:"/\x2eeml([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.eml; flowbits:noalert; metadata:service http; reference:nessus,10767; classtype:misc-activity; sid:18274; rev:14;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY compressed Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"CWS"; depth:3; byte_test:1,>=,0x06,0,relative; flowbits:set,file.cws; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20495; rev:20;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Address Book file magic detected"; flow:to_client,established; file_data; content:"|9C CB CB 8D 13|u|D2 11 91|X|00 C0|OyV|A4|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-2386; reference:url,en.wikipedia.org/wiki/Windows_Address_Book; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-076; classtype:misc-activity; sid:9639; rev:13;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY bzip file magic detected"; flow:to_client,established; file_data; content:"BZh"; depth:3; flowbits:set,file.bzip; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20458; rev:14;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MachO x64 Little Endian file magic detected"; flow:to_client,established; file_data; content:"|CF FA ED FE|"; depth:4; flowbits:set,file.macho64le; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20489; rev:17;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY ivr file magic detected"; flow:to_client,established; file_data; content:".R1M"; depth:4; flowbits:set,file.ivr; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20515; rev:14;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY CDR file magic detected"; flow:to_client,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"CDR"; within:3; distance:4; flowbits:set,file.cdr; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/CorelDRAWCDR_file_format; classtype:misc-activity; sid:20589; rev:12;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Access JSDB file magic detected"; flow:to_client,established; file_data; content:"|00 01 00 00|Jet System DB"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,en.wikipedia.org/wiki/Microsoft_access; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-028; classtype:misc-activity; sid:13629; rev:18;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MachO Big Endian file magic detected"; flow:to_client,established; file_data; content:"|FE ED FA CE|"; depth:4; flowbits:set,file.machobe; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20490; rev:14;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Access TJDB file magic detected"; flow:to_client,established; file_data; content:"|00 01 00 00|Temp Jet DB"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,en.wikipedia.org/wiki/Microsoft_access; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-028; classtype:misc-activity; sid:13630; rev:18;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY amf file magic detected"; flow:to_client,established; file_data; content:"AMF"; depth:3; flowbits:set,file.amf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20564; rev:13;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Symantec file magic detected"; flow:to_client,established; file_data; content:"X-Symantec-"; depth:11; flowbits:set,file.symantec; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20474; rev:14;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY CDR file download request"; flow:to_server,established; content:".cdr"; fast_pattern:only; http_uri; pcre:"/\x2ecdr([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.cdr; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/CorelDRAWCDR_file_format; classtype:misc-activity; sid:20588; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MAKI file download request"; flow:to_server,established; content:".maki"; fast_pattern:only; http_uri; pcre:"/\x2emaki([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.maki; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:15426; rev:18;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY vmd file download request"; flow:to_server,established; content:".vmd"; nocase; http_uri; pcre:"/\x2Evmd([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.vmd; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20519; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office PowerPoint .MSProducer file download request"; flow:to_server,established; content:".MSProducer"; fast_pattern:only; http_uri; pcre:"/\x2eMSProducer([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.msproducer; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:16476; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY remote desktop configuration file download request"; flow:to_server,established; content:".rdp"; fast_pattern:only; http_uri; pcre:"/\x2erdp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rdp; flowbits:noalert; metadata:service http; reference:url,attack.mitre.org/techniques/T1076; reference:url,en.wikipedia.org/wiki/Remote_Desktop_Protocol; classtype:misc-activity; sid:16742; rev:15;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Media download detected"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smiH"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:1437; rev:27;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY webm file download request"; flow:to_server,established; content:".webm"; fast_pattern:only; http_uri; pcre:"/\x2ewebm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.webm; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20751; rev:10;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY webm file magic detected"; flow:to_client,established; file_data; content:"|1A 45 DF A3|"; depth:4; content:"webm"; within:4; distance:27; flowbits:set,file.webm; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20750; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Autodesk Maya embedded language script download request"; flow:to_server,established; content:".ma"; nocase; http_uri; pcre:"/\x2ema([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.autodesk_ma; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20859; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY DAZ Studio script download request"; flow:to_server,established; content:".ds"; nocase; http_uri; pcre:"/\x2eds[aeb]?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.daz_ds; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20852; rev:9;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY caff file attachment detected"; flow:to_client,established; content:".caf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecaf/i"; flowbits:set,file.caff; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20915; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Video Spirit file attachment detected"; flow:to_server,established; content:".visprj"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2evisprj/i"; flowbits:set,file.visprj; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20894; rev:8;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY EPS file attachment detected"; flow:to_client,established; content:".eps"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eeps/i"; flowbits:set,file.eps; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20911; rev:9;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Video Spirit visprj download attempt"; flow:to_server,established; content:".visprj"; nocase; http_uri; pcre:"/\x2evisprj([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.visprj; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20888; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MAKI file attachment detected"; flow:to_server,established; content:".maki"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emaki/i"; flowbits:set,file.maki; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20849; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY AutoDesk 3D Studio Maxscript file attachment detected"; flow:to_client,established; content:".max"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emax/i"; flowbits:set,file.autodesk_max; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20895; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY caff file attachment detected"; flow:to_server,established; content:".caf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecaf/i"; flowbits:set,file.caff; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20916; rev:11;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Autodesk Maya file magic detected"; flow:to_client,established; file_data; content:"//Maya"; depth:6; flowbits:set,file.autodesk_ma; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20860; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY EPS file attachment detected"; flow:to_server,established; content:".eps"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eeps/i"; flowbits:set,file.eps; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20912; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected"; flow:to_server,established; content:".emf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eemf/i"; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:20851; rev:18;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY MAKI file attachment detected"; flow:to_client,established; content:".maki"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emaki/i"; flowbits:set,file.maki; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20848; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY AutoDesk 3D Studio Maxscript file attachment detected"; flow:to_server,established; content:".max"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emax/i"; flowbits:set,file.autodesk_max; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20896; rev:13;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY BAK file attachment detected"; flow:to_client,established; content:".bak"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ebak/i"; flowbits:set,file.bak; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20917; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Autodesk 3D Studio Maxscript download request"; flow:to_server,established; content:".max"; nocase; http_uri; pcre:"/\x2emax([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.autodesk_max; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20869; rev:9;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected"; flow:to_client,established; content:".emf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eemf/i"; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:20850; rev:17;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY BAK file attachment detected"; flow:to_server,established; content:".bak"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ebak/i"; flowbits:set,file.bak; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20918; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Video Spirit file attachment detected"; flow:to_client,established; content:".visprj"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2evisprj/i"; flowbits:set,file.visprj; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20893; rev:7;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY DAT file download request"; flow:established,to_server; content:".dat"; fast_pattern:only; http_uri; pcre:"/\x2edat([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.dat; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:16630; rev:15;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Media Player compressed skin download request"; flow:established,to_server; content:".wmd"; nocase; http_uri; pcre:"/\x2ewmd([\?\x5c\x2f]|$)/smiU"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25305; reference:cve,2007-3037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-047; classtype:policy-violation; sid:17546; rev:10;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Cytel Studio cy3 file download request"; flow:to_server,established; content:".cy3"; fast_pattern:only; http_uri; pcre:"/\x2ecy3([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.cy3; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21012; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Money file download request"; flow:to_server,established; content:".mny"; fast_pattern:only; http_uri; pcre:"/\x2emny([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.mny; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21008; rev:9;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Money file magic detected"; flow:to_client,established; file_data; content:"|00 01 00 00 4D 53 49 53|"; flowbits:set,file.mny; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21007; rev:8;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY cy3 Cytel Studio file magic detected"; flow:to_client,established; file_data; content:"90"; depth:2; fast_pattern; content:"|0A|"; within:2; pcre:"/90\x0D?\x0A[^\x20]*\x20[^\x0A]*\x0A/i"; flowbits:set,file.cy3; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21015; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Cytel Studio cyb file attachment detected"; flow:to_server,established; content:".cyb"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecyb/i"; flowbits:set,file.cyb; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21016; rev:15;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Cytel Studio cy3 file attachment detected"; flow:to_server,established; content:".cy3"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecy3/i"; flowbits:set,file.cy3; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21014; rev:13;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY cyb Cytel Studio file download request"; flow:to_server,established; content:".cyb"; fast_pattern:only; http_uri; pcre:"/\x2ecyb([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.cyb; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21018; rev:11;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office PowerPoint file magic detected"; flow:to_client,established; file_data; content:"P|00|o|00|w|00|e|00|r|00|P|00|o|00|i|00|n|00|t|00 20 00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t"; flowbits:set,file.ppt; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21011; rev:8;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Cytel Studio cy3 file attachment detected"; flow:to_client,established; content:".cy3"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecy3/i"; flowbits:set,file.cy3; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21013; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY cyb Cytel Studio file attachment detected"; flow:to_client,established; content:".cyb"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecyb/i"; flowbits:set,file.cyb; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21017; rev:14;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Money file attachment detected"; flow:to_server,established; content:".mny"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emny/i"; flowbits:set,file.mny; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21010; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Money file attachment detected"; flow:to_client,established; content:".mny"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emny/i"; flowbits:set,file.mny; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21009; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY UltraISO CUE file attachment detected"; flow:to_client,established; content:".cue"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecue/i"; flowbits:set,file.cue; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21053; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY UltraISO CUE file download request"; flow:to_server,established; content:".cue"; fast_pattern:only; http_uri; pcre:"/\x2ecue([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.cue; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21052; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY UltraISO CUE file attachment detected"; flow:to_server,established; content:".cue"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecue/i"; flowbits:set,file.cue; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21054; rev:9;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY New Executable binary file magic detected"; flow:to_client,established; file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"NE"; within:2; distance:-64; metadata:service ftp-data, service http, service imap, service pop3; reference:url,support.microsoft.com/kb/65122; classtype:misc-activity; sid:21244; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY FON file attachment detected"; flow:to_client,established; content:".fon"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2efon/i"; flowbits:set,file.fon; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21295; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY FON file attachment detected"; flow:to_server,established; content:".fon"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2efon/i"; flowbits:set,file.fon; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21296; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MPPL file download request"; flow:to_server,established; content:".mppl"; nocase; http_uri; pcre:"/\x2Emppl([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.mppl; metadata:service http; classtype:misc-activity; sid:21398; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY MPPL file attachment detected"; flow:to_client,established; content:".mppl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emppl/i"; flowbits:set,file.mppl; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21432; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MPPL file attachment detected"; flow:to_server,established; content:".mppl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emppl/i"; flowbits:set,file.mppl; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21433; rev:9;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Visual Studio addin file attachment detected"; flow:to_client,established; content:".addin"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eaddin/i"; flowbits:set,file.addin; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21574; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Visual Studio addin file attachment detected"; flow:to_server,established; content:".addin"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eaddin/i"; flowbits:set,file.addin; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21575; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Visual Studio addin file download request"; flow:to_server,established; content:".addin"; fast_pattern:only; http_uri; pcre:"/\x2eaddin([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.addin; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21573; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY VisiWave VWR file attachment detected"; flow:to_server,established; content:".vwr"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2evwr/i"; flowbits:set,file.vwr; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21586; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY VisiWave VWR file attachment detected"; flow:to_client,established; content:".vwr"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2evwr/i"; flowbits:set,file.vwr; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21585; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY VisiWave VWR file download request"; flow:to_server,established; content:".vwr"; fast_pattern:only; http_uri; pcre:"/\x2evwr([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.vwr; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21584; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Works file attachment detected"; flow:to_server,established; content:".wps"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewps/i"; flowbits:set,file.wps; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21708; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Works file attachment detected"; flow:to_client,established; content:".wps"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewps/i"; flowbits:set,file.wps; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21707; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY HT-MP3Player file attachment detected"; flow:to_server,established; content:".ht3"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eht3/i"; flowbits:set,file.ht3; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21804; rev:9;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY HT-MP3Player file attachment detected"; flow:to_client,established; content:".ht3"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eht3/i"; flowbits:set,file.ht3; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21803; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY HT-MP3Player file download request"; flow:to_server,established; content:".ht3"; fast_pattern:only; http_uri; pcre:"/\x2eht3([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ht3; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21802; rev:8;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Google Chrome extension file attachment detected"; flow:to_client,established; content:".crx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecrx/i"; flowbits:set,file.crx; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21863; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Google Chrome extension file attachment detected"; flow:to_server,established; content:".crx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecrx/i"; flowbits:set,file.crx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21864; rev:8;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY EMF file magic detected"; flow:to_client,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; within:4; distance:36; fast_pattern; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21940; rev:13;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Visual Basic v6.0 - additional file magic detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FF 25|"; content:"|68|"; within:1; distance:4; content:"|E8|"; within:1; distance:4; content:"|FF FF FF|"; within:3; distance:1; content:"|30|"; within:1; distance:6; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:22002; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Visual Studio DBP file download request"; flow:to_server,established; content:".dbp"; fast_pattern:only; http_uri; pcre:"/\x2edbp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.dbp; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:22013; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Visual Studio SLN file attachment detected"; flow:to_server,established; content:".sln"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esln/i"; flowbits:set,file.sln; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22023; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Visual Studio PKP file download request"; flow:to_server,established; content:".pkp"; fast_pattern:only; http_uri; pcre:"/\x2epkp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pkp; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:22017; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows hlp file attachment detected"; flow:to_client,established; content:".hlp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ehlp/i"; flowbits:set,file.hlp; flowbits:noalert; metadata:policy max-detect-ips alert, service imap, service pop3; classtype:misc-activity; sid:21956; rev:7;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Visual Studio DBP file magic detected"; flow:to_client,established; file_data; content:"Microsoft Developer Studio Project File - Database Project"; fast_pattern:only; flowbits:set,file.dbp; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:22016; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file attachment detected"; flow:to_client,established; content:".vap"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2evap/i"; flowbits:set,file.vap; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22026; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows hlp file magic detected"; flow:to_client,established; file_data; content:"|3F 5F 03 00|"; depth:4; flowbits:set,file.hlp; flowbits:noalert; metadata:policy max-detect-ips alert, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21955; rev:8;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Visual Studio SLN file attachment detected"; flow:to_client,established; content:".sln"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esln/i"; flowbits:set,file.sln; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22022; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows hlp file attachment detected"; flow:to_server,established; content:".hlp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ehlp/i"; flowbits:set,file.hlp; flowbits:noalert; metadata:policy max-detect-ips alert, service smtp; classtype:misc-activity; sid:21957; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Visual Studio DBP file attachment detected"; flow:to_server,established; content:".dbp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edbp/i"; flowbits:set,file.dbp; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22015; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file download request"; flow:to_server,established; content:".vap"; fast_pattern:only; http_uri; pcre:"/\x2evap([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.vap; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:22025; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Visual Studio SLN file download request"; flow:to_server,established; content:".sln"; fast_pattern:only; http_uri; pcre:"/\x2esln([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.sln; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:22021; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Visual Studio PKP file attachment detected"; flow:to_server,established; content:".pkp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epkp/i"; flowbits:set,file.pkp; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22019; rev:7;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file magic detected"; flow:to_client,established; file_data; content:"Microsoft Developer Studio Project File - Analyzer Project"; fast_pattern:only; flowbits:set,file.vap; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:22028; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Visual Studio DBP file attachment detected"; flow:to_client,established; content:".dbp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edbp/i"; flowbits:set,file.dbp; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22014; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Visual Studio SLN file magic detected"; flow:to_client,established; file_data; content:"Microsoft Developer Studio Project File - Solution"; fast_pattern:only; flowbits:set,file.sln; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:22024; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Visual Studio PKP file attachment detected"; flow:to_client,established; content:".pkp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epkp/i"; flowbits:set,file.pkp; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22018; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Visual Studio PKP file magic detected"; flow:to_client,established; file_data; content:"Microsoft Developer Studio Project File - Distribution Unit"; fast_pattern:only; flowbits:set,file.pkp; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:22020; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file attachment detected"; flow:to_server,established; content:".vap"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2evap/i"; flowbits:set,file.vap; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22027; rev:7;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XM file download request"; flow:to_server,established; content:".xm"; fast_pattern:only; http_uri; pcre:"/\x2exm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xm; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:22043; rev:6;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XM file magic detected"; flow:to_client,established; file_data; content:"Extended Module:"; fast_pattern:only; flowbits:set,file.xm; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:22046; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XM file attachment detected"; flow:to_client,established; content:".xm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exm/i"; flowbits:set,file.xm; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:22044; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XM file attachment detected"; flow:to_server,established; content:".xm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exm/i"; flowbits:set,file.xm; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:22045; rev:8;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office PowerPoint pptx file download request"; flow:to_server,established; content:".pptx"; fast_pattern:only; http_uri; pcre:"/\x2epptx([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pptx; flowbits:noalert; metadata:policy max-detect-ips alert, service http; reference:url,en.wikipedia.org/wiki/Microsoft_word; classtype:misc-activity; sid:22082; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office PowerPoint pptx file attachment detected"; flow:to_client,established; content:".pptx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epptx/i"; flowbits:set,file.pptx; flowbits:noalert; metadata:policy max-detect-ips alert, service imap, service pop3; classtype:misc-activity; sid:22083; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office PowerPoint pptx file attachment detected"; flow:to_server,established; content:".pptx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epptx/i"; flowbits:set,file.pptx; flowbits:noalert; metadata:policy max-detect-ips alert, service smtp; classtype:misc-activity; sid:22084; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4A file attachment detected"; flow:to_server,established; content:".m4a"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4a/i"; flowbits:set,file.m4a; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22974; rev:5;)
|
|
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY 3G2 file attachment detected"; flow:to_client,established; content:".3g2"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2e3g2/i"; flowbits:set,file.3g2; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22985; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SKM file attachment detected"; flow:to_server,established; content:".skm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eskm/i"; flowbits:set,file.skm; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22990; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY MHTML file attachment detected"; flow:to_client,established; content:".mht"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emht/i"; flowbits:set,file.mht; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22997; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4R file attachment detected"; flow:to_server,established; content:".m4r"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4r/i"; flowbits:set,file.m4r; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22978; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY M4B file attachment detected"; flow:to_client,established; content:".m4b"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4b/i"; flowbits:set,file.m4b; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22981; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY CSV file attachment detected"; flow:to_client,established; content:".csv"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecsv/i"; flowbits:set,file.csv; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23002; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY M4P file attachment detected"; flow:to_client,established; content:".m4p"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4p/i"; flowbits:set,file.m4p; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22975; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY RealNetworks RealPlayer RP file attachment detected"; flow:to_client,established; content:".rp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2erp/i"; flowbits:set,file.rp; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22967; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY 3G2 file attachment detected"; flow:to_server,established; content:".3g2"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2e3g2/i"; flowbits:set,file.3g2; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22986; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY remote desktop configuration file attachment detected"; flow:to_server,established; content:".rdp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2erdp/i"; flowbits:set,file.rdp; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1076; classtype:misc-activity; sid:22970; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY SKM file attachment detected"; flow:to_client,established; content:".skm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eskm/i"; flowbits:set,file.skm; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22989; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY QT file attachment detected"; flow:to_client,established; content:".qt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eqt/i"; flowbits:set,file.qt; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22991; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4B file attachment detected"; flow:to_server,established; content:".m4b"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4b/i"; flowbits:set,file.m4b; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22982; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY RealNetworks RealPlayer RMP file attachment detected"; flow:to_client,established; content:".rmp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ermp/i"; flowbits:set,file.rmp; flowbits:noalert; metadata:policy max-detect-ips alert, service imap, service pop3; classtype:misc-activity; sid:22963; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY k3g file attachment detected"; flow:to_client,established; content:".k3g"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ek3g/i"; flowbits:set,file.k3g; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22987; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4P file attachment detected"; flow:to_server,established; content:".m4p"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4p/i"; flowbits:set,file.m4p; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22976; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MHTML file attachment detected"; flow:to_server,established; content:".mht"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emht/i"; flowbits:set,file.mht; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22998; rev:8;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY AMF file attachment detected"; flow:to_client,established; content:".amf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eamf/i"; flowbits:set,file.amf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22955; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RealNetworks RealPlayer RP file attachment detected"; flow:to_server,established; content:".rp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2erp/i"; flowbits:set,file.rp; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22968; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY 3GP file attachment detected"; flow:to_client,established; content:".3gp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2e3gp/i"; flowbits:set,file.3gp; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22983; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RealNetworks RealPlayer RMP file attachment detected"; flow:to_server,established; content:".rmp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ermp/i"; flowbits:set,file.rmp; flowbits:noalert; metadata:policy max-detect-ips alert, service smtp; classtype:misc-activity; sid:22964; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY k3g file attachment detected"; flow:to_server,established; content:".k3g"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ek3g/i"; flowbits:set,file.k3g; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22988; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY QT file attachment detected"; flow:to_server,established; content:".qt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eqt/i"; flowbits:set,file.qt; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22992; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY AMF file attachment detected"; flow:to_server,established; content:".amf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eamf/i"; flowbits:set,file.amf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22956; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY remote desktop configuration file attachment detected"; flow:to_client,established; content:".rdp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2erdp/i"; flowbits:set,file.rdp; flowbits:noalert; metadata:service imap, service pop3; reference:url,attack.mitre.org/techniques/T1076; classtype:misc-activity; sid:22969; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY M4A file attachment detected"; flow:to_client,established; content:".m4a"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4a/i"; flowbits:set,file.m4a; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22973; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY 3GP file attachment detected"; flow:to_server,established; content:".3gp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2e3gp/i"; flowbits:set,file.3gp; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22984; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY M4R file attachment detected"; flow:to_client,established; content:".m4r"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4r/i"; flowbits:set,file.m4r; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22977; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY CSV file attachment detected"; flow:to_server,established; content:".csv"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecsv/i"; flowbits:set,file.csv; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23003; rev:5;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY download of RMF file - potentially malicious"; flow:established,to_client; file_data; content:"IREZ"; depth:4; content:"MThd"; distance:0; flowbits:set,file.rmf; metadata:policy max-detect-ips alert, service ftp-data, service http, service imap, service pop3; reference:bugtraq,39077; reference:cve,2010-0842; classtype:misc-activity; sid:17106; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PLP file attachment detected"; flow:to_server,established; content:".plp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eplp/i"; flowbits:set,file.plp; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23476; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY TAR file attachment detected"; flow:to_server,established; content:".tar"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2etar/i"; flowbits:set,file.tar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23321; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PLP file attachment detected"; flow:to_client,established; content:".plp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eplp/i"; flowbits:set,file.plp; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23475; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY TAR file download request"; flow:to_client,established; file_data; content:"ustar"; depth:5; offset:257; flowbits:set,file.tar; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:23322; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PLP file download request"; flow:to_server,established; content:".plp"; fast_pattern:only; http_uri; pcre:"/\x2eplp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.plp; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23474; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PLP file magic detected"; flow:to_client,established; file_data; content:"ACDFotoSlateDocument"; fast_pattern:only; flowbits:set,file.plp; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:23477; rev:4;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY TAR file attachment detected"; flow:to_client,established; content:".tar"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2etar/i"; flowbits:set,file.tar; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23320; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY TAR file download request"; flow:to_server,established; content:".tar"; nocase; http_uri; pcre:"/\x2etar([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.tar; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23319; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JOB file download request"; flow:to_server,established; content:".job"; fast_pattern:only; http_uri; pcre:"/\x2ejob([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.job; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23486; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY CUR file download request"; flow:to_server,established; content:".cur"; fast_pattern:only; http_uri; pcre:"/\x2ecur([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.cur; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23496; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JOB file attachment detected"; flow:to_server,established; content:".job"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejob/i"; flowbits:set,file.job; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23488; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY CUR file attachment detected"; flow:to_server,established; content:".cur"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecur/i"; flowbits:set,file.cur; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23498; rev:8;)
|
|
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JOB file attachment detected"; flow:to_client,established; content:".job"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejob/i"; flowbits:set,file.job; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23487; rev:7;)
|
|
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY CUR file attachment detected"; flow:to_client,established; content:".cur"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecur/i"; flowbits:set,file.cur; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23497; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY CryptFF file magic detected"; flow:to_server,established; file_data; content:"|B6 B9 AC AE FE FF FF FF|"; flowbits:set,file.cryptff; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23665; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SAP Crystal Reports file magic detected"; flow:to_server,established; flowbits:isset,file.rpt; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1 00|"; depth:9; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,21261; reference:cve,2006-6133; reference:url,en.wikipedia.org/wiki/Crystal_Report; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-052; classtype:misc-activity; sid:23699; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Money file magic detected"; flow:to_server,established; file_data; content:"|00 01 00 00 4D 53 49 53|"; flowbits:set,file.mny; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23750; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows hlp file magic detected"; flow:to_server,established; file_data; content:"|3F 5F 03 00|"; depth:4; flowbits:set,file.hlp; flowbits:noalert; metadata:policy max-detect-ips alert, service smtp; classtype:misc-activity; sid:23767; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY 7zip file magic detected"; flow:to_server,established; file_data; content:"7z|BC AF 27 1C|"; depth:6; flowbits:set,file.7zip; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23671; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Access file magic detected"; flow:to_server,established; file_data; content:"Standard Jet DB"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,en.wikipedia.org/wiki/Microsoft_access; reference:url,technet.microsoft.com/en-us/security/advisory/950627; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-028; classtype:misc-activity; sid:23715; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PLP file magic detected"; flow:to_server,established; file_data; content:"ACDFotoSlateDocument"; fast_pattern:only; flowbits:set,file.plp; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23776; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file magic detected"; flow:to_server,established; file_data; content:"|8A 06|F|88 07|G|01 DB|u|07 8B 1E 83 EE FC 11 DB|"; pcre:"/^(\x72\xED\xB8\x01.{3}|\x8A\x07\x72\xEB\xB8\x01\x00\x00\x00)\x01\xDB\x75\x07\x8B\x1E\x83\xEE\xFC\x11\xDB\x11\xC0\x01\xDB[\x73\x77].{3}\x8B\x1E\x83\xEE\xFC/R"; metadata:service smtp; reference:url,upx.sourceforge.net; reference:url,www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx; classtype:misc-activity; sid:23705; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY caff file magic detected"; flow:to_server,established; file_data; content:"caff|00 01 00 00|"; depth:8; flowbits:set,file.caff; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23693; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Visual Studio PKP file magic detected"; flow:to_server,established; file_data; content:"Microsoft Developer Studio Project File - Distribution Unit"; fast_pattern:only; flowbits:set,file.pkp; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23770; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY mx4 file magic detected"; flow:to_server,established; file_data; content:"MXC3"; depth:4; flowbits:set,file.mx4; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23689; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Access JSDB file magic detected"; flow:to_server,established; file_data; content:"Jet System DB"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,en.wikipedia.org/wiki/Microsoft_access; reference:url,technet.microsoft.com/en-us/security/advisory/950627; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-028; classtype:misc-activity; sid:23716; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ffmpeg file magic detected"; flow:to_server,established; file_data; content:"4XMV"; depth:4; flowbits:set,file.ffmpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23690; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MachO Little Endian file magic detected"; flow:to_server,established; file_data; content:"|CE FA ED FE|"; depth:4; flowbits:set,file.machole; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23672; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY GZip file magic detected"; flow:to_server,established; file_data; content:"|1F 8B 08 00|"; depth:4; flowbits:set,file.gzip; flowbits:noalert; metadata:policy max-detect-ips alert, service smtp; classtype:misc-activity; sid:23641; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Access MSISAM file magic detected"; flow:to_server,established; file_data; content:"MSISAM Database"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,en.wikipedia.org/wiki/Microsoft_access; reference:url,technet.microsoft.com/en-us/security/advisory/950627; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-028; classtype:misc-activity; sid:23718; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Visual Basic v6.0 - additional file magic detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|FF 25|"; content:"|68|"; within:1; distance:4; content:"|E8|"; within:1; distance:4; content:"|FF FF FF|"; within:3; distance:1; content:"|30|"; within:1; distance:6; metadata:service smtp; classtype:misc-activity; sid:23768; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY compressed Adobe Shockwave Flash file magic detected"; flow:to_server,established; file_data; content:"CWS"; depth:3; byte_test:1,>=,0x06,0,relative; flowbits:set,file.cws; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23679; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.51-v0.61 packed file magic detected"; flow:to_server,established; file_data; content:"`|E8 00 00 00 00|X|83 E8|=P|8D B8|"; content:"|FF|W"; within:2; distance:3; content:"|8A 06|F|88 07|G|EB EB 90 90 90 B8 01 00 00 00 01|"; within:17; distance:28; metadata:service smtp; reference:url,upx.sourceforge.net; reference:url,www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx; classtype:misc-activity; sid:23704; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY BinHex file magic detected"; flow:to_server,established; file_data; content:"(This file must be converted with BinHex 4.0)"; fast_pattern:only; flowbits:set,file.binhex; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23644; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY vmd file magic detected"; flow:to_server,established; file_data; content:"|2E 03 00 00 01|"; depth:5; flowbits:set,file.vmd; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23694; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Autodesk Maya file magic detected"; flow:to_server,established; file_data; content:"//Maya"; depth:6; flowbits:set,file.autodesk_ma; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23734; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SIP log file magic detected"; flow:to_server,established; file_data; content:"SIP-HIT (SIP/H"; depth:14; flowbits:set,file.siplog; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23669; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY New Executable binary file magic detected"; flow:to_server,established; file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"NE"; within:2; distance:-64; metadata:service smtp; reference:url,support.microsoft.com/kb/65122; classtype:misc-activity; sid:23756; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XM file magic detected"; flow:to_server,established; file_data; content:"Extended Module:"; fast_pattern:only; flowbits:set,file.xm; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23773; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Symantec file magic detected"; flow:to_server,established; file_data; content:"X-Symantec-"; depth:11; flowbits:set,file.symantec; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23660; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY webm file magic detected"; flow:to_server,established; file_data; content:"|1A 45 DF A3|"; depth:4; content:"webm"; within:4; distance:27; flowbits:set,file.webm; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23733; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Portable Executable compact binary file magic detected"; flow:to_server,established; file_data; content:"MZ"; byte_jump:4,58,little,relative; content:"PE|00 00|"; within:4; distance:-64; content:"APECO"; distance:0; flowbits:set,file.pecompact; metadata:service smtp; classtype:misc-activity; sid:23726; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Word for Mac 5 file magic detected"; flow:to_server,established; file_data; content:"|FE|7|00 23|"; depth:4; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25906; reference:cve,2007-3899; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-060; classtype:misc-activity; sid:23700; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Ogg Stream file magic detected"; flow:to_server,established; file_data; content:"OggS|00|"; depth:5; flowbits:set,file.ogg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23650; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Script encoder file magic detected"; flow:to_server,established; file_data; content:"|23 40 7E 5E|"; depth:4; flowbits:set,file.screnc; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23642; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Access TJDB file magic detected"; flow:to_server,established; file_data; content:"Temp Jet DB"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,en.wikipedia.org/wiki/Microsoft_access; reference:url,technet.microsoft.com/en-us/security/advisory/950627; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-028; classtype:misc-activity; sid:23717; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ivr file magic detected"; flow:to_server,established; file_data; content:".R1M"; depth:4; flowbits:set,file.ivr; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23692; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY cy3 Cytel Studio file magic detected"; flow:to_server,established; file_data; content:"90"; depth:2; fast_pattern; content:"|0A|"; within:2; pcre:"/90\x0D?\x0A[^\x20]*\x20[^\x0A]*\x0A/i"; flowbits:set,file.cy3; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23752; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows CAB file magic detected"; flow:to_server,established; file_data; content:"MSCF"; depth:4; flowbits:set,file.cab; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23649; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ELF file magic detected"; flow:to_server,established; file_data; content:"|7F|ELF"; depth:4; flowbits:set,file.elf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23663; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY TNEF file magic detected"; flow:to_server,established; file_data; content:"x|9F|>|22|"; depth:4; flowbits:set,file.tnef; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23662; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file magic detected"; flow:to_server,established; file_data; content:"Microsoft Developer Studio Project File - Analyzer Project"; fast_pattern:only; flowbits:set,file.vap; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23772; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SIS file magic detected"; flow:to_server,established; file_data; content:"|19 04 00 10|"; depth:4; flowbits:set,file.sis; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23668; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Metastock mwl file magic detected"; flow:to_server,established; file_data; content:"[MetaStock"; depth:10; metadata:service smtp; reference:url,www.equis.com/products/endofday/metastock/?overview; classtype:misc-activity; sid:23713; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY bzip file magic detected"; flow:to_server,established; file_data; content:"BZh"; depth:3; flowbits:set,file.bzip; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23646; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MachO x64 Little Endian file magic detected"; flow:to_server,established; file_data; content:"|CF FA ED FE|"; depth:4; flowbits:set,file.macho64le; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23673; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Visual Studio DBP file magic detected"; flow:to_server,established; file_data; content:"Microsoft Developer Studio Project File - Database Project"; fast_pattern:only; flowbits:set,file.dbp; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23769; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|"; within:4; distance:16; flowbits:set,file.oless.v4; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23708; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY amf file magic detected"; flow:to_server,established; file_data; content:"AMF"; depth:3; flowbits:set,file.amf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23730; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Ultimate Packer for Executables/UPX v2.90 v2.93-v3.00 packed file magic detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"`|BE|"; content:"|8D BE|"; within:2; distance:4; pcre:"/^\x57(\x83\xCD\xFF)?\x89\xE5\x8D\x9C\x24.{4}\x31\xC0\x50\x39\xDC\x75\xFB\x46\x46\x53\x68.{4}\x57\x83\xC3\x04\x53\x68.{4}\x56\x83\xC3\x04\x53\x50\xC7\x03.{4}\x90\x90/R"; metadata:service smtp; reference:url,upx.sourceforge.net; reference:url,www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx; classtype:misc-activity; sid:23706; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office PowerPoint file magic detected"; flow:to_server,established; file_data; content:"P|00|o|00|w|00|e|00|r|00|P|00|o|00|i|00|n|00|t|00 20 00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t"; flowbits:set,file.ppt; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23751; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ARJ file magic detected"; flow:to_server,established; file_data; content:"|60 EA 00 00|"; depth:4; flowbits:set,file.arj; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23661; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY EMF file magic detected"; flow:to_server,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; within:4; distance:36; fast_pattern; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23766; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows Address Book file magic detected"; flow:to_server,established; file_data; content:"|9C CB CB 8D 13|u|D2 11 91|X|00 C0|OyV|A4|"; fast_pattern:only; metadata:service smtp; reference:cve,2006-2386; reference:url,en.wikipedia.org/wiki/Windows_Address_Book; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-076; classtype:misc-activity; sid:23722; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Postscript file magic detected"; flow:to_server,established; file_data; content:"|25 21 50 53 2D 41 64 6F 62 65 2D|"; depth:11; flowbits:set,file.postscript; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23643; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY bcproj file magic detected"; flow:to_server,established; file_data; content:"beat"; depth:4; flowbits:set,file.bcproj; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23688; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MachO Big Endian file magic detected"; flow:to_server,established; file_data; content:"|FE ED FA CE|"; depth:4; flowbits:set,file.machobe; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23674; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY WordPerfect file magic detected"; flow:to_server,established; file_data; content:"|FF|WPC"; depth:4; fast_pattern; content:"|01 0A 02 01|"; within:4; distance:4; metadata:service smtp; reference:url,www.corelconnected.com/html/files/WPFF_%21DocumentStructure.htm; classtype:misc-activity; sid:23702; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY CDR file magic detected"; flow:to_server,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"CDR"; within:3; distance:4; flowbits:set,file.cdr; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/CorelDRAWCDR_file_format; classtype:misc-activity; sid:23731; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MachO x64 Big Endian file magic detected"; flow:to_server,established; file_data; content:"|FE ED FA CF|"; depth:4; flowbits:set,file.macho64be; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23675; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Visual Studio SLN file magic detected"; flow:to_server,established; file_data; content:"Microsoft Developer Studio Project File - Solution"; fast_pattern:only; flowbits:set,file.sln; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23771; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Winamp skin file wsz file download request"; flow:to_server,established; content:".wsz"; fast_pattern:only; http_uri; pcre:"/\x2ewsz([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.winampskin; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24045; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Winamp skin file wal file attachment detected"; flow:to_client,established; content:".wal"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewal/i"; flowbits:set,file.winampskin; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:24049; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Winamp skin file wsz file attachment detected"; flow:to_client,established; content:".wsz"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewsz/i"; flowbits:set,file.winampskin; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:24046; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Winamp skin file wsz file attachment detected"; flow:to_server,established; content:".wsz"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewsz/i"; flowbits:set,file.winampskin; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24047; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Winamp skin file wal file attachment detected"; flow:to_server,established; content:".wal"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewal/i"; flowbits:set,file.winampskin; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24050; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Winamp skin file wal file download request"; flow:to_server,established; content:".wal"; fast_pattern:only; http_uri; pcre:"/\x2ewal([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.winampskin; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24048; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .msh2 attachment file type blocked by Outlook detected"; flow:to_server,established; content:".msh2"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emsh2\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18860; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .sct attachment file type blocked by Outlook detected"; flow:to_server,established; content:".sct"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2esct\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18878; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .wsh attachment file type blocked by Outlook detected"; flow:to_server,established; content:".wsh"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ewsh\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18898; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .hta attachment file type blocked by Outlook detected"; flow:to_server,established; content:".hta"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ehta\s*\x22/i"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1170; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18831; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .ps1xml attachment file type blocked by Outlook detected"; flow:to_server,established; content:".ps1xml"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eps1xml\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18882; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .app attachment file type blocked by Outlook detected"; flow:to_server,established; content:".app"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eapp\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18813; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mad attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mad"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emad\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18840; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mat attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mat"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emat\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18847; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .ksh attachment file type blocked by Outlook detected"; flow:to_server,established; content:".ksh"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eksh\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18838; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .vsw attachment file type blocked by Outlook detected"; flow:to_server,established; content:".vsw"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2evsw\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18894; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mdz attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mdz"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emdz\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18856; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .shb attachment file type blocked by Outlook detected"; flow:to_server,established; content:".shb"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eshb\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18879; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .cpl attachment file type blocked by Outlook detected"; flow:to_server,established; content:".cpl"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ecpl\s*\x22/i"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1196; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18822; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .psc2 attachment file type blocked by Outlook detected"; flow:to_server,established; content:".psc2"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2epsc2\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18886; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .msi attachment file type blocked by Outlook detected"; flow:to_server,established; content:".msi"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emsi\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18864; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .cer attachment file type blocked by Outlook detected"; flow:to_server,established; content:".cer"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ecer\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18817; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .pst attachment file type blocked by Outlook detected"; flow:to_server,established; content:".pst"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2epst\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18874; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .msh1 attachment file type blocked by Outlook detected"; flow:to_server,established; content:".msh1"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emsh1\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18859; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .osd attachment file type blocked by Outlook detected"; flow:to_server,established; content:".osd"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eosd\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18868; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mam attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mam"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emam\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18843; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .isp attachment file type blocked by Outlook detected"; flow:to_server,established; content:".isp"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eisp\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18834; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .exe attachment file type blocked by Outlook detected"; flow:to_server,established; content:".exe"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eexe\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18826; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .inf attachment file type blocked by Outlook detected"; flow:to_server,established; content:".inf"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2einf\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18832; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .fxp attachment file type blocked by Outlook detected"; flow:to_server,established; content:".fxp"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2efxp\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18827; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .pif attachment file type blocked by Outlook detected"; flow:to_server,established; content:".pif"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2epif\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18870; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .vbs attachment file type blocked by Outlook detected"; flow:to_server,established; content:".vbs"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2evbs\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18892; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mas attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mas"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emas\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18846; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mshxml attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mshxml"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emshxml\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18861; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .ps2 attachment file type blocked by Outlook detected"; flow:to_server,established; content:".ps2"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eps2\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18883; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .cnt attachment file type blocked by Outlook detected"; flow:to_server,established; content:".cnt"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ecnt\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18820; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mdw attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mdw"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emdw\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18855; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .wsf attachment file type blocked by Outlook detected"; flow:to_server,established; content:".wsf"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ewsf\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18897; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .asp attachment file type blocked by Outlook detected"; flow:to_server,established; content:".asp"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2easp\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18814; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .lnk attachment file type blocked by Outlook detected"; flow:to_server,established; content:".lnk"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2elnk\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18839; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .msp attachment file type blocked by Outlook detected"; flow:to_server,established; content:".msp"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emsp\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18865; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .crt attachment file type blocked by Outlook detected"; flow:to_server,established; content:".crt"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ecrt\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18823; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .plg attachment file type blocked by Outlook detected"; flow:to_server,established; content:".plg"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eplg\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18871; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .tmp attachment file type blocked by Outlook detected"; flow:to_server,established; content:".tmp"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2etmp\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18887; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .vsmacros attachment file type blocked by Outlook detected"; flow:to_server,established; content:".vsmacros"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2evsmacros\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18893; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mav attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mav"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emav\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18849; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .reg attachment file type blocked by Outlook detected"; flow:to_server,established; content:".reg"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ereg\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18875; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .chm attachment file type blocked by Outlook detected"; flow:to_server,established; content:".chm"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2echm\s*\x22/i"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1223; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18818; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .its attachment file type blocked by Outlook detected"; flow:to_server,established; content:".its"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eits\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18835; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mag attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mag"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emag\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18842; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mdb attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mdb"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emdb\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18852; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .pcd attachment file type blocked by Outlook detected"; flow:to_server,established; content:".pcd"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2epcd\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18869; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .ade attachment file type blocked by Outlook detected"; flow:to_server,established; content:".ade"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eade\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18811; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .ins attachment file type blocked by Outlook detected"; flow:to_server,established; content:".ins"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eins\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18833; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .gadget attachment file type blocked by Outlook detected"; flow:to_server,established; content:".gadget"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2egadget\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18828; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mar attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mar"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emar\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18845; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mdt attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mdt"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emdt\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18854; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .msh1xml attachment file type blocked by Outlook detected"; flow:to_server,established; content:".msh1xml"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emsh1xml\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18862; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .ps2xml attachment file type blocked by Outlook detected"; flow:to_server,established; content:".ps2xml"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eps2xml\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18884; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .bas attachment file type blocked by Outlook detected"; flow:to_server,established; content:".bas"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ebas\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18815; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .prf attachment file type blocked by Outlook detected"; flow:to_server,established; content:".prf"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eprf\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18872; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .url attachment file type blocked by Outlook detected"; flow:to_server,established; content:".url"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eurl\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18888; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mau attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mau"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emau\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18848; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .vb attachment file type blocked by Outlook detected"; flow:to_server,established; content:".vb"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2evb\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18889; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mst attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mst"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emst\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18866; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .cmd attachment file type blocked by Outlook detected"; flow:to_server,established; content:".cmd"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ecmd\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18819; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .js attachment file type blocked by Outlook detected"; flow:to_server,established; content:".js"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ejs\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18836; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .scf attachment file type blocked by Outlook detected"; flow:to_server,established; content:".scf"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2escf\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18876; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .maf attachment file type blocked by Outlook detected"; flow:to_server,established; content:".maf"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emaf\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18841; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mda attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mda"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emda\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18851; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .msh attachment file type blocked by Outlook detected"; flow:to_server,established; content:".msh"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emsh\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18858; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .wsc attachment file type blocked by Outlook detected"; flow:to_server,established; content:".wsc"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ewsc\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18896; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .csh attachment file type blocked by Outlook detected"; flow:to_server,established; content:".csh"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ecsh\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18824; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .maq attachment file type blocked by Outlook detected"; flow:to_server,established; content:".maq"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emaq\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18844; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .ps1 attachment file type blocked by Outlook detected"; flow:to_server,established; content:".ps1"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eps1\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18881; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .mde attachment file type blocked by Outlook detected"; flow:to_server,established; content:".mde"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emde\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18853; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .scr attachment file type blocked by Outlook detected"; flow:to_server,established; content:".scr"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2escr\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18877; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .adp attachment file type blocked by Outlook detected"; flow:to_server,established; content:".adp"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eadp\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18812; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .hpj attachment file type blocked by Outlook detected"; flow:to_server,established; content:".hpj"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ehpj\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18830; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .hlp attachment file type blocked by Outlook detected"; flow:to_server,established; content:".hlp"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ehlp\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18829; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .vbe attachment file type blocked by Outlook detected"; flow:to_server,established; content:".vbe"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2evbe\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18890; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .com attachment file type blocked by Outlook detected"; flow:to_server,established; content:".com"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ecom\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18821; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .msh2xml attachment file type blocked by Outlook detected"; flow:to_server,established; content:".msh2xml"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emsh2xml\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18863; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .bat attachment file type blocked by Outlook detected"; flow:to_server,established; content:".bat"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ebat\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18816; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .jse attachment file type blocked by Outlook detected"; flow:to_server,established; content:".jse"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ejse\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18837; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .msc attachment file type blocked by Outlook detected"; flow:to_server,established; content:".msc"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emsc\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18857; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .vbp attachment file type blocked by Outlook detected"; flow:to_server,established; content:".vbp"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2evbp\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18891; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .ops attachment file type blocked by Outlook detected"; flow:to_server,established; content:".ops"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eops\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18867; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .shs attachment file type blocked by Outlook detected"; flow:to_server,established; content:".shs"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eshs\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18880; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .ws attachment file type blocked by Outlook detected"; flow:to_server,established; content:".ws"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2ews\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18895; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .der attachment file type blocked by Outlook detected"; flow:to_server,established; content:".der"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eder\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18825; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .maw attachment file type blocked by Outlook detected"; flow:to_server,established; content:".maw"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2emaw\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18850; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .xnk attachment file type blocked by Outlook detected"; flow:to_server,established; content:".xnk"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2exnk\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18899; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .prg attachment file type blocked by Outlook detected"; flow:to_server,established; content:".prg"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2eprg\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18873; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .psc1 attachment file type blocked by Outlook detected"; flow:to_server,established; content:".psc1"; fast_pattern:only; pcre:"/filename\s*=\s*\x22[^\x22]*\x2epsc1\s*\x22/i"; metadata:service smtp; reference:url,office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx; classtype:policy-violation; sid:18885; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY GZip file attachment detected"; flow:to_client,established; content:".gz"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2egz/i"; flowbits:set,file.gzip; flowbits:noalert; metadata:policy max-detect-ips alert, service imap, service pop3; classtype:misc-activity; sid:24072; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY GZip file attachment detected"; flow:to_server,established; content:".gz"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2egz/i"; flowbits:set,file.gzip; flowbits:noalert; metadata:policy max-detect-ips alert, service smtp; classtype:misc-activity; sid:24073; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY GZip file download request"; flow:to_server,established; content:".gz"; fast_pattern:only; http_uri; pcre:"/\x2egz([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.gzip; flowbits:noalert; metadata:policy max-detect-ips alert, service http; classtype:misc-activity; sid:24071; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PLF file attachment detected"; flow:to_server,established; content:".plf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eplf/i"; flowbits:set,file.plf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24101; rev:8;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PLF file attachment detected"; flow:to_client,established; content:".plf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eplf/i"; flowbits:set,file.plf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:24100; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY .rtx file download request"; flow:to_server,established; content:".rtx"; fast_pattern:only; http_uri; pcre:"/\x2ertx([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rtx; flowbits:noalert; metadata:policy max-detect-ips alert, service http; classtype:misc-activity; sid:24156; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .rtx file attachment detected"; flow:to_server,established; content:".rtx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ertx/i"; flowbits:set,file.rtx; flowbits:noalert; metadata:policy max-detect-ips alert, service smtp; classtype:misc-activity; sid:24158; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY .rtx file attachment detected"; flow:to_client,established; content:".rtx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ertx/i"; flowbits:set,file.rtx; flowbits:noalert; metadata:policy max-detect-ips alert, service imap, service pop3; classtype:misc-activity; sid:24157; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XCF file magic detection"; flow:to_server,established; content:"gimp xcf "; depth:9; flowbits:set,file.xcf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24471; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PSD file download request"; flow:to_server,established; content:".psd"; fast_pattern:only; http_uri; pcre:"/\x2epsd([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.psd; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24459; rev:4;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PSD file magic detection"; flow:to_client,established; content:"8BPS|00 01|"; depth:6; flowbits:set,file.psd; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24462; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XCF file download request"; flow:to_server,established; content:".xcf"; fast_pattern:only; http_uri; pcre:"/\x2excf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xcf; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24467; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PSD file attachment detected"; flow:to_server,established; content:".psd"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epsd/i"; flowbits:set,file.psd; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24461; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PSD file magic detection"; flow:to_server,established; content:"8BPS|00 01|"; depth:6; flowbits:set,file.psd; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24466; rev:4;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PSD file attachment detected"; flow:to_client,established; content:".psd"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epsd/i"; flowbits:set,file.psd; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:24460; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XCF file attachment detected"; flow:to_server,established; content:".xcf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2excf/i"; flowbits:set,file.xcf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24469; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Webm file attachment detected"; flow:to_server,established; content:".webm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewebm/i"; flowbits:set,file.webm; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24454; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XCF file magic detection"; flow:to_client,established; content:"gimp xcf "; depth:9; flowbits:set,file.xcf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24470; rev:4;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XCF file attachment detected"; flow:to_client,established; content:".xcf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2excf/i"; flowbits:set,file.xcf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:24468; rev:4;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Webm file attachment detected"; flow:to_client,established; content:".webm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewebm/i"; flowbits:set,file.webm; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:24453; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY rmf file download request"; flow:established,to_client; file_data; content:"IREZ"; depth:4; flowbits:set,file.rmf; flowbits:noalert; metadata:policy max-detect-ips alert, service ftp-data, service http, service imap, service pop3; reference:bugtraq,39077; reference:cve,2010-0842; classtype:attempted-user; sid:24509; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft proxy autoconfig script file download request"; flow:to_server,established; content:".pac"; fast_pattern:only; http_uri; pcre:"/\x2epac([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pac; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24651; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft proxy autoconfig script file magic detected"; flow:to_client,established; file_data; content:"FindProxyForURL|28|"; fast_pattern:only; flowbits:set,file.pac; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25014; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Apple Quicktime Targa Image file download request"; flow:to_server,established; content:".tga"; fast_pattern:only; http_uri; pcre:"/\x2etga([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.tga; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25373; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Apple Quicktime Targa Image file attachment detected"; flow:to_server,established; content:".tga"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2etga/i"; flowbits:set,file.tga; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25375; rev:4;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Apple Quicktime Targa Image file attachment detected"; flow:to_client,established; content:".tga"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2etga/i"; flowbits:set,file.tga; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:25374; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY cSounds.com Csound audio file file attachment detected"; flow:to_server,established; content:".csd"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecsd/i"; flowbits:set,file.csd; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25606; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY cSounds.com Csound audio file file attachment detected"; flow:to_client,established; content:".csd"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecsd/i"; flowbits:set,file.csd; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:25605; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY cSounds.com Csound audio file file download request"; flow:to_server,established; content:".csd"; fast_pattern:only; http_uri; pcre:"/\x2ecsd([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.csd; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25604; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; content:".ogx"; fast_pattern:only; http_uri; pcre:"/\x2eogx([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25937; rev:2;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".ogv"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eogv/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:25932; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; content:".spx"; fast_pattern:only; http_uri; pcre:"/\x2espx([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25940; rev:2;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".ogg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eogg/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:25929; rev:2;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".ogx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eogx/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:25938; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".opus"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eopus/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25945; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; content:".ogg"; fast_pattern:only; http_uri; pcre:"/\x2eogg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25928; rev:2;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".spx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2espx/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:25941; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".ogv"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eogv/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25933; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".ogg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eogg/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25930; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".ogx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eogx/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25939; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; content:".oga"; fast_pattern:only; http_uri; pcre:"/\x2eoga([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25934; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".spx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2espx/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25942; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; content:".ogv"; fast_pattern:only; http_uri; pcre:"/\x2eogv([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25931; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_server,established; content:".oga"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eoga/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25936; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; content:".opus"; fast_pattern:only; http_uri; pcre:"/\x2eopus([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25943; rev:2;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".oga"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eoga/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:25935; rev:2;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".opus"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eopus/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:25944; rev:2;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Word docm file attachment detected"; flow:to_client,established; content:".docm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edocm/i"; flowbits:set,file.docm; flowbits:noalert; metadata:policy max-detect-ips alert, service imap, service pop3; classtype:misc-activity; sid:26064; rev:8;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office PowerPoint file download request"; flow:to_server,established; content:".ppsx"; fast_pattern:only; http_uri; pcre:"/\x2eppsx([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ppsx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26060; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office PowerPoint file magic detected"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"[Content_Types].xml"; fast_pattern:only; content:"ppt/presentation.xml"; offset:49; nocase; flowbits:set,file.ppsx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:26059; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Word docm file download request"; flow:to_server,established; content:".docm"; fast_pattern:only; http_uri; pcre:"/\x2edocm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.docm; flowbits:noalert; metadata:policy max-detect-ips alert, service http; reference:url,en.wikipedia.org/wiki/Microsoft_word; classtype:misc-activity; sid:26063; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Word docm file attachment detected"; flow:to_server,established; content:".docm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edocm/i"; flowbits:set,file.docm; flowbits:noalert; metadata:policy max-detect-ips alert, service smtp; classtype:misc-activity; sid:26065; rev:8;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office PowerPoint file attachment detected"; flow:to_client,established; content:".ppsx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eppsx/i"; flowbits:set,file.ppsx; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:26061; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office PowerPoint file attachment detected"; flow:to_server,established; content:".ppsx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eppsx/i"; flowbits:set,file.ppsx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:26062; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Excel file download request"; flow:to_server,established; content:".xlsx"; fast_pattern:only; http_uri; pcre:"/\x2exlsx([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xlsx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26083; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel file attachment detected"; flow:to_client,established; content:".xlsx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exlsx/i"; flowbits:set,file.xlsx; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:26084; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Excel file attachment detected"; flow:to_server,established; content:".xlsx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exlsx/i"; flowbits:set,file.xlsx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:26085; rev:9;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Internet Explorer HTML Component file attachment detected"; flow:to_client,established; content:".htc"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ehtc/i"; flowbits:set,file.htc; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:26127; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Internet Explorer HTML Component file attachment detected"; flow:to_server,established; content:".htc"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ehtc/i"; flowbits:set,file.htc; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:26128; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Internet Explorer HTML Component file download request"; flow:to_server,established; content:".htc"; fast_pattern:only; http_uri; pcre:"/\x2ehtc([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.htc; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26126; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY CyberLink Power2Go file download request"; flow:to_server,established; content:".p2g"; fast_pattern:only; http_uri; pcre:"/\x2ep2g([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.p2g; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26206; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY CyberLink Power2Go file attachment detected"; flow:to_server,established; content:".p2g"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ep2g/i"; flowbits:set,file.p2g; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:26208; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY CyberLink Power2Go file attachment detected"; flow:to_client,established; content:".p2g"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ep2g/i"; flowbits:set,file.p2g; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:26207; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Metalink File file attachment detected"; flow:to_server,established; content:".metalink"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emetalink/i"; flowbits:set,file.metalink; flowbits:noalert; metadata:policy max-detect-ips alert, service smtp; classtype:misc-activity; sid:26423; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Metalink File file download request"; flow:to_server,established; content:".metalink"; fast_pattern:only; http_uri; pcre:"/\x2emetalink([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.metalink; flowbits:noalert; metadata:policy max-detect-ips alert, service http; classtype:misc-activity; sid:26424; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Metalink File file attachment detected"; flow:to_client,established; content:".metalink"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emetalink/i"; flowbits:set,file.metalink; flowbits:noalert; metadata:policy max-detect-ips alert, service imap, service pop3; classtype:misc-activity; sid:26422; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY maplet bin file download attempt"; flow:to_server,established; content:"|2E|bin"; fast_pattern:only; http_uri; pcre:"/\x2Ebin([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.maplet.bin; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26517; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY maplet file attachment detected"; flow:to_client,established; content:".maplet"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emaplet/i"; flowbits:set,file.maplet; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:26515; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY maplet file attachment detected"; flow:to_server,established; content:".maplet"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emaplet/i"; flowbits:set,file.maplet; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:26516; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY maplet file download attempt"; flow:to_server,established; content:"|2E|maplet"; fast_pattern:only; http_uri; pcre:"/\x2Emaplet([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.maplet; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26514; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Android APK download file attachment detected"; flow:to_server,established; content:".apk"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eapk/i"; flowbits:set,file.apk; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:26904; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Android APK download file attachment detected"; flow:to_client,established; content:".apk"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eapk/i"; flowbits:set,file.apk; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:26903; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Android APK download request"; flow:to_server,established; content:".apk"; fast_pattern:only; http_uri; pcre:"/\x2eapk([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.apk; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26902; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Trimble SketchUp file download request"; flow:to_server,established; content:".skp"; fast_pattern:only; http_uri; pcre:"/\x2eskp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.skp; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:27277; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Trimble SketchUp file attachment detected"; flow:to_server,established; content:".skp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eskp/i"; flowbits:set,file.skp; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:27276; rev:6;)
|
|
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Trimble SketchUp file attachment detected"; flow:to_client,established; content:".skp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eskp/i"; flowbits:set,file.skp; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:27275; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Python bytecode file magic detected"; flow:to_server,established; file_data; content:"|03 F3 0D 0A|"; depth:4; flowbits:set,file.pyc; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:27543; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Python bytecode file magic detected"; flow:to_client,established; file_data; content:"|03 F3 0D 0A|"; depth:4; flowbits:set,file.pyc; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:27542; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY HTML Help Index download file attachment detected"; flow:to_server,established; content:".hhk"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ehhk/i"; flowbits:set,file.hhk; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:28384; rev:2;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY HTML Help Index download file attachment detected"; flow:to_client,established; content:".hhk"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ehhk/i"; flowbits:set,file.hhk; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:28383; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY HTML Help Index file download request"; flow:to_server,established; content:".hhk"; fast_pattern:only; http_uri; pcre:"/\x2ehhk([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.hhk; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:28382; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY CIS file attachment detected"; flow:to_server,established; content:".cis"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecis/i"; flowbits:set,file.cis; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:28370; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY CIS file attachment detected"; flow:to_client,established; content:".cis"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecis/i"; flowbits:set,file.cis; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:28369; rev:5;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY CIS file magic detected"; flow:to_client,established; file_data; content:"|43 49 53 00 00 00 00 00|"; fast_pattern:only; flowbits:set,file.cis; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:28368; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY CIS file magic detected"; flow:to_server,established; file_data; content:"|43 49 53 00 00 00 00 00|"; fast_pattern:only; flowbits:set,file.cis; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:28367; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Microsoft Write file download file attachment detected"; flow:to_server,established; content:".wri"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewri/i"; flowbits:set,file.wri; flowbits:noalert; metadata:policy max-detect-ips alert, service smtp; classtype:misc-activity; sid:28508; rev:3;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Write file download file attachment detected"; flow:to_client,established; content:".wri"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewri/i"; flowbits:set,file.wri; flowbits:noalert; metadata:policy max-detect-ips alert, service imap, service pop3; classtype:misc-activity; sid:28507; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY WordPerfect file magic detected"; flow:to_client,established; file_data; content:"|FF|WPC"; depth:4; flowbits:set,file.corel; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.magicdb.org/magic.db; classtype:misc-activity; sid:28497; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY FDF file download request"; flow:to_server,established; content:".fdf"; fast_pattern:only; http_uri; pcre:"/\x2efdf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.fdf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Forms_Data_Format; classtype:misc-activity; sid:28574; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY FDF file magic detected"; flow:to_server,established; file_data; content:"%FDF-"; nocase; flowbits:set,file.fdf; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Forms_Data_Format; classtype:misc-activity; sid:28573; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY FDF file attachment detected"; flow:to_server,established; content:".fdf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2efdf/i"; flowbits:set,file.fdf; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Forms_Data_Format; classtype:misc-activity; sid:28572; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY FDF file attachment detected"; flow:to_client,established; content:".fdf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2efdf/i"; flowbits:set,file.fdf; flowbits:noalert; metadata:service imap, service pop3; reference:url,en.wikipedia.org/wiki/Forms_Data_Format; classtype:misc-activity; sid:28571; rev:5;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY FDF file magic detected"; flow:to_client,established; file_data; content:"%FDF-"; nocase; flowbits:set,file.fdf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Forms_Data_Format; classtype:misc-activity; sid:28570; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XWD image file download request"; flow:to_server,established; content:".xwd"; fast_pattern:only; http_uri; pcre:"/\x2exwd([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xwd; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:29008; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY XWD image file attachment detected"; flow:to_server,established; content:".xwd"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exwd/i"; flowbits:set,file.xwd; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:29007; rev:3;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XWD image file attachment detected"; flow:to_client,established; content:".xwd"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exwd/i"; flowbits:set,file.xwd; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:29006; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY CIS file download request"; flow:to_server,established; content:".cis"; fast_pattern:only; http_uri; pcre:"/\x2ecis([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.cis; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:29162; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY ABC Music Notation file download request"; flow:to_server,established; content:".abc"; fast_pattern:only; http_uri; pcre:"/\x2eabc([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.abc; flowbits:noalert; metadata:service http; reference:url,abcnotation.com/wiki/abc:standard:v2.1.1; classtype:misc-activity; sid:30760; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY ABC Music Notation file attachment detected"; flow:to_server,established; content:".abc"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eabc/i"; flowbits:set,file.abc; flowbits:noalert; metadata:service smtp; reference:url,abcnotation.com/wiki/abc:standard:v2.1.1; classtype:misc-activity; sid:30759; rev:3;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY ABC Music Notation file attachment detected"; flow:to_client,established; content:".abc"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eabc/i"; flowbits:set,file.abc; flowbits:noalert; metadata:service imap, service pop3; reference:url,abcnotation.com/wiki/abc:standard:v2.1.1; classtype:misc-activity; sid:30758; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ABC Music Notation file attachment detected"; flow:to_server,established; file_data; content:"%abc"; depth:4; flowbits:set,file.abc; flowbits:noalert; metadata:service smtp; reference:url,abcnotation.com/wiki/abc:standard:v2.1.1; classtype:misc-activity; sid:30757; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY ABC Music Notation file attachment detected"; flow:to_client,established; file_data; content:"%abc"; depth:4; flowbits:set,file.abc; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,abcnotation.com/wiki/abc:standard:v2.1.1; classtype:misc-activity; sid:30756; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Basic Control Engine file download request"; flow:to_server,established; content:".bcl"; fast_pattern:only; http_uri; pcre:"/\x2ebcl([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.bcl; flowbits:noalert; metadata:service http; reference:url,www.ge-ip.com/products/proficy-hmi-scada-cimplicity/p2819; classtype:misc-activity; sid:32253; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Basic Control Engine file attachment detected"; flow:to_server,established; content:".bcl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ebcl/i"; flowbits:set,file.bcl; flowbits:noalert; metadata:service smtp; reference:url,www.ge-ip.com/products/proficy-hmi-scada-cimplicity/p2819; classtype:misc-activity; sid:32252; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Basic Control Engine file attachment detected"; flow:to_client,established; content:".bcl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ebcl/i"; flowbits:set,file.bcl; flowbits:noalert; metadata:service imap, service pop3; reference:url,www.ge-ip.com/products/proficy-hmi-scada-cimplicity/p2819; classtype:misc-activity; sid:32251; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Registry file download request"; flow:to_server,established; content:".reg"; fast_pattern:only; http_uri; pcre:"/\x2ereg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.reg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Windows_Registry#.REG_files; classtype:misc-activity; sid:32618; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Microsoft Windows Registry file attachment detected"; flow:to_server,established; content:".reg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ereg/i"; flowbits:set,file.reg; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Windows_Registry#.REG_files; classtype:misc-activity; sid:32617; rev:2;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Registry file attachment detected"; flow:to_client,established; content:".reg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ereg/i"; flowbits:set,file.reg; flowbits:noalert; metadata:service imap, service pop3; reference:url,en.wikipedia.org/wiki/Windows_Registry#.REG_files; classtype:misc-activity; sid:32616; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY .scr executable screensaver file download request"; flow:to_server,established; content:".scr"; fast_pattern:only; http_uri; pcre:"/\x2escr([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.screensaver; flowbits:noalert; metadata:service http; reference:url,attack.mitre.org/techniques/T1180; classtype:misc-activity; sid:32947; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY .scr executable screensaver file attachment detected"; flow:to_server,established; content:".scr"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2escr/i"; flowbits:set,file.screensaver; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1180; classtype:misc-activity; sid:32946; rev:3;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY .scr executable screensaver file attachment detected"; flow:to_client,established; content:".scr"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2escr/i"; flowbits:set,file.screensaver; flowbits:noalert; metadata:service imap, service pop3; reference:url,attack.mitre.org/techniques/T1180; classtype:misc-activity; sid:32945; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Apple Motion file attachment detected"; flow:to_server,established; content:".motn"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emotn/i"; flowbits:set,file.motn; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:33642; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Apple Motion file attachment detected"; flow:to_client,established; content:".motn"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2emotn[\x22\x27\s]/si"; flowbits:set,file.motn; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:33641; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Apple Motion file download request"; flow:to_server,established; content:".motn"; fast_pattern:only; http_uri; pcre:"/\x2emotn([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.motn; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:33640; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY PIF Program Information File file attachment detected"; flow:to_server,established; content:".pif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2epif[\x22\x27\s]/si"; flowbits:set,file.pif; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:33668; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PIF Program Information File file attachment detected"; flow:to_client,established; content:".pif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2epif[\x22\x27\s]/si"; flowbits:set,file.pif; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:33667; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PIF Program Information File file download request"; flow:to_server,established; content:".pif"; nocase; http_uri; pcre:"/\x2epif([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pif; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:33666; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Journal file download attempt"; flow:to_client,established; file_data; content:"NB|2A 00|"; depth:4; nocase; flowbits:set,file.jnt; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:34398; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Journal file download request"; flow:to_server,established; content:".jnt"; fast_pattern:only; http_uri; pcre:"/\x2ejnt([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jnt; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:34397; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Microsoft Journal file attachment detected"; flow:to_server,established; content:".jnt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2ejnt[\x22\x27\s]/si"; flowbits:set,file.jnt; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:34396; rev:2;)
|
|
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Journal file attachment detected"; flow:to_client,established; content:".jnt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2ejnt[\x22\x27\s]/si"; flowbits:set,file.jnt; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:34395; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Publish-iT PUI file download request"; flow:to_server,established; content:".pui"; fast_pattern:only; http_uri; pcre:"/\x2epui([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pui; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:33028; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Publish-iT PUI file attachment detected"; flow:to_server,established; content:".pui"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epui/i"; flowbits:set,file.pui; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:33027; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Publish-iT PUI file attachment detected"; flow:to_client,established; content:".pui"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epui/i"; flowbits:set,file.pui; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:33026; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY dib file attachment detected"; flow:to_server,established; content:".dib"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edib/i"; flowbits:set,file.bmp; flowbits:noalert; metadata:ruleset community, service smtp; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:32380; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY bmp file attachment detected"; flow:to_server,established; content:".bmp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ebmp/i"; flowbits:set,file.bmp; flowbits:noalert; metadata:ruleset community, service smtp; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:32378; rev:9;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY SVG file magic detected"; flow:to_client,established; file_data; content:"<svg "; depth:5; flowbits:set,file.svg; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/.svg; classtype:misc-activity; sid:32165; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY XBM file attachment detected"; flow:to_server,established; content:".xbm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exbm/i"; flowbits:set,file.xbm; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/XBM; classtype:misc-activity; sid:32135; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XBM file attachment detected"; flow:to_client,established; content:".xbm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exbm/i"; flowbits:set,file.xbm; flowbits:noalert; metadata:service imap, service pop3; reference:url,en.wikipedia.org/wiki/XBM; classtype:misc-activity; sid:32134; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detection"; flow:to_server,established; file_data; content:"|FF D8 FF|"; depth:3; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:31871; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY BitTorrent torrent file attachment detected"; flow:to_server,established; file_data; content:"6:infod"; fast_pattern:only; flowbits:set,file.torrent; flowbits:noalert; metadata:service smtp; reference:url,wiki.theory.org/BitTorrentSpecification; classtype:misc-activity; sid:31776; rev:5;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY BitTorrent torrent file attachment detected"; flow:to_client,established; file_data; content:"6:infod"; fast_pattern:only; flowbits:set,file.torrent; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,wiki.theory.org/BitTorrentSpecification; classtype:misc-activity; sid:31775; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY BitTorrent torrent file attachment detected"; flow:to_server,established; file_data; content:"d8:announce"; fast_pattern:only; flowbits:set,file.torrent; flowbits:noalert; metadata:service smtp; reference:url,wiki.theory.org/BitTorrentSpecification; classtype:misc-activity; sid:31774; rev:5;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY BitTorrent torrent file attachment detected"; flow:to_client,established; file_data; content:"d8:announce"; fast_pattern:only; flowbits:set,file.torrent; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,wiki.theory.org/BitTorrentSpecification; classtype:misc-activity; sid:31773; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Microsoft Silverlight application file magic detected"; flow:to_server,established; file_data; content:"PK"; content:"AppManifest.xaml"; distance:0; content:".dll"; distance:0; flowbits:set,file.silverlight; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:31703; rev:7;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Silverlight application file magic detected"; flow:to_client,established; file_data; content:"PK"; content:"AppManifest.xaml"; distance:0; content:".dll"; distance:0; flowbits:set,file.silverlight; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:31702; rev:7;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY OS/2 Metafile file download request"; flow:to_server,established; content:".met"; fast_pattern:only; http_uri; pcre:"/\x2emet([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.met; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Comparison_of_graphics_file_formats; classtype:misc-activity; sid:30018; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY OS/2 Metafile file magic detected"; flow:to_server,established; file_data; content:"|D3 A8 A8|"; depth:3; offset:2; flowbits:set,file.met; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Comparison_of_graphics_file_formats; classtype:misc-activity; sid:30017; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY OS/2 Metafile file attachment detected"; flow:to_server,established; content:".met"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emet/i"; flowbits:set,file.met; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Comparison_of_graphics_file_formats; classtype:misc-activity; sid:30016; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY OS/2 Metafile file attachment detected"; flow:to_client,established; content:".met"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emet/i"; flowbits:set,file.met; flowbits:noalert; metadata:service imap, service pop3; reference:url,en.wikipedia.org/wiki/Comparison_of_graphics_file_formats; classtype:misc-activity; sid:30015; rev:7;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY OS/2 Metafile file magic detected"; flow:to_client,established; file_data; content:"|D3 A8 A8|"; depth:3; offset:2; flowbits:set,file.met; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Comparison_of_graphics_file_formats; classtype:misc-activity; sid:30014; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XPS file download request"; flow:to_server,established; content:".xps"; fast_pattern:only; http_uri; pcre:"/\x2exps([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xps; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:29614; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY XPS file attachment detected"; flow:to_server,established; content:".xps"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exps/i"; flowbits:set,file.xps; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:29613; rev:9;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XPS file attachment detected"; flow:to_client,established; content:".xps"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exps/i"; flowbits:set,file.xps; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:29612; rev:9;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MSI file download request"; flow:to_server,established; content:".msi"; fast_pattern:only; http_uri; pcre:"/\x2emsi([\?\x5c\x2f]|$)/miU"; flowbits:set,file.msi; flowbits:noalert; metadata:policy max-detect-ips alert, service http; classtype:misc-activity; sid:29439; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Internet Shortcut file download request"; flow:to_server,established; content:".url"; fast_pattern:only; http_uri; pcre:"/\x2eurl([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.url; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:29407; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Microsoft Internet Shortcut file attachment detected"; flow:to_server,established; content:".url"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eurl/i"; flowbits:set,file.url; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:29406; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Internet Shortcut file attachment detected"; flow:to_client,established; content:".url"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eurl/i"; flowbits:set,file.url; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:29405; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Adobe AIR file attachment detected"; flow:to_server,established; content:".air"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eair/i"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:29386; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe AIR file attachment detected"; flow:to_client,established; content:".air"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eair/i"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:29385; rev:12;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe AIR file download request"; flow:to_server,established; content:".air"; fast_pattern:only; http_uri; pcre:"/\x2eair([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:29384; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XFDL file download request"; flow:to_server,established; content:".xfdl"; fast_pattern:only; http_uri; pcre:"/\x2exfdl([\?\x5c\x2f]|$)/miU"; flowbits:set,file.xfdl; flowbits:noalert; metadata:service http; reference:url,wikipedia.org/wiki/Extensible_Forms_Description_Language; classtype:misc-activity; sid:29276; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY XFDL file attachment detected"; flow:to_server,established; content:".xfdl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exfdl/i"; flowbits:set,file.xfdl; flowbits:noalert; metadata:service smtp; reference:url,wikipedia.org/wiki/Extensible_Forms_Description_Language; classtype:misc-activity; sid:29275; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XFDL file attachment detected"; flow:to_client,established; content:".xfdl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exfdl/i"; flowbits:set,file.xfdl; flowbits:noalert; metadata:service imap, service pop3; reference:url,wikipedia.org/wiki/Extensible_Forms_Description_Language; classtype:misc-activity; sid:29274; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY eSignal .ets file download request"; flow:to_server,established; content:".ets"; fast_pattern:only; http_uri; pcre:"/\x2eets([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.esignal; flowbits:noalert; metadata:service http; reference:url,www.file-extensions.org/ets-file-extension; classtype:misc-activity; sid:28901; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY eSignal .sum file attachment detected"; flow:to_server,established; content:".sum"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esum/i"; flowbits:set,file.esignal; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:28900; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY eSignal .por file attachment detected"; flow:to_server,established; content:".por"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epor/i"; flowbits:set,file.esignal; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:28899; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY eSignal .ets file attachment detected"; flow:to_server,established; content:".ets"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eets/i"; flowbits:set,file.esignal; flowbits:noalert; metadata:service smtp; reference:url,www.file-extensions.org/ets-file-extension; classtype:misc-activity; sid:28898; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY eSignal .sum file attachment detected"; flow:to_client,established; content:".sum"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esum/i"; flowbits:set,file.esignal; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:28897; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY eSignal .quo file attachment detected"; flow:to_client,established; content:".quo"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2equo/i"; flowbits:set,file.esignal; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:28896; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY eSignal .por file attachment detected"; flow:to_client,established; content:".por"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epor/i"; flowbits:set,file.esignal; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:28895; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY eSignal .ets file attachment detected"; flow:to_client,established; content:".ets"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eets/i"; flowbits:set,file.esignal; flowbits:noalert; metadata:service imap, service pop3; reference:url,www.file-extensions.org/ets-file-extension; classtype:misc-activity; sid:28894; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY KingView KingMessage log file attachment detected"; flow:to_server,established; content:".kvl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ekvl/i"; flowbits:set,file.kvl; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:26494; rev:9;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY KingView KingMessage log file attachment detected"; flow:to_client,established; content:".kvl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ekvl/i"; flowbits:set,file.kvl; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:26493; rev:8;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY KingView KingMessage log file download request"; flow:to_server,established; content:".kvl"; fast_pattern:only; http_uri; pcre:"/\x2ekvl([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.kvl; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26492; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XUL file attachment detected"; flow:to_server,established; content:".xul"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exul/i"; flowbits:set,file.xul; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:26466; rev:9;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XUL file attachment detected"; flow:to_client,established; content:".xul"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exul/i"; flowbits:set,file.xul; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:26465; rev:8;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Stream redirector file download request"; flow:to_server,established; content:".asx"; fast_pattern:only; pcre:"/\x2easx([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; reference:url,msdn.microsoft.com/en-us/library/dd562372%28v=vs.85%29.aspx; classtype:misc-activity; sid:26458; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Stream redirector file attachment detected"; flow:to_server,established; content:".asx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2easx/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; reference:url,msdn.microsoft.com/en-us/library/dd562372%28v=vs.85%29.aspx; classtype:misc-activity; sid:26457; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Stream redirector file attachment detected"; flow:to_client,established; content:".asx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2easx/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap, service pop3; reference:url,msdn.microsoft.com/en-us/library/dd562372%28v=vs.85%29.aspx; classtype:misc-activity; sid:26456; rev:6;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|00 10|JFIF"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:26251; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_server,established; file_data; content:"PK|03 04 14 00 06 00|"; depth:8; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:26058; rev:9;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY ZIP file download detected"; flow:to_client,established; file_data; content:"PK|03 04 14 00 06 00|"; depth:8; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:26057; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Flash Player embedded compact font detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"CFF"; content:"DEF"; within:3; distance:14; content:"GSUB"; within:4; distance:12; flowbits:set,file.swf.cff; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service smtp; reference:url,en.wikipedia.org/wiki/PostScript_fonts#Compact_Font_Format; classtype:misc-activity; sid:25682; rev:8;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Flash Player embedded compact font detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"CFF"; content:"DEF"; within:3; distance:14; content:"GSUB"; within:4; distance:12; flowbits:set,file.swf.cff; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/PostScript_fonts#Compact_Font_Format; classtype:misc-activity; sid:25680; rev:8;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Armadillo v1.71 packer file magic detected"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isset,file.exe; file_data; isdataat:17; content:"|55 8B EC 6A FF 68|"; content:"|68|"; within:1; distance:4; content:"|64 A1|"; within:2; distance:4; flowbits:set,file.packed; flowbits:noalert; metadata:policy max-detect-ips alert, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:25517; rev:9;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected"; flow:to_client,established; flowbits:isset,file.ole; flowbits:isset,file.exe; file_data; content:"This program cannot be run in DOS"; fast_pattern:only; flowbits:set,file.msi; flowbits:noalert; metadata:policy max-detect-ips alert, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:25516; rev:10;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_client,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:25515; rev:11;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; content:"application/x-msdos-program"; fast_pattern:only; http_header; pcre:"/^Content-Type\x3a[\x20\x09]+application\/x-msdos-program/smiH"; file_data; content:"MZ"; within:2; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:25514; rev:12;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; content:"application/octet-stream"; fast_pattern:only; http_header; pcre:"/^Content-Type\x3a[\x20\x09]+application\/octet-stream/smiH"; file_data; content:"MZ"; within:2; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:25513; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Audition Session file attachment detected"; flow:to_server,established; content:".ses"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eses/i"; flowbits:set,file.ses; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25308; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Audition Session file attachment detected"; flow:to_client,established; content:".ses"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eses/i"; flowbits:set,file.ses; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:25307; rev:8;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe Audition Session file download request"; flow:to_server,established; content:".ses"; fast_pattern:only; http_uri; pcre:"/\x2eses([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ses; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25306; rev:8;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Audition Session file magic detected"; flow:to_client,established; file_data; content:"|43 4F 4F 4C 4E 45 53 53|"; depth:8; flowbits:set,file.ses; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:25305; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected"; flow:to_server,established; flowbits:isset,file.ole; flowbits:isset,file.exe; file_data; content:"This program cannot be run in DOS"; fast_pattern:only; flowbits:set,file.msi; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:25062; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Silverlight application file attachment detected"; flow:to_server,established; content:".xap"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exap/i"; flowbits:set,file.silverlight; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:25034; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Silverlight application file attachment detected"; flow:to_client,established; content:".xap"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exap/i"; flowbits:set,file.silverlight; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:25033; rev:10;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Silverlight application file download request"; flow:to_server,established; content:".xap"; fast_pattern:only; http_uri; pcre:"/\x2exap([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.silverlight; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25032; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JNLP file attachment detected"; flow:to_server,established; content:".jnlp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejnlp/i"; flowbits:set,file.jnlp; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24903; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JNLP file attachment detected"; flow:to_client,established; content:".jnlp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejnlp/i"; flowbits:set,file.jnlp; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:24902; rev:9;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JNLP file download request"; flow:to_server,established; content:".jnlp"; fast_pattern:only; http_uri; pcre:"/\x2ejnlp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jnlp; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24901; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RealPlayer skin file attachment detected"; flow:to_server,established; content:".rjs"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2erjs/i"; flowbits:set,file.rjs; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24826; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY RealPlayer skin file attachment detected"; flow:to_client,established; content:".rjs"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2erjs/i"; flowbits:set,file.rjs; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:24825; rev:9;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealPlayer skin file download request"; flow:to_server,established; content:".rjs"; fast_pattern:only; http_uri; pcre:"/\x2erjs([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rjs; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24824; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Computer Graphics Metafile file attachment detected"; flow:to_server,established; content:".cgm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecgm/i"; flowbits:set,file.cgm; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24822; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Computer Graphics Metafile file attachment detected"; flow:to_client,established; content:".cgm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecgm/i"; flowbits:set,file.cgm; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:24821; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Computer Graphics Metafile file download request"; flow:to_server,established; content:".cgm"; fast_pattern:only; http_uri; pcre:"/\x2ecgm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.cgm; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24820; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_server,established; file_data; content:"ftypM4V"; depth:7; offset:4; nocase; flowbits:set,file.m4v; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24819; rev:9;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established; file_data; content:"ftypM4V"; depth:7; offset:4; nocase; flowbits:set,file.m4v; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24818; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MP4 file magic detected"; flow:to_server,established; file_data; content:"ftypiso"; depth:7; offset:4; content:"mp4"; within:3; distance:5; flowbits:set,file.mp4; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24817; rev:9;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MP4 file magic detected"; flow:to_client,established; file_data; content:"ftypiso"; depth:7; offset:4; content:"mp4"; within:3; distance:5; flowbits:set,file.mp4; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24816; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Netop Remote Control file attachment detected"; flow:to_server,established; content:".dws"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edws/i"; flowbits:set,file.dws; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24710; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Netop Remote Control file attachment detected"; flow:to_client,established; content:".dws"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edws/i"; flowbits:set,file.dws; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:24709; rev:9;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Netop Remote Control file download request"; flow:to_server,established; content:".dws"; fast_pattern:only; http_uri; pcre:"/\x2edws([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.dws; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24708; rev:9;)
|
|
alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"FILE-IDENTIFY Alt-N MDaemon IMAP Server"; flow:to_client,established; content:"MDaemon"; fast_pattern:only; flowbits:set,server.mdaemon; flowbits:noalert; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,28245; reference:cve,2008-1358; reference:url,files.altn.com/MDaemon/Release/RelNotes_en.txt; classtype:attempted-admin; sid:24599; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Apple QuickTime PICT v2.0 Image header"; flow:to_server,established; file_data; content:"|00 11 02 FF|"; depth:4; offset:522; flowbits:set,file.pictmov; flowbits:noalert; metadata:service smtp; reference:bugtraq,49144; reference:cve,2011-0257; classtype:attempted-user; sid:24555; rev:10;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Apple QuickTime PICT v2.0 Image header"; flow:to_client,established; file_data; content:"|00 11 02 FF|"; depth:4; offset:522; flowbits:set,file.pictmov; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49144; reference:cve,2011-0257; classtype:attempted-user; sid:24554; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Embedded Open Type Font file magic detected"; flow:to_server,established; file_data; content:"|90 01 00 00 00 00 4C 50|"; depth:8; offset:28; content:"|00|"; within:1; distance:49; flowbits:set,file.eot; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Embedded_OpenType; classtype:misc-activity; sid:24484; rev:10;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Embedded Open Type Font file magic detected"; flow:to_client,established; file_data; content:"|90 01 00 00 00 00 4C 50|"; depth:8; offset:28; content:"|00|"; within:1; distance:49; flowbits:set,file.eot; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Embedded_OpenType; classtype:misc-activity; sid:24483; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY FLV file attachment detected"; flow:to_server,established; content:".flv"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eflv/i"; flowbits:set,file.flv; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24473; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY FLV file attachment detected"; flow:to_client,established; content:".flv"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eflv/i"; flowbits:set,file.flv; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:24472; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows WMF file magic detected"; flow:to_server,established; file_data; content:"|00 09 00 00|"; depth:4; offset:1; byte_test:1,<=,2,0; flowbits:set,file.wmf; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:24465; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY TIFF file attachment detected"; flow:to_server,established; content:".tif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2etif/i"; flowbits:set,file.tiff; flowbits:set,file.tiff.big; flowbits:set,file.tiff.little; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24464; rev:15;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY TIFF file attachment detected"; flow:to_client,established; content:".tif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2etif/i"; flowbits:set,file.tiff; flowbits:set,file.tiff.big; flowbits:set,file.tiff.little; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:24463; rev:14;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF EE|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:24458; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:24457; rev:8;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF EE|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24456; rev:9;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24455; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SMIL file magic detected"; flow:to_server,established; file_data; content:"SMILtext"; depth:8; flowbits:set,file.smil; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:24219; rev:9;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY SMIL file magic detected"; flow:to_client,established; file_data; content:"SMILtext"; depth:8; flowbits:set,file.smil; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:24218; rev:9;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MP4 file magic detected"; flow:to_client,established; file_data; content:"ftypmp4"; depth:7; offset:4; flowbits:set,file.mp4; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24213; rev:10;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY LZH archive file magic detected"; flow:to_client,established; file_data; content:"-lh"; content:"-"; within:1; distance:1; pcre:"/-lh[014567d]-/"; flowbits:set,file.lzh; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48018; reference:cve,2011-1213; classtype:misc-activity; sid:24206; rev:12;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY X PixMap file magic detected"; flow:to_client,established; file_data; content:"/* XPM */"; depth:9; flowbits:set,file.xpm; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24190; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Works file attachment detected"; flow:to_server,established; content:".wps"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewps/i"; flowbits:set,file.works; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24081; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Works file attachment detected"; flow:to_client,established; content:".wps"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewps/i"; flowbits:set,file.works; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:24080; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RMF file attachment detected"; flow:to_server,established; content:".rmf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ermf/i"; flowbits:set,file.rmf; flowbits:set,file.realplayer; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24079; rev:9;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY RMF file attachment detected"; flow:to_client,established; content:".rmf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ermf/i"; flowbits:set,file.rmf; flowbits:set,file.realplayer; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:24078; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MP3 file attachment detected"; flow:to_server,established; content:".mp3"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emp3/i"; flowbits:set,file.mp3; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:24076; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY MP3 file attachment detected"; flow:to_client,established; content:".mp3"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emp3/i"; flowbits:set,file.mp3; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:24075; rev:9;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MP3 file download request"; flow:to_server,established; content:".mp3"; fast_pattern:only; http_uri; pcre:"/\x2emp3([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.mp3; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24074; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG2000 file magic detected"; flow:to_server,established; file_data; content:"|00 00 00 0C 6A 50 20 20|"; depth:8; flowbits:set,file.jp2; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23823; rev:11;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG2000 file magic detected"; flow:to_client,established; file_data; content:"|00 00 00 0C 6A 50 20 20|"; depth:8; flowbits:set,file.jp2; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:23822; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG2000 file attachment detected"; flow:to_server,established; content:".jpm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpm/i"; flowbits:set,file.jp2; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23821; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG2000 file attachment detected"; flow:to_client,established; content:".jpm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpm/i"; flowbits:set,file.jp2; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23820; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG2000 file download request"; flow:to_server,established; content:".jpm"; nocase; http_uri; pcre:"/\x2ejpm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jp2; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23819; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG2000 file attachment detected"; flow:to_server,established; content:".jpx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpx/i"; flowbits:set,file.jp2; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23818; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG2000 file attachment detected"; flow:to_client,established; content:".jpx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpx/i"; flowbits:set,file.jp2; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23817; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG2000 file download request"; flow:to_server,established; content:".jpx"; nocase; http_uri; pcre:"/\x2ejpx([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jp2; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23816; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG2000 file attachment detected"; flow:to_server,established; content:".jpf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpf/i"; flowbits:set,file.jp2; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23815; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG2000 file attachment detected"; flow:to_client,established; content:".jpf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpf/i"; flowbits:set,file.jp2; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23814; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG2000 file download request"; flow:to_server,established; content:".jpf"; nocase; http_uri; pcre:"/\x2ejpf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jp2; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23813; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG2000 file attachment detected"; flow:to_server,established; content:".j2k"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ej2k/i"; flowbits:set,file.jp2; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23812; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG2000 file attachment detected"; flow:to_client,established; content:".j2k"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ej2k/i"; flowbits:set,file.jp2; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23811; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG2000 file download request"; flow:to_server,established; content:".j2k"; nocase; http_uri; pcre:"/\x2ej2k([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jp2; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23810; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG2000 file attachment detected"; flow:to_server,established; content:".jp2"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejp2/i"; flowbits:set,file.jp2; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23809; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG2000 file attachment detected"; flow:to_client,established; content:".jp2"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejp2/i"; flowbits:set,file.jp2; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23808; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG2000 file download request"; flow:to_server,established; content:".jp2"; nocase; http_uri; pcre:"/\x2ejp2([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jp2; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23807; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6|"; fast_pattern:only; flowbits:set,file.packed; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:23777; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Armadillo v1.71 packer file magic detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; isdataat:17; content:"|55 8B EC 6A FF 68|"; content:"|68|"; within:1; distance:4; content:"|64 A1|"; within:2; distance:4; flowbits:set,file.packed; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:23775; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY NAB file magic detected"; flow:to_server,established; file_data; content:"|EF BB BF|"; depth:3; flowbits:set,file.nab; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23774; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Apple Quicktime FLIC file magic detected"; flow:to_server,established; file_data; content:"|11 AF|"; depth:2; offset:4; content:"|08 00|"; within:2; distance:6; content:"|00 00 00 00|"; within:4; distance:5; flowbits:set,file.fli; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23765; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Download Manager aom file magic detected"; flow:to_server,established; file_data; content:"<?aom"; fast_pattern:only; flowbits:set,file.aom; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23764; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY HPJ file magic detected"; flow:to_server,established; file_data; content:"[OPTIONS]"; flowbits:set,file.hpj; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23763; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PFA file magic detected"; flow:to_server,established; file_data; content:"%!PS-AdobeFont-1.0"; flowbits:set,file.psfont; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23762; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY AVI file magic detected"; flow:to_server,established; file_data; content:"RIFF"; depth:4; content:"AVI "; within:4; distance:4; flowbits:set,file.avi; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23761; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY WAV file magic detected"; flow:to_server,established; file_data; content:"RIFF"; depth:4; content:"WAVE"; within:4; distance:4; flowbits:set,file.wav; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23760; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:"<?xml"; depth:50; nocase; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23759; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:"<xml>"; depth:50; nocase; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23758; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows CHM file magic detected"; flow:to_server,established; file_data; content:"ITSF"; depth:4; content:"ITSP"; within:200; flowbits:set,file.chm; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,13953; reference:cve,2005-1208; reference:nessus,18482; reference:url,attack.mitre.org/techniques/T1223; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-026; classtype:attempted-user; sid:23757; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Cisco Webex Player .wrf file magic detected"; flow:to_server,established; file_data; content:"|57 4F 54 46|"; fast_pattern:only; flowbits:set,file.wrf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23755; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY AVI Video file magic detected"; flow:to_server,established; file_data; content:"RIFF"; depth:4; content:"AVI LIST"; within:8; distance:4; flowbits:set,file.avi.video; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23754; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Visio file magic detected"; flow:established,to_server; file_data; content:"Visio |28|TM|29| Drawing|0D 0A|"; fast_pattern:only; flowbits:set,file.visio; flowbits:noalert; metadata:service smtp; reference:url,office.microsoft.com/en-us/visio/default.aspx; classtype:policy-violation; sid:23753; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SAMI file magic detected"; flow:to_server,established; file_data; content:"|3C|SAMI"; flowbits:set,file.smi; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23749; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY TTF file magic detected"; flow:to_server,established; file_data; content:"|00 01 00 00|"; content:"cmap"; distance:0; flowbits:set,file.ttf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23748; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"uuid"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23747; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"meco"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23746; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"meta"; depth:4; offset:4; content:"hdlr"; distance:0; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23745; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"pict"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23744; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"pnot"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23743; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"wide"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23742; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"junk"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23741; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"skip"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23740; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"mfra"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23739; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"moof"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23738; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SMIL file magic detected"; flow:to_server,established; file_data; content:"<smil>"; depth:6; flowbits:set,file.smil; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:23737; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PLS file magic detected"; flow:to_server,established; file_data; content:"[playlist]"; depth:11; flowbits:set,file.pls; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23736; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MIDI file magic detected"; flow:to_server,established; file_data; content:"MThd"; depth:4; flowbits:set,file.mid; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23735; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Media Player .asf file magic detected"; flow:to_server,established; file_data; content:"|01 CD 87 F4 51 A9 CF 11 8E E6 00 C0 0C| Se"; content:" |DB FE FC F6 55 CF 11 9C 0F 00 A0 C9 03 49 CB|"; within:16; distance:8; flowbits:set,file.asf; flowbits:set,file.wmv; flowbits:set,file.wma; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23732; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PICT file magic detected"; flow:to_server,established; file_data; content:"PICT"; depth:4; flowbits:set,file.pct; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23729; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY matroska file magic detected"; flow:to_server,established; file_data; content:"|1A 45 DF A3|"; content:"matroska"; within:50; nocase; flowbits:set,file.mkv; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23728; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Flash Video file magic detected"; flow:to_server,established; file_data; content:"FLV|01|"; content:"|00 00 00 09|"; within:4; distance:1; flowbits:set,file.swf; flowbits:set,file.flv; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/.flv; classtype:misc-activity; sid:23727; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_server,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,file.exe; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips drop, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23725; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Director Movie file magic detected"; flow:to_server,established; file_data; content:"Shockwave 3D"; fast_pattern:only; content:"XFIR"; depth:4; flowbits:set,file.dir; flowbits:noalert; metadata:service smtp; reference:url,www.fileinfo.com/extension/dir; classtype:misc-activity; sid:23724; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M3U file magic detected"; flow:to_server,established; file_data; content:"|23|EXTM3U"; depth:7; flowbits:set,file.m3u; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/.m3u; classtype:misc-activity; sid:23723; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RealNetworks Realplayer .r1m file magic detected"; flow:to_server,established; file_data; content:".r1m"; depth:4; flowbits:set,file.realplayer; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Realplayer; classtype:misc-activity; sid:23721; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RealNetworks Realplayer REC file magic detected"; flow:to_server,established; file_data; content:".rec|00|"; depth:5; flowbits:set,file.realplayer; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Realplayer; classtype:misc-activity; sid:23720; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Publisher file magic detected"; flow:to_server,established; file_data; content:"CHNKINK "; flowbits:set,file.pub; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0001; reference:url,en.wikipedia.org/wiki/Microsoft_publisher; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-054; classtype:misc-activity; sid:23714; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Excel file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"W|00|o|00|r|00|k|00|b|00|o|00|o|00|k|00|"; distance:0; fast_pattern; flowbits:set,file.xls; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23712; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY OLE Document file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23711; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Tiff big endian file magic detected"; flow:to_server,established; file_data; content:"MM|00 2A|"; depth:4; flowbits:set,file.tiff.big; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Tagged_Image_File_Format; classtype:misc-activity; sid:23710; rev:16;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Tiff little endian file magic detected"; flow:to_server,established; file_data; content:"II|2A 00|"; depth:4; flowbits:set,file.tiff.little; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Tagged_Image_File_Format; classtype:misc-activity; sid:23709; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|"; within:4; distance:16; flowbits:set,file.ole; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23707; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft asf file magic detected"; flow:to_server,established; file_data; content:"0&|B2|u"; depth:4; flowbits:set,file.asf; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Advanced_Systems_Format; classtype:misc-activity; sid:23703; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft SYmbolic LinK file magic detected"; flow:to_server,established; file_data; content:"ID|3B|P"; depth:4; nocase; content:"|0A|"; within:3; byte_test:1,>=,0x41,0,relative; byte_test:1,<=,0x7A,0,relative; content:"|3B|"; within:4; flowbits:set,file.slk; flowbits:noalert; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-0112; reference:url,en.wikipedia.org/wiki/SYmbolic_LinK_(SYLK); reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:misc-activity; sid:23701; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows Media ASF file magic detected"; flow:to_server,established; file_data; content:"|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; depth:16; flowbits:set,file.asf; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Advanced_Systems_Format; classtype:misc-activity; sid:23698; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Excel xlw file magic detected"; flow:to_server,established; file_data; content:"|09 04 06 00 00 04 00 01|"; depth:8; flowbits:set,file.xls; flowbits:noalert; metadata:service smtp; reference:url,sc.openoffice.org/excelfileformat.pdf; classtype:misc-activity; sid:23697; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY VideoLAN VLC file magic detected"; flow:to_server,established; file_data; content:"SCRM"; depth:4; offset:44; flowbits:set,file.s3m; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/.s3m; classtype:misc-activity; sid:23696; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Flac file magic detected"; flow:to_server,established; file_data; content:"fLaC"; depth:4; flowbits:set,file.flac; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/.flac; classtype:misc-activity; sid:23695; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY dmg file magic detected"; flow:to_server,established; file_data; content:"ER|02 00|"; depth:4; flowbits:set,file.dmg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23691; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_server,established; file_data; content:"XFIR"; depth:4; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23687; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"free"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23685; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"mdat"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23684; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"ftyp"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23683; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"moov"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23682; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_server,established; file_data; content:"FLV|01|"; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23681; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_server,established; file_data; content:"FWS"; byte_test:1,<,0x20,0,relative; isdataat:5,relative; content:!"|00 00 00 00|"; within:4; distance:1; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23680; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_server,established; file_data; content:"%PDF-"; nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23678; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY jarpack file magic detected"; flow:to_server,established; file_data; content:"|CA FE D0 0D|"; depth:4; flowbits:set,file.class; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23677; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Universal Binary/Java Bytecode file magic detected"; flow:to_server,established; file_data; content:"|CA FE BA BE|"; depth:4; flowbits:set,file.universalbinary; flowbits:set,file.class; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23676; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_server,established; file_data; content:"{|5C|rt"; fast_pattern:only; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23670; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E0|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23667; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MP3 file magic detected"; flow:to_server,established; file_data; content:"|FF FB|"; depth:2; flowbits:set,file.mp3; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23666; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23664; rev:14;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RAR file magic detected"; flow:to_server,established; file_data; content:"Rar|21 1A 07 00|"; depth:7; flowbits:set,file.rar; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23659; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RIFX file magic detected"; flow:to_server,established; file_data; content:"RIFX"; depth:4; flowbits:set,file.dir; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23658; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23657; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 07|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23656; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 08|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23655; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|05 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23654; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|01 02|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23653; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK00PK|03 04|"; depth:8; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23652; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|03 04|"; depth:4; content:!"|14 00 06 00|"; within:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23651; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MP3 file magic detected"; flow:to_server,established; file_data; content:"ID3"; depth:3; flowbits:set,file.mp3; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23648; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY GIF file magic detected"; flow:to_server,established; file_data; content:"GIF8"; depth:4; fast_pattern; content:"a"; within:1; distance:1; flowbits:set,file.gif; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23647; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RealNetworks Real Media file magic detected"; flow:to_server,established; file_data; content:".RMF"; depth:4; flowbits:set,file.realplayer; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23645; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MPEG sys stream file magic detected"; flow:to_server,established; file_data; content:"|00 00 01 BA|"; depth:4; flowbits:set,file.mpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23640; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MPEG video stream file magic detected"; flow:to_server,established; file_data; content:"|00 00 01 B3|"; depth:4; flowbits:set,file.mpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23639; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Java .class file attachment detected"; flow:to_server,established; content:".class"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eclass/i"; flowbits:set,file.class; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23638; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Java .class file attachment detected"; flow:to_client,established; content:".class"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eclass/i"; flowbits:set,file.class; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23637; rev:9;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isset,file.exe; file_data; content:"|55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6|"; fast_pattern:only; flowbits:set,file.packed; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:23605; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Lotus file attachment detected"; flow:to_server,established; content:".wk"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewk[1234]/i"; flowbits:set,file.wk; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23349; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Lotus file attachment detected"; flow:to_client,established; content:".wk"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewk[1234]/i"; flowbits:set,file.wk; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23348; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Lotus file download request"; flow:to_server,established; content:".wk"; nocase; http_uri; pcre:"/\x2ewk[1234]([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.wk; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23347; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wmx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewmx/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23207; rev:8;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wmx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewmx/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23206; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; content:".wmx"; nocase; http_uri; pcre:"/\x2ewmx([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23205; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".asx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2easx/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23204; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".asx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2easx/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23203; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; content:".asx"; nocase; http_uri; pcre:"/\x2easx([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23202; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wvx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewvx/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23201; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wvx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewvx/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23200; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; content:".wvx"; nocase; http_uri; pcre:"/\x2ewvx([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23199; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wax"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewax/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23198; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wax"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewax/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23197; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; content:".wax"; nocase; http_uri; pcre:"/\x2ewax([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23196; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewm/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23195; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewm/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23194; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; content:".wm"; nocase; http_uri; pcre:"/\x2ewm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23193; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wmv"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewmv/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23192; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wmv"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewmv/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23191; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; content:".wmv"; nocase; http_uri; pcre:"/\x2ewmv([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23190; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_server,established; content:".wma"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewma/i"; flowbits:set,file.asx&file.wma; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23189; rev:9;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wma"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewma/i"; flowbits:set,file.asx&file.wma; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23188; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MPG video stream file attachment detected"; flow:to_server,established; content:".mpg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2empg/i"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23169; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY MPG video stream file attachment detected"; flow:to_client,established; content:".mpg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2empg/i"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23168; rev:10;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MPG video stream file download request"; flow:to_server,established; content:".mpg"; nocase; http_uri; pcre:"/\x2empg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23167; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Collada file attachment detected"; flow:to_server,established; content:".dae"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edae/i"; flowbits:set,file.collada; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23013; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Collada file attachment detected"; flow:to_client,established; content:".dae"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edae/i"; flowbits:set,file.collada; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23012; rev:12;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Collada file download request"; flow:to_server,established; content:".dae"; nocase; http_uri; pcre:"/\x2edae([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.collada; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23011; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows Media Player DVR file attachment detected"; flow:to_server,established; content:".dvr-ms"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edvr-ms/i"; flowbits:set,file.dvr-ms; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:23001; rev:9;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Media Player DVR file attachment detected"; flow:to_client,established; content:".dvr-ms"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edvr-ms/i"; flowbits:set,file.dvr-ms; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:23000; rev:9;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows WMF file magic detected"; flow:to_client,established; file_data; content:"|00 09 00 00|"; depth:4; offset:1; byte_test:1,<=,2,0; flowbits:set,file.wmf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:22999; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Apple QuickTime Movie file attachment detected"; flow:to_server,established; content:".mov"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emov/i"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22996; rev:13;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Apple QuickTime Movie file attachment detected"; flow:to_client,established; content:".mov"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emov/i"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22995; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MP4 file attachment detected"; flow:to_server,established; content:".mp4"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emp4/i"; flowbits:set,file.mp4; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22994; rev:9;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY MP4 file attachment detected"; flow:to_client,established; content:".mp4"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emp4/i"; flowbits:set,file.mp4; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22993; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V file attachment detected"; flow:to_server,established; content:".m4v"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4v/i"; flowbits:set,file.m4v; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22980; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY M4V file attachment detected"; flow:to_client,established; content:".m4v"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4v/i"; flowbits:set,file.m4v; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22979; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY m3u playlist file file attachment detected"; flow:to_server,established; content:".m3u"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em3u/i"; flowbits:set,file.m3u; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22972; rev:8;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY MPEG Layer 3 playlist file attachment detected"; flow:to_client,established; content:".m3u"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em3u/i"; flowbits:set,file.m3u; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22971; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RealNetworks RealPlayer RT file attachment detected"; flow:to_server,established; content:".rt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ert/i"; flowbits:set,file.rt; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22966; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY RealNetworks RealPlayer RT file attachment detected"; flow:to_client,established; content:".rt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ert/i"; flowbits:set,file.rt; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22965; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RealNetworks RealPlayer RAM file attachment detected"; flow:to_server,established; content:".ram"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eram/i"; flowbits:set,file.ram; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22962; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY RealNetworks RealPlayer RAM file attachment detected"; flow:to_client,established; content:".ram"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eram/i"; flowbits:set,file.ram; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22961; rev:10;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY NAB file magic detected"; flow:to_client,established; file_data; content:"|EF BB BF|"; depth:3; flowbits:set,file.nab; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:22946; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY NAB file attachment detected"; flow:to_server,established; content:".nab"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2enab/i"; flowbits:set,file.nab; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:22945; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY NAB file attachment detected"; flow:to_client,established; content:".nab"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2enab/i"; flowbits:set,file.nab; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:22944; rev:10;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY NAB file download request"; flow:to_server,established; content:".nab"; fast_pattern:only; http_uri; pcre:"/\x2enab([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.nab; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:22943; rev:9;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY OpenType Font file magic detection"; flow:to_client,established; file_data; content:"OTTO"; depth:4; flowbits:set,file.otf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21999; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Portable Executable file attachment detected"; flow:to_server,established; content:".exe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eexe/i"; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21909; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable file attachment detected"; flow:to_client,established; content:".exe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eexe/i"; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21908; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SVG file attachment detected"; flow:to_server,established; content:".svg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esvg/i"; flowbits:set,file.svg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21895; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY SVG file attachment detected"; flow:to_client,established; content:".svg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esvg/i"; flowbits:set,file.svg; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21894; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Director Movie file attachment detected"; flow:to_server,established; content:".dir"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edir/i"; flowbits:set,file.dir; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21893; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Director Movie file attachment detected"; flow:to_client,established; content:".dir"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edir/i"; flowbits:set,file.dir; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21892; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Director Movie file attachment detected"; flow:to_server,established; content:".dcr"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edcr/i"; flowbits:set,file.dir; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21891; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Director Movie file attachment detected"; flow:to_client,established; content:".dcr"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edcr/i"; flowbits:set,file.dir; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21890; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows Movie Maker file attachment detected"; flow:to_server,established; content:".mswmm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emswmm/i"; flowbits:set,file.mswmm; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21889; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Movie Maker file attachment detected"; flow:to_client,established; content:".mswmm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emswmm/i"; flowbits:set,file.mswmm; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21888; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY OpenType Font file attachment detected"; flow:to_server,established; content:".otf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eotf/i"; flowbits:set,file.otf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21887; rev:9;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY OpenType Font file attachment detected"; flow:to_client,established; content:".otf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eotf/i"; flowbits:set,file.otf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21886; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Publisher file attachment detected"; flow:to_server,established; content:".pub"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epub/i"; flowbits:set,file.pub; flowbits:noalert; metadata:policy max-detect-ips alert, service smtp; classtype:misc-activity; sid:21885; rev:8;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Publisher file attachment detected"; flow:to_client,established; content:".pub"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epub/i"; flowbits:set,file.pub; flowbits:noalert; metadata:policy max-detect-ips alert, service imap, service pop3; classtype:misc-activity; sid:21884; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft search file attachment detected"; flow:to_server,established; content:".search-ms"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esearch-ms/i"; flowbits:set,file.search-ms; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-4268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-075; classtype:misc-activity; sid:21880; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft search file attachment detected"; flow:to_client,established; content:".search-ms"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esearch-ms/i"; flowbits:set,file.search-ms; metadata:policy max-detect-ips drop, service imap, service pop3; reference:cve,2008-4268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-075; classtype:misc-activity; sid:21879; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY GIF file attachment detected"; flow:to_server,established; content:".gif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2egif/i"; flowbits:set,file.gif; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21873; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY GIF file attachment detected"; flow:to_client,established; content:".gif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2egif/i"; flowbits:set,file.gif; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21872; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY CNT file attachment detected"; flow:to_server,established; content:".cnt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecnt/i"; flowbits:set,file.cnt; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21871; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY CNT file attachment detected"; flow:to_client,established; content:".cnt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecnt/i"; flowbits:set,file.cnt; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21870; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected"; flow:to_server,established; content:".cpe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecpe/i"; flowbits:set,file.cov; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21868; rev:13;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected"; flow:to_client,established; content:".cpe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecpe/i"; flowbits:set,file.cov; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21867; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected"; flow:to_server,established; content:".cov"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecov/i"; flowbits:set,file.cov; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21866; rev:13;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected"; flow:to_client,established; content:".cov"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ecov/i"; flowbits:set,file.cov; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21865; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY WRF file attachment detected"; flow:to_server,established; content:".wrf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewrf/i"; flowbits:set,file.wrf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21862; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY WRF file attachment detected"; flow:to_client,established; content:".wrf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewrf/i"; flowbits:set,file.wrf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21861; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_server,established; content:".zip"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ezip/i"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21857; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_client,established; content:".zip"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ezip/i"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21856; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY LNK file attachment detected"; flow:to_server,established; content:".lnk"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2elnk/i"; flowbits:set,file.lnk; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21855; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY LNK file attachment detected"; flow:to_client,established; content:".lnk"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2elnk/i"; flowbits:set,file.lnk; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21854; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY LZH file attachment detected"; flow:to_server,established; content:".lzh"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2elzh/i"; flowbits:set,file.lzh; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21816; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY LZH file attachment detected"; flow:to_client,established; content:".lzh"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2elzh/i"; flowbits:set,file.lzh; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21815; rev:9;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Apple Quicktime FLIC file magic detected"; flow:to_client,established; file_data; content:"|11 AF|"; depth:2; offset:4; content:"|08 00|"; within:2; distance:6; content:"|00 00 00 00|"; within:4; distance:5; flowbits:set,file.fli; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21814; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Apple Quicktime FLIC animation file file attachment detected"; flow:to_server,established; content:".fli"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2efli/i"; flowbits:set,file.fli; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21813; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Apple Quicktime FLIC animation file file attachment detected"; flow:to_client,established; content:".fli"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2efli/i"; flowbits:set,file.fli; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21812; rev:10;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Apple Quicktime FLIC animation file file download request"; flow:to_server,established; content:".fli"; fast_pattern:only; http_uri; pcre:"/\x2efli([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.fli; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21811; rev:10;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Download Manager aom file magic detected"; flow:to_client,established; file_data; content:"<?aom"; fast_pattern:only; flowbits:set,file.aom; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21810; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Download Manager aom file attachment detected"; flow:to_server,established; content:".aom"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eaom/i"; flowbits:set,file.aom; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21809; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Download Manager aom file attachment detected"; flow:to_client,established; content:".aom"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eaom/i"; flowbits:set,file.aom; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21808; rev:10;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe Download Manager aom file download request"; flow:to_server,established; content:".aom"; fast_pattern:only; http_uri; pcre:"/\x2eaom([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.aom; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21807; rev:10;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY HPJ file magic detected"; flow:to_client,established; file_data; content:"[OPTIONS]"; flowbits:set,file.hpj; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21751; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY HPJ file attachment detected"; flow:to_server,established; content:".hpj"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ehpj/i"; flowbits:set,file.hpj; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21750; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY HPJ file attachment detected"; flow:to_client,established; content:".hpj"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ehpj/i"; flowbits:set,file.hpj; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21749; rev:9;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY HPJ file download request"; flow:to_server,established; content:".hpj"; fast_pattern:only; http_uri; pcre:"/\x2ehpj([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.hpj; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21748; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_server,established; content:".rtf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ertf/i"; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21747; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_client,established; content:".rtf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ertf/i"; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21746; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY AVI file attachment detected"; flow:to_server,established; content:".avi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eavi/i"; flowbits:set,file.avi; flowbits:set,file.avi.video; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21745; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY AVI file attachment detected"; flow:to_client,established; content:".avi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eavi/i"; flowbits:set,file.avi; flowbits:set,file.avi.video; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21744; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Embedded Open Type Font file attachment detected"; flow:to_server,established; content:".eot"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eeot/i"; flowbits:set,file.eot; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21743; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Embedded Open Type Font file attachment detected"; flow:to_client,established; content:".eot"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eeot/i"; flowbits:set,file.eot; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21742; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows Media asx file attachment detected"; flow:to_server,established; content:".asx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2easx/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21741; rev:8;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Media asx file attachment detected"; flow:to_client,established; content:".asx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2easx/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21740; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jfi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejfi/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21739; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jfi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejfi/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21738; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejif/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21737; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejif/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21736; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpe/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21735; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpe/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21734; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".pjpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epjpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21733; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".pjpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epjpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21732; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21731; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21730; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21729; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21728; rev:9;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY ANI file magic detection"; flow:to_client,established; file_data; content:"RIFF"; depth:4; content:"ACON"; within:4; distance:4; flowbits:set,file.ani; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21727; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_server,established; content:".ani"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eani/i"; flowbits:set,file.ani; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21726; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_client,established; content:".ani"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eani/i"; flowbits:set,file.ani; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21725; rev:10;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY ANI file download request"; flow:to_server,established; content:".ani"; fast_pattern:only; http_uri; pcre:"/\x2eani([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ani; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:21724; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY AFM file attachment detected"; flow:to_server,established; content:".afm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eafm/i"; flowbits:set,file.psfont; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21723; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY AFM file attachment detected"; flow:to_client,established; content:".afm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eafm/i"; flowbits:set,file.psfont; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21722; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY AFM file download request"; flow:to_server,established; content:".afm"; fast_pattern:only; http_uri; pcre:"/\x2eafm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.psfont; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21721; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PFM file attachment detected"; flow:to_server,established; content:".pfm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epfm/i"; flowbits:set,file.psfont; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21720; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PFM file attachment detected"; flow:to_client,established; content:".pfm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epfm/i"; flowbits:set,file.psfont; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21719; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PFM file download request"; flow:to_server,established; content:".pfm"; fast_pattern:only; http_uri; pcre:"/\x2epfm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.psfont; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21718; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PFB file attachment detected"; flow:to_server,established; content:".pfb"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epfb/i"; flowbits:set,file.psfont; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21717; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PFB file attachment detected"; flow:to_client,established; content:".pfb"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epfb/i"; flowbits:set,file.psfont; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21716; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PFB file download request"; flow:to_server,established; content:".pfb"; fast_pattern:only; http_uri; pcre:"/\x2epfb([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.psfont; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21715; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PFA file attachment detected"; flow:to_server,established; content:".pfa"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epfa/i"; flowbits:set,file.psfont; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21714; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PFA file attachment detected"; flow:to_client,established; content:".pfa"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epfa/i"; flowbits:set,file.psfont; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21713; rev:11;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PFA file magic detected"; flow:to_client,established; file_data; content:"%!PS-AdobeFont-1.0"; flowbits:set,file.psfont; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21712; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PFA file download request"; flow:to_server,established; content:".pfa"; fast_pattern:only; http_uri; pcre:"/\x2epfa([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.psfont; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21711; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY AIFF file attachment detected"; flow:to_server,established; content:".aif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eaif/i"; flowbits:set,file.aiff; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21710; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY AIFF file attachment detected"; flow:to_client,established; content:".aif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eaif/i"; flowbits:set,file.aiff; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21709; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY BitTorrent torrent file attachment detected"; flow:to_server,established; content:".torrent"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2etorrent/i"; flowbits:set,file.torrent; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21706; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY BitTorrent torrent file attachment detected"; flow:to_client,established; content:".torrent"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2etorrent/i"; flowbits:set,file.torrent; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21705; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY 4XM file attachment detected"; flow:to_server,established; content:".4xm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2e4xm/i"; flowbits:set,file.4xm; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21704; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY 4XM file attachment detected"; flow:to_client,established; content:".4xm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2e4xm/i"; flowbits:set,file.4xm; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21703; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY FlashPix file attachment detected"; flow:to_server,established; content:".fpx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2efpx/i"; flowbits:set,file.fpx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21702; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY FlashPix file attachment detected"; flow:to_client,established; content:".fpx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2efpx/i"; flowbits:set,file.fpx; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21701; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Excel xlw file attachment detected"; flow:to_server,established; content:".xlw"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exlw/i"; flowbits:set,file.xls; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21700; rev:13;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel xlw file attachment detected"; flow:to_client,established; content:".xlw"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exlw/i"; flowbits:set,file.xls; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21699; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_server,established; content:".sami"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esami/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21698; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_client,established; content:".sami"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esami/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21697; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_server,established; content:".smi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esmi/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21696; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_client,established; content:".smi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esmi/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21695; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY FLAC file attachment detected"; flow:to_server,established; content:".flac"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eflac/i"; flowbits:set,file.flac; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21694; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY FLAC file attachment detected"; flow:to_client,established; content:".flac"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eflac/i"; flowbits:set,file.flac; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21693; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SMIL file attachment detected"; flow:to_server,established; content:".smil"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esmil/i"; flowbits:set,file.smil; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21692; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY SMIL file attachment detected"; flow:to_client,established; content:".smil"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esmil/i"; flowbits:set,file.smil; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21691; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PLS file attachment detected"; flow:to_server,established; content:".pls"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epls/i"; flowbits:set,file.pls; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21688; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PLS file attachment detected"; flow:to_client,established; content:".pls"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epls/i"; flowbits:set,file.pls; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21687; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY QuickDraw/PICT file attachment detected"; flow:to_server,established; content:".pict"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epict/i"; flowbits:set,file.pct; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21652; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY QuickDraw/PICT file attachment detected"; flow:to_client,established; content:".pict"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epict/i"; flowbits:set,file.pct; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21651; rev:10;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY QuickDraw/PICT file download request"; flow:to_server,established; content:".pict"; fast_pattern:only; http_uri; pcre:"/\x2epict([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pct; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21650; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY QuickDraw/PICT file attachment detected"; flow:to_server,established; content:".pct"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epct/i"; flowbits:set,file.pct; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21649; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY QuickDraw/PICT file attachment detected"; flow:to_client,established; content:".pct"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epct/i"; flowbits:set,file.pct; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21648; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SUM file attachment detected"; flow:to_server,established; content:".sum"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esum/i"; flowbits:set,file.esignal; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21628; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY SUM file attachment detected"; flow:to_client,established; content:".sum"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esum/i"; flowbits:set,file.esignal; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21627; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY POR file attachment detected"; flow:to_server,established; content:".por"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epor/i"; flowbits:set,file.esignal; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21626; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY POR file attachment detected"; flow:to_client,established; content:".por"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epor/i"; flowbits:set,file.esignal; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21625; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY QUO file attachment detected"; flow:to_server,established; content:".quo"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2equo/i"; flowbits:set,file.esignal; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21624; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY QUO file attachment detected"; flow:to_client,established; content:".quo"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2equo/i"; flowbits:set,file.esignal; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21623; rev:10;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY AVI file magic detected"; flow:to_client,established; file_data; content:"RIFF"; depth:4; content:"AVI "; within:4; distance:4; flowbits:set,file.avi; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21621; rev:8;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY WAV file magic detected"; flow:to_client,established; file_data; content:"RIFF"; depth:4; content:"WAVE"; within:4; distance:4; flowbits:set,file.wav; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21620; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RT file attachment detected"; flow:to_server,established; content:".rt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ert/i"; flowbits:set,file.rt; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21618; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY RT file attachment detected"; flow:to_client,established; content:".rt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ert/i"; flowbits:set,file.rt; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21617; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY WMF file attachment detected"; flow:to_server,established; content:".wmf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewmf/i"; flowbits:set,file.wmf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21616; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY WMF file attachment detected"; flow:to_client,established; content:".wmf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewmf/i"; flowbits:set,file.wmf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21615; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PNG file attachment detected"; flow:to_server,established; content:".png"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epng/i"; flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21614; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PNG file attachment detected"; flow:to_client,established; content:".png"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epng/i"; flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21613; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RAT file attachment detected"; flow:to_server,established; content:".rat"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2erat/i"; flowbits:set,file.rat; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21612; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY RAT file attachment detected"; flow:to_client,established; content:".rat"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2erat/i"; flowbits:set,file.rat; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21611; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file attachment detected"; flow:to_server,established; content:".xml"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exml/i"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21500; rev:9;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XML file attachment detected"; flow:to_client,established; content:".xml"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exml/i"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21499; rev:8;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:"<?xml"; depth:50; nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21498; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:"<xml>"; depth:50; nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21480; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY CHM file attachment detected"; flow:to_server,established; content:".chm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2echm/i"; flowbits:set,file.chm; flowbits:noalert; metadata:policy max-detect-ips alert, service smtp; reference:url,attack.mitre.org/techniques/T1223; classtype:misc-activity; sid:21479; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY CHM file attachment detected"; flow:to_client,established; content:".chm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2echm/i"; flowbits:set,file.chm; flowbits:noalert; metadata:policy max-detect-ips alert, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1223; classtype:misc-activity; sid:21478; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY paq8o file attachment detected"; flow:to_server,established; content:".paq8o"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epaq8o/i"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21412; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY paq8o file attachment detected"; flow:to_client,established; content:".paq8o"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epaq8o/i"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21411; rev:13;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY paq8o file download request"; flow:to_server,established; content:".paq8o"; fast_pattern:only; http_uri; pcre:"/\x2epaq8o([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:21410; rev:12;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XML download detected"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; content:"text/xml"; within:20; fast_pattern; nocase; http_header; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:21288; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XSLT file attachment detected"; flow:to_server,established; content:".xslt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exslt/i"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21287; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XSLT file attachment detected"; flow:to_client,established; content:".xslt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exslt/i"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21286; rev:10;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XSLT file download request"; flow:to_server,established; content:".xslt"; fast_pattern:only; http_uri; pcre:"/\x2exslt([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21285; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XSL file attachment detected"; flow:to_server,established; content:".xsl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exsl/i"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21284; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XSL file attachment detected"; flow:to_client,established; content:".xsl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exsl/i"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21283; rev:10;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XSL file download request"; flow:to_server,established; content:".xsl"; fast_pattern:only; http_uri; pcre:"/\x2exsl([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21282; rev:9;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks RealPlayer realtext file download request"; flow:to_server,established; content:".rt"; fast_pattern:only; http_uri; pcre:"/\x2ert([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rt; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21174; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY S3M file attachment detected"; flow:to_server,established; content:".s3m"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2es3m/i"; flowbits:set,file.s3m; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21153; rev:13;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY S3M file attachment detected"; flow:to_client,established; content:".s3m"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2es3m/i"; flowbits:set,file.s3m; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21152; rev:12;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Cisco Webex Player .wrf file magic detected"; flow:to_client,established; file_data; content:"|57 4F 54 46|"; fast_pattern:only; flowbits:set,file.wrf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21113; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MPEG video stream file attachment detected"; flow:to_server,established; content:".mpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2empeg/i"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21111; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY MPEG video stream file attachment detected"; flow:to_client,established; content:".mpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2empeg/i"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21110; rev:13;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MPEG video stream file download request"; flow:to_server,established; content:".mpeg"; fast_pattern:only; http_uri; pcre:"/\x2empeg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21109; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY AVI file attachment detected"; flow:to_server,established; content:".avi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eavi/i"; flowbits:set,file.avi; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:21062; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY AVI file attachment detected"; flow:to_client,established; content:".avi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eavi/i"; flowbits:set,file.avi; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:21061; rev:10;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY AVI Video file magic detected"; flow:to_client,established; file_data; content:"RIFF"; depth:4; content:"AVI LIST"; within:8; distance:4; flowbits:set,file.avi.video; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21059; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_server,established; content:".pdf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epdf/i"; flowbits:set,file.pdf; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21036; rev:15;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_client,established; content:".pdf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epdf/i"; flowbits:set,file.pdf; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21035; rev:14;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY SAMI file magic detected"; flow:to_client,established; file_data; content:"|3C|SAMI"; flowbits:set,file.smi; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20992; rev:11;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY TTF file magic detected"; flow:to_client,established; file_data; content:"|00 01 00 00|"; content:"cmap"; distance:0; fast_pattern; flowbits:set,file.ttf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20991; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Word docx file attachment detected"; flow:to_server,established; content:".docx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edocx/i"; flowbits:set,file.docx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20987; rev:17;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Word docx file attachment detected"; flow:to_client,established; content:".docx"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edocx/i"; flowbits:set,file.docx; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20986; rev:16;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office PowerPoint file attachment detected"; flow:to_server,established; content:".ppt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eppt/i"; flowbits:set,file.ppt; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20983; rev:13;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office PowerPoint file attachment detected"; flow:to_client,established; content:".ppt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eppt/i"; flowbits:set,file.ppt; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20982; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY OTF file attachment detected"; flow:to_server,established; content:".otf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eotf/i"; flowbits:set,file.ttf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20981; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY OTF file attachment detected"; flow:to_client,established; content:".otf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eotf/i"; flowbits:set,file.ttf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20980; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY TTE file attachment detected"; flow:to_server,established; content:".tte"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ette/i"; flowbits:set,file.ttf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20979; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY TTE file attachment detected"; flow:to_client,established; content:".tte"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ette/i"; flowbits:set,file.ttf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20978; rev:13;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY SKM file download request"; flow:to_server,established; content:".skm"; fast_pattern:only; http_uri; pcre:"/\x2eskm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20977; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY K3G file download request"; flow:to_server,established; content:".k3g"; fast_pattern:only; http_uri; pcre:"/\x2ek3g([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20976; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY 3G2 file download request"; flow:to_server,established; content:".3g2"; fast_pattern:only; http_uri; pcre:"/\x2e3g2([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20975; rev:12;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY 3GP file download request"; flow:to_server,established; content:".3gp"; fast_pattern:only; http_uri; pcre:"/\x2e3gp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20974; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY M4B file download request"; flow:to_server,established; content:".m4b"; fast_pattern:only; http_uri; pcre:"/\x2em4b([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20973; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY M4V file magic request"; flow:to_server,established; content:".m4v"; fast_pattern:only; http_uri; pcre:"/\x2em4v([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.quicktime; flowbits:set,file.m4v; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20972; rev:15;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY M4R file download request"; flow:to_server,established; content:".m4r"; fast_pattern:only; http_uri; pcre:"/\x2em4r([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20971; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY M4P file download request"; flow:to_server,established; content:".m4p"; fast_pattern:only; http_uri; pcre:"/\x2em4p([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20970; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY M4A file download request"; flow:to_server,established; content:".m4a"; fast_pattern:only; http_uri; pcre:"/\x2em4a([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20969; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Apple disk image file download request"; flow:to_server, established; content:".img"; fast_pattern:only; http_uri; pcre:"/\x2eimg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.dmg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Apple_Disk_Image; classtype:misc-activity; sid:20968; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jfi"; fast_pattern:only; http_uri; pcre:"/\x2ejfif?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20967; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jif"; fast_pattern:only; http_uri; pcre:"/\x2ejif([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20966; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jpe"; fast_pattern:only; http_uri; pcre:"/\x2ejpe([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20965; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY SAMI file download request"; flow:to_server,established; content:".sami"; fast_pattern:only; http_uri; pcre:"/\x2esami([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/SAMI; classtype:misc-activity; sid:20964; rev:13;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY DIB file download request"; flow:to_server,established; content:".dib"; fast_pattern:only; http_uri; pcre:"/\x2edib([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.bmp; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:20963; rev:13;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY OTF file download request"; flow:to_server,established; content:".otf"; fast_pattern:only; http_uri; pcre:"/\x2eotf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ttf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/TrueType; classtype:misc-activity; sid:20962; rev:12;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY TTE file download request"; flow:to_server,established; content:".tte"; fast_pattern:only; http_uri; pcre:"/\x2ette([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ttf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/TrueType; classtype:misc-activity; sid:20961; rev:12;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Flac file download request"; flow:to_server,established; content:".flac"; fast_pattern:only; http_uri; pcre:"/\x2eflac([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.flac; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.flac; classtype:misc-activity; sid:20960; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"uuid"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20959; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"meco"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20958; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"meta"; depth:4; offset:4; content:"hdlr"; distance:0; flowbits:set,file.quicktime; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20957; rev:14;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"pict"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20956; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"pnot"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20955; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"wide"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20954; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"junk"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20953; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"skip"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20952; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"mfra"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20951; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"moof"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20950; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_server,established; content:".f4b"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ef4b/i"; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20948; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4b"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ef4b/i"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20947; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_server,established; content:".f4a"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ef4a/i"; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20946; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4a"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ef4a/i"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20945; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_server,established; content:".f4p"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ef4p/i"; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20944; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4p"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ef4p/i"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20943; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_server,established; content:".f4v"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ef4v/i"; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20942; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4v"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ef4v/i"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20941; rev:13;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; content:".f4b"; fast_pattern:only; http_uri; pcre:"/\x2ef4b([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20940; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; content:".f4a"; fast_pattern:only; http_uri; pcre:"/\x2ef4a([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20939; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; content:".f4p"; fast_pattern:only; http_uri; pcre:"/\x2ef4p([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20938; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; content:".f4v"; fast_pattern:only; http_uri; pcre:"/\x2ef4v([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20937; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY QCP file attachment detected"; flow:to_server,established; content:".qcp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eqcp/i"; flowbits:set,file.qcp; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20936; rev:11;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY QCP file attachment detected"; flow:to_client,established; content:".qcp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eqcp/i"; flowbits:set,file.qcp; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20935; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MKA file attachment detected"; flow:to_server,established; content:".mka"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emka/i"; flowbits:set,file.mkv; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20934; rev:16;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY MKA file attachment detected"; flow:to_client,established; content:".mka"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emka/i"; flowbits:set,file.mkv; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20933; rev:15;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MKS file attachment detected"; flow:to_server,established; content:".mks"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emks/i"; flowbits:set,file.mkv; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20932; rev:16;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY MKS file attachment detected"; flow:to_client,established; content:".mks"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emks/i"; flowbits:set,file.mkv; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20931; rev:15;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MKV file attachment detected"; flow:to_server,established; content:".mkv"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emkv/i"; flowbits:set,file.mkv; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20930; rev:16;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY MKV file attachment detected"; flow:to_client,established; content:".mkv"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emkv/i"; flowbits:set,file.mkv; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20929; rev:15;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY SMIL file magic detected"; flow:to_client,established; file_data; content:"<smil>"; depth:6; flowbits:set,file.smil; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:20928; rev:14;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Pagemaker file attachment detected"; flow:to_server,established; content:".pmd"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epmd/i"; flowbits:set,file.pmd; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20926; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Pagemaker file attachment detected"; flow:to_client,established; content:".pmd"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epmd/i"; flowbits:set,file.pmd; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20925; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PLS file magic detected"; flow:to_client,established; file_data; content:"[playlist]"; depth:11; flowbits:set,file.pls; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20924; rev:14;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML Shareable Playlist Format file attachment detected"; flow:to_server,established; content:".xspf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exspf/i"; flowbits:set,file.xspf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20914; rev:13;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XML Shareable Playlist Format file attachment detected"; flow:to_client,established; content:".xspf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exspf/i"; flowbits:set,file.xspf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20913; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows Media ASF file attachment detected"; flow:to_server,established; content:".asf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2easf/i"; flowbits:set,file.asf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20910; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Media ASF file attachment detected"; flow:to_client,established; content:".asf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2easf/i"; flowbits:set,file.asf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20909; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY DXF file attachment detected"; flow:to_server,established; content:".dxf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edxf/i"; flowbits:set,file.dxf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20908; rev:10;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY DXF file attachment detected"; flow:to_client,established; content:".dxf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edxf/i"; flowbits:set,file.dxf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20907; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY X PixMap file attachment detected"; flow:to_server,established; content:".xpm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2expm/i"; flowbits:set,file.xpm; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20906; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY X PixMap file attachment detected"; flow:to_client,established; content:".xpm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2expm/i"; flowbits:set,file.xpm; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20905; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MIDI file attachment detected"; flow:to_server,established; content:".mid"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emid/i"; flowbits:set,file.mid; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20899; rev:15;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY MIDI file attachment detected"; flow:to_client,established; content:".mid"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emid/i"; flowbits:set,file.mid; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20898; rev:14;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MIDI file magic detected"; flow:to_client,established; file_data; content:"MThd"; depth:4; flowbits:set,file.mid; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20897; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY TwinVQ file attachment detected"; flow:to_server,established; content:".vqf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2evqf/i"; flowbits:set,file.vqf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20857; rev:15;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY TwinVQ file attachment detected"; flow:to_client,established; content:".vqf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2evqf/i"; flowbits:set,file.vqf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20856; rev:14;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Visio file attachment detected"; flow:to_server,established; content:".vsd"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2evsd/i"; flowbits:set,file.visio; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20855; rev:13;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Visio file attachment detected"; flow:to_client,established; content:".vsd"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2evsd/i"; flowbits:set,file.visio; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20854; rev:12;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY eSignal .sum file download request"; flow:to_server,established; content:".sum"; fast_pattern:only; http_uri; pcre:"/\x2Esum([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.esignal; flowbits:noalert; metadata:service http; reference:url,www.file-extensions.org/sum-file-extension; classtype:misc-activity; sid:20841; rev:13;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY eSignal .por file download request"; flow:to_server,established; content:".por"; fast_pattern:only; http_uri; pcre:"/\x2Epor([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.esignal; flowbits:noalert; metadata:service http; reference:url,www.file-extensions.org/por-file-extension; classtype:misc-activity; sid:20840; rev:13;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY eSignal .quo file download request"; flow:to_server,established; content:".quo"; fast_pattern:only; http_uri; pcre:"/\x2Equo([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.esignal; flowbits:noalert; metadata:service http; reference:url,www.file-extensions.org/quo-file-extension; classtype:misc-activity; sid:20839; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY MIME file type file attachment detected"; flow:to_server,established; content:".mim"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emim/i"; flowbits:set,file.mime; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20801; rev:19;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY MIME file type file attachment detected"; flow:to_client,established; content:".mim"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2emim/i"; flowbits:set,file.mime; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20800; rev:18;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_server,established; content:".swf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eswf/i"; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20799; rev:16;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".swf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eswf/i"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20798; rev:15;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Word file attachment detected"; flow:to_server,established; content:".doc"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edoc/i"; flowbits:set,file.doc; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20796; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Word file attachment detected"; flow:to_client,established; content:".doc"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edoc/i"; flowbits:set,file.doc; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20795; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Excel file attachment detected"; flow:to_server,established; content:".xls"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exls/i"; flowbits:set,file.xls; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:20793; rev:16;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel file attachment detected"; flow:to_client,established; content:".xls"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exls/i"; flowbits:set,file.xls; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:20792; rev:15;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Media Player DVR file download request"; flow:to_server,established; content:".dvr-ms"; fast_pattern:only; http_uri; pcre:"/\x2edvr-ms([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.dvr-ms; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20733; rev:14;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Word docx file download request"; flow:to_server,established; content:".docx"; fast_pattern:only; http_uri; pcre:"/\x2edocx([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.docx; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Microsoft_word; classtype:misc-activity; sid:20723; rev:16;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JAR file download request"; flow:to_server,established; content:".jar"; fast_pattern:only; http_uri; pcre:"/\x2ejar([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:20621; rev:15;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe Flash Player FLV file download request"; flow:to_server,established; content:".flv"; fast_pattern:only; http_uri; pcre:"/\x2eflv([\?\x5c\x2f]|$)/Umsi"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.flv; classtype:misc-activity; sid:20544; rev:14;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY VideoLAN VLC file magic detected"; flow:to_client,established; file_data; content:"SCRM"; depth:4; offset:44; flowbits:set,file.s3m; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/.s3m; classtype:misc-activity; sid:20522; rev:16;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Flac file magic detected"; flow:to_client,established; file_data; content:"fLaC"; depth:4; flowbits:set,file.flac; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/.flac; classtype:misc-activity; sid:20521; rev:17;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY rmf file download request"; flow:to_server,established; content:".rmf"; nocase; http_uri; pcre:"/\x2Ermf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rmf; flowbits:set,file.realplayer; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20518; rev:15;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY dmg file magic detected"; flow:to_client,established; file_data; content:"ER|02 00|"; depth:4; flowbits:set,file.dmg; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20514; rev:17;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"XFIR"; depth:4; flowbits:set,file.swf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20507; rev:19;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"free"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20503; rev:17;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"mdat"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20502; rev:17;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"ftyp"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20501; rev:17;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"moov"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20500; rev:17;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"FLV|01|"; flowbits:set,file.swf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20497; rev:17;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"FWS"; depth:3; byte_test:1,<,0x20,0,relative; isdataat:5,relative; content:!"|00 00 00 00|"; within:4; distance:1; flowbits:set,file.swf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20496; rev:23;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_client,established; file_data; content:"%PDF-"; nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20494; rev:16;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY jarpack file magic detected"; flow:to_client,established; file_data; content:"|CA FE D0 0D|"; depth:4; flowbits:set,file.class; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20493; rev:18;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Universal Binary/Java Bytecode file magic detected"; flow:to_client,established; file_data; content:"|CA FE BA BE|"; depth:4; flowbits:set,file.universalbinary; flowbits:set,file.class; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20492; rev:16;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_client,established; file_data; content:"{|5C|rt"; fast_pattern:only; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20486; rev:20;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E0|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20483; rev:19;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MP3 file magic detected"; flow:to_client,established; file_data; content:"|FF FB|"; depth:2; flowbits:set,file.mp3; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20481; rev:19;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detection"; flow:to_client,established; file_data; content:"|FF D8 FF|"; depth:3; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20480; rev:18;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20478; rev:19;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY RAR file magic detected"; flow:to_client,established; file_data; content:"Rar|21 1A 07 00|"; depth:7; flowbits:set,file.rar; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20472; rev:21;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY RIFX file magic detected"; flow:to_client,established; file_data; content:"RIFX"; depth:4; flowbits:set,file.dir; flowbits:set,file.swf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20471; rev:19;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20469; rev:22;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 07|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20468; rev:22;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 08|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20467; rev:22;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|05 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20466; rev:22;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|01 02|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20465; rev:22;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK00PK|03 04|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20464; rev:22;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|03 04|"; content:!"|14 00 06 00|"; within:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20463; rev:23;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MP3 file magic detected"; flow:to_client,established; file_data; content:"ID3"; depth:3; flowbits:set,file.mp3; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20460; rev:17;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY GIF file magic detected"; flow:to_client,established; file_data; content:"GIF8"; depth:4; fast_pattern; content:"a"; within:1; distance:1; flowbits:set,file.gif; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20459; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY RealNetworks Real Media file magic detected"; flow:to_client,established; file_data; content:".RMF"; depth:4; flowbits:set,file.realplayer; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20456; rev:17;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MPEG sys stream file magic detected"; flow:to_client,established; file_data; content:"|00 00 01 BA|"; depth:4; flowbits:set,file.mpeg; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20451; rev:19;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MPEG video stream file magic detected"; flow:to_client,established; file_data; content:"|00 00 01 B3|"; depth:4; flowbits:set,file.mpeg; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20450; rev:19;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY QCP file download request"; flow:to_server,established; content:".qcp"; fast_pattern:only; http_uri; pcre:"/\x2eqcp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.qcp; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.qcp; classtype:misc-activity; sid:20287; rev:12;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY S3M file download request"; flow:to_server,established; content:".s3m"; fast_pattern:only; http_uri; pcre:"/\x2es3m([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.s3m; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.s3m; classtype:misc-activity; sid:20282; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY FON font file download request"; flow:to_server,established; content:".fon"; fast_pattern:only; http_uri; pcre:"/\x2efon([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.fon; flowbits:noalert; metadata:service http; reference:cve,2011-2003; reference:url,en.wikipedia.org/wiki/.fon; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-077; classtype:misc-activity; sid:20269; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY SMI file download request"; flow:to_server,established; content:".smi"; fast_pattern:only; http_uri; pcre:"/\x2esmi([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:set,file.dmg; flowbits:noalert; metadata:ruleset community, service http; reference:bugtraq,49149; reference:url,en.wikipedia.org/wiki/SAMI; classtype:misc-activity; sid:20223; rev:22;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MIME file type file download request"; flow:to_server,established; content:".mim"; fast_pattern:only; http_uri; pcre:"/\x2emim([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.mime; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20032; rev:20;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PICT file magic detected"; flow:to_client,established; file_data; content:"PICT"; depth:4; flowbits:set,file.pct; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:19907; rev:16;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MIDI file download request"; flow:to_server,established; content:".mid"; fast_pattern:only; http_uri; pcre:"/\x2emid([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.mid; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:19430; rev:16;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MKS file download request"; flow:to_server,established; content:".mks"; fast_pattern:only; http_uri; pcre:"/\x2emks([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.mkv; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Matroska; classtype:misc-activity; sid:19425; rev:17;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MKA file download request"; flow:to_server,established; content:".mka"; fast_pattern:only; http_uri; pcre:"/\x2emka([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.mkv; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Matroska; classtype:misc-activity; sid:19424; rev:17;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MKV file download request"; flow:to_server,established; content:".mkv"; fast_pattern:only; http_uri; pcre:"/\x2emkv([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.mkv; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Matroska; classtype:misc-activity; sid:19423; rev:17;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY matroska file magic detected"; flow:to_client,established; file_data; content:"|1A 45 DF A3|"; content:"matroska"; within:50; nocase; flowbits:set,file.mkv; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:19422; rev:20;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Cisco Webex wrf file download request"; flow:to_server,established; content:".wrf"; fast_pattern:only; http_uri; pcre:"/\x2ewrf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.wrf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Webex; classtype:misc-activity; sid:19224; rev:16;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file download request"; flow:to_server,established; content:".cov"; fast_pattern:only; http_uri; pcre:"/\x2ecov([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.cov; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:19218; rev:21;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Google Chrome extension file download request"; flow:to_server,established; content:".crx"; fast_pattern:only; http_uri; pcre:"/\x2ecrx([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.crx; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Google_Chrome; classtype:misc-activity; sid:19215; rev:16;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY ZIP archive file download request"; flow:to_server,established; content:".zip"; fast_pattern:only; http_uri; pcre:"/\x2ezip([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:19211; rev:20;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"W|00|o|00|r|00|k|00|b|00|o|00|o|00|k|00|"; fast_pattern:only; flowbits:set,file.xls; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:19166; rev:20;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY RealNetworks Realplayer .r1m file magic detected"; flow:to_client,established; file_data; content:".r1m"; depth:4; flowbits:set,file.realplayer; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Realplayer; classtype:misc-activity; sid:19129; rev:19;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY RealNetworks Realplayer REC file magic detected"; flow:to_client,established; file_data; content:".rec|00|"; depth:5; flowbits:set,file.realplayer; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Realplayer; classtype:misc-activity; sid:19128; rev:19;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file download request"; flow:to_server,established; content:".cpe"; fast_pattern:only; http_uri; pcre:"/\x2ecpe([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.cov; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:18675; rev:21;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY BitTorrent torrent file download request"; flow:to_server,established; content:".torrent"; fast_pattern:only; http_uri; pcre:"/\x2etorrent([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.torrent; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:18593; rev:15;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Word file download request"; flow:to_server,established; content:".wri"; fast_pattern:only; http_uri; pcre:"/\x2ewri([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.doc; flowbits:set,file.wri; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:18516; rev:16;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY QuickDraw/PICT file download request"; flow:to_server,established; content:".pct"; nocase; http_uri; pcre:"/\x2epct([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pct; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:18234; rev:13;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Apple Quicktime qt file download request"; flow:to_server,established; content:".qt"; fast_pattern:only; http_uri; pcre:"/\x2eqt([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.mov; classtype:misc-activity; sid:17809; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe Director Movie file download request"; flow:to_server,established; content:".dcr"; fast_pattern:only; http_uri; pcre:"/\x2edcr([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.dir; flowbits:noalert; metadata:service http; reference:url,www.fileinfo.com/extension/dcr; classtype:misc-activity; sid:17802; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Director Movie file magic detected"; flow:to_client,established; file_data; content:"Shockwave 3D"; fast_pattern:only; content:"XFIR"; depth:4; flowbits:set,file.dir; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.fileinfo.com/extension/dir; classtype:misc-activity; sid:17801; rev:19;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY OpenType Font file download request"; flow:to_server,established; content:".otf"; fast_pattern:only; http_uri; pcre:"/\x2eotf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.otf; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17751; rev:15;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY FlashPix file download request"; flow:to_server, established; content:".fpx"; fast_pattern:only; http_uri; pcre:"/\x2efpx([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.fpx; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Fpx; classtype:misc-activity; sid:17739; rev:15;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XML file download request"; flow:to_server,established; content:".xml"; fast_pattern:only; http_uri; pcre:"/\x2exml([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:17733; rev:15;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY TIFF file download request"; flow:to_server,established; content:".tif"; fast_pattern:only; http_uri; pcre:"/\x2etif(f)?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.tiff; flowbits:set,file.tiff.big; flowbits:set,file.tiff.little; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.tiff; classtype:misc-activity; sid:17732; rev:23;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Apple disk image file download request"; flow:to_server, established; content:".dmg"; fast_pattern:only; http_uri; pcre:"/\x2edmg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.dmg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Apple_Disk_Image; classtype:misc-activity; sid:17679; rev:15;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XUL file download request"; flow:to_server,established; content:".xul"; fast_pattern:only; http_uri; pcre:"/\x2exul([\?\x5c\x2f]|$)/Umsi"; flowbits:set,file.xul; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.xul; classtype:misc-activity; sid:17600; rev:17;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe Pagemaker file download request"; flow:to_server,established; content:".pmd"; fast_pattern:only; http_uri; pcre:"/\x2epmd([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pmd; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.pmd; classtype:misc-activity; sid:17552; rev:16;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY SMIL file download request"; flow:to_server,established; content:".smil"; fast_pattern:only; http_uri; pcre:"/\x2esmil([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.smil; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:17547; rev:17;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY LZH file download request"; flow:to_server,established; content:".lzh"; fast_pattern:only; http_uri; pcre:"/\x2elzh([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.lzh; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17540; rev:16;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows .NET Deploy file download request"; flow:to_server,established; flowbits:isset,file.manifest; content:".deploy"; fast_pattern:only; http_uri; pcre:"/\x2edeploy([\?\x5c\x2f]|$)/smiU"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21688; reference:cve,2006-6696; reference:url,en.wikipedia.org/wiki/ASP.NET; classtype:misc-activity; sid:17510; rev:19;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows .NET Manifest file download request"; flow:to_server,established; content:".manifest"; fast_pattern:only; http_uri; pcre:"/\x2emanifest([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.manifest; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21688; reference:cve,2006-6696; reference:url,en.wikipedia.org/wiki/ASP.NET; classtype:misc-activity; sid:17509; rev:16;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY LNK file download request"; flow:to_server,established; content:".lnk"; fast_pattern:only; http_uri; pcre:"/\x2elnk([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.lnk; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17441; rev:14;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RAT file download request"; flow:to_server,established; content:".rat"; fast_pattern:only; http_uri; pcre:"/\x2erat([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rat; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17426; rev:17;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows help file download request"; flow:to_server,established; content:".hlp"; fast_pattern:only; http_uri; pcre:"/\x2ehlp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.hlp; metadata:policy max-detect-ips drop, service http; reference:cve,2004-1306; reference:cve,2006-3357; reference:cve,2006-4138; classtype:misc-activity; sid:17407; rev:22;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY GIF file download request"; flow:to_server,established; content:".gif"; fast_pattern:only; http_uri; pcre:"/\x2egif([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.gif; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17394; rev:14;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PNG file download request"; flow:to_server,established; content:".png"; fast_pattern:only; http_uri; pcre:"/\x2epng([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:17380; rev:20;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Help Workshop CNT Help file download request"; flow:to_server,established; content:".cnt"; fast_pattern:only; http_uri; pcre:"/\x2ecnt([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.cnt; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.cnt; classtype:misc-activity; sid:17364; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XBM image file download request"; flow:to_server,established; content:".xbm"; fast_pattern:only; http_uri; pcre:"/\x2exbm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xbm; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/XBM; classtype:misc-activity; sid:17359; rev:16;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY OLE document file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:17314; rev:24;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MOV file download request"; flow:to_server,established; content:".mov"; fast_pattern:only; http_uri; pcre:"/\x2emov([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.mov; classtype:misc-activity; sid:17259; rev:17;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Media wmv file download request"; flow:to_server,established; content:".wmv"; fast_pattern:only; http_uri; pcre:"/\x2ewmv([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.wmv; flowbits:set,file.asf; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17241; rev:19;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Tiff big endian file magic detected"; flow:to_client,established; file_data; content:"MM|00 2A|"; depth:4; flowbits:set,file.tiff.big; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Tagged_Image_File_Format; classtype:misc-activity; sid:17230; rev:28;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Tiff little endian file magic detected"; flow:to_client,established; file_data; content:"II|2A 00|"; depth:4; flowbits:set,file.tiff.little; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Tagged_Image_File_Format; classtype:misc-activity; sid:17229; rev:23;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Media ASX file download request"; flow:to_server,established; content:".asx"; fast_pattern:only; http_uri; pcre:"/\x2easx([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Advanced_Stream_Redirector; classtype:misc-activity; sid:17116; rev:13;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".pjpeg"; fast_pattern:only; http_uri; pcre:"/\x2epjpeg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16529; rev:17;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|"; within:4; distance:16; flowbits:set,file.ole; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:16474; rev:24;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Movie Maker project file download request"; flow:to_server,established; content:".mswmm"; fast_pattern:only; http_uri; pcre:"/\x2emswmm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.mswmm; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Windows_Movie_Maker; classtype:misc-activity; sid:16473; rev:18;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file magic detected"; flow:to_client,established; file_data; content:"|8A 06|F|88 07|G|01 DB|u|07 8B 1E 83 EE FC 11 DB|"; pcre:"/^(\x72\xED\xB8\x01.{3}|\x8A\x07\x72\xEB\xB8\x01\x00\x00\x00)\x01\xDB\x75\x07\x8B\x1E\x83\xEE\xFC\x11\xDB\x11\xC0\x01\xDB[\x73\x77].{3}\x8B\x1E\x83\xEE\xFC/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,upx.sourceforge.net; reference:url,www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx; classtype:misc-activity; sid:16435; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Portable Executable binary file download request"; flow:to_server,established; content:".exe"; fast_pattern:only; http_uri; pcre:"/\x2eexe([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/.exe; classtype:misc-activity; sid:16425; rev:24;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jpeg"; fast_pattern:only; http_uri; pcre:"/\x2ejpeg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16407; rev:17;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jpg"; fast_pattern:only; http_uri; pcre:"/\x2ejpg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16406; rev:17;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY TrueType font file download request"; flow:to_server,established; content:".ttf"; fast_pattern:only; http_uri; pcre:"/\x2ettf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ttf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/TrueType; classtype:misc-activity; sid:16286; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe Director Movie file download request"; flow:to_server,established; content:".dir"; fast_pattern:only; http_uri; pcre:"/\x2edir([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.dir; flowbits:noalert; metadata:service http; reference:url,www.fileinfo.com/extension/dir; classtype:misc-activity; sid:16219; rev:16;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY BMP file download request"; flow:to_server,established; content:".bmp"; fast_pattern:only; http_uri; pcre:"/\x2ebmp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.bmp; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:16205; rev:20;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft asf file magic detected"; flow:to_client,established; file_data; content:"0&|B2|u"; depth:4; flowbits:set,file.asf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Advanced_Systems_Format; classtype:misc-activity; sid:16143; rev:25;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY X PixMap file download request"; flow:to_server,established; content:".xpm"; fast_pattern:only; http_uri; pcre:"/\x2expm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xpm; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/X_PixMap; classtype:misc-activity; sid:16061; rev:20;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY DXF file download request"; flow:to_server,established; content:".dxf"; fast_pattern:only; http_uri; pcre:"/\x2edxf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.dxf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Dxf; classtype:misc-activity; sid:15987; rev:16;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RSS file download request"; flow:to_server,established; content:".rss"; fast_pattern:only; http_uri; pcre:"/\x2erss([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rss; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Rss; classtype:misc-activity; sid:15945; rev:19;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MP3 file download request"; flow:to_server,established; content:".mp3"; fast_pattern:only; http_uri; pcre:"/\x2emp3([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.mp3; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp3; classtype:misc-activity; sid:15922; rev:20;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft multimedia format file download request"; flow:to_server,established; content:".wma"; fast_pattern:only; http_uri; pcre:"/\x2ewma([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.wma&file.asx; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Windows_Media_Audio; classtype:misc-activity; sid:15921; rev:20;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Audio Interchange file download request"; flow:to_server,established; content:".aif"; fast_pattern:only; http_uri; pcre:"/\x2eaif[cf]?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.aiff; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:15900; rev:16;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY 4XM file download request"; flow:to_server,established; content:".4xm"; fast_pattern:only; http_uri; pcre:"/\x2e4xm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.4xm; flowbits:noalert; metadata:service http; reference:url,wiki.multimedia.cx/index.php?title=4xm_Format; classtype:misc-activity; sid:15870; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MP4 file download request"; flow:to_server,established; content:".mp4"; fast_pattern:only; http_uri; pcre:"/\x2emp4([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.quicktime; flowbits:set,file.mp4; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:15865; rev:20;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Word file download request"; flow:to_server,established; content:".doc"; fast_pattern:only; http_uri; pcre:"/\x2edoc([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.doc; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Microsoft_word; classtype:misc-activity; sid:15587; rev:22;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office PowerPoint file download request"; flow:to_server,established; content:".ppt"; fast_pattern:only; http_uri; pcre:"/\x2eppt([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ppt; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Microsoft_PowerPoint; classtype:misc-activity; sid:15586; rev:19;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY WordPerfect file magic detected"; flow:to_client,established; file_data; content:"|FF|WPC"; depth:4; fast_pattern; content:"|01 0A 02 01|"; within:4; distance:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.corelconnected.com/html/files/WPFF_%21DocumentStructure.htm; classtype:misc-activity; sid:15575; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Embedded Open Type Font file download request"; flow:to_server,established; content:".eot"; fast_pattern:only; http_uri; pcre:"/\x2eeot([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.eot; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Embedded_OpenType; classtype:misc-activity; sid:15518; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY AVI multimedia file download request"; flow:to_server,established; content:".avi"; fast_pattern:only; http_uri; pcre:"/\x2eavi([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.avi; flowbits:set,file.avi.video; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.avi; classtype:misc-activity; sid:15516; rev:17;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; content:".swf"; fast_pattern:only; http_uri; pcre:"/\x2eswf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:15483; rev:20;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Excel file download request"; flow:to_server,established; content:".xlw"; fast_pattern:only; http_uri; pcre:"/\x2exlw([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xls; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.xlsFile_formats; classtype:misc-activity; sid:15464; rev:25;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Excel file download request"; flow:to_server,established; content:".xls"; fast_pattern:only; http_uri; pcre:"/\x2exls([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xls; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.xlsFile_formats; classtype:misc-activity; sid:15463; rev:23;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY SVG file download request"; flow:to_server,established; content:".svg"; fast_pattern:only; http_uri; pcre:"/\x2esvgz?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.svg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.svg; classtype:misc-activity; sid:15427; rev:21;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY TwinVQ file download request"; flow:to_server,established; content:".vqf"; fast_pattern:only; http_uri; pcre:"/\x2evqf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.vqf; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:15385; rev:20;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Visio file download request"; flow:to_server,established; content:".vsd"; fast_pattern:only; http_uri; pcre:"/\x2evsd([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.visio; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:15294; rev:20;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks RealMedia format file download request"; flow:to_server,established; content:".rv"; fast_pattern:only; http_uri; pcre:"/\x2erv([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realmedia; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Realmedia; classtype:misc-activity; sid:15240; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks RealMedia format file download request"; flow:to_server,established; content:".rm"; fast_pattern:only; http_uri; pcre:"/\x2erm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realmedia; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Realmedia; classtype:misc-activity; sid:15239; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Java .class file download request"; flow:to_server,established; content:".class"; fast_pattern:only; http_uri; pcre:"/\x2eclass([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.class; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Java_class_file; classtype:misc-activity; sid:15237; rev:17;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XML Shareable Playlist Format file download request"; flow:to_server,established; content:".xspf"; fast_pattern:only; http_uri; pcre:"/\x2exspf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xspf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Xspf; classtype:misc-activity; sid:15158; rev:17;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY WAV file download request"; flow:to_server,established; content:".wav"; fast_pattern:only; http_uri; pcre:"/\x2ewav([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.wav; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Wav; classtype:misc-activity; sid:15079; rev:16;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PDF file download request"; flow:to_server,established; content:".pdf"; fast_pattern:only; http_uri; pcre:"/\x2epdf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pdf; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Pdf; classtype:misc-activity; sid:15013; rev:20;)
|
|
alert tcp $EXTERNAL_NET 554 -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Media Player playlist download"; flow:to_client,established; content:"WMS_CONTENT_DESCRIPTION_PLAYLIST_ENTRY_START_OFFSET"; fast_pattern:only; flowbits:set,file.wmp_playlist; flowbits:noalert; classtype:misc-activity; sid:14264; rev:17;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PLS multimedia playlist file download request"; flow:to_server,established; content:".pls"; fast_pattern:only; http_uri; pcre:"/\x2epls([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pls; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.pls; classtype:misc-activity; sid:14018; rev:20;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MPEG Layer 3 playlist file download request"; flow:to_server,established; content:".m3u"; fast_pattern:only; http_uri; pcre:"/\x2em3u([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.m3u; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.m3u; classtype:misc-activity; sid:14017; rev:17;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft search file download request"; flow:to_server,established; content:".search-ms"; fast_pattern:only; http_uri; pcre:"/\x2esearch\x2dms([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.search-ms; metadata:policy max-detect-ips drop, service http; reference:cve,2008-4268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-075; classtype:misc-activity; sid:13911; rev:22;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RTF file download request"; flow:to_server,established; content:".rtf"; fast_pattern:only; http_uri; pcre:"/\x2ertf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Rich_Text_Format; classtype:misc-activity; sid:13801; rev:23;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Access file magic detected"; flow:to_client,established; file_data; content:"|00 01 00 00|Standard Jet DB|00|"; depth:20; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26468; reference:cve,2005-0944; reference:cve,2007-6026; reference:cve,2008-1092; reference:url,en.wikipedia.org/wiki/Microsoft_access; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-028; classtype:misc-activity; sid:13626; rev:22;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft SYmbolic LinK file magic detected"; flow:to_client,established; file_data; content:"ID|3B|P"; depth:4; nocase; content:"|0A|"; within:3; byte_test:1,>=,0x41,0,relative; byte_test:1,<=,0x7A,0,relative; content:"|3B|"; within:4; flowbits:set,file.slk; flowbits:noalert; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0112; reference:url,en.wikipedia.org/wiki/SYmbolic_LinK_(SYLK); reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:misc-activity; sid:13585; rev:20;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft SYmbolic LinK file download request"; flow:to_server,established; content:".slk"; fast_pattern:only; http_uri; pcre:"/\x2eslk([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.slk; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0112; reference:url,en.wikipedia.org/wiki/SYmbolic_LinK_(SYLK); reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:misc-activity; sid:13583; rev:23;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Publisher file download request"; flow:to_server,established; content:".pub"; fast_pattern:only; http_uri; pcre:"/\x2epub([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pub; flowbits:noalert; metadata:policy max-detect-ips alert, service http; reference:url,en.wikipedia.org/wiki/Microsoft_publisher; classtype:misc-activity; sid:13473; rev:21;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Works file download request"; flow:to_server,established; content:".wps"; fast_pattern:only; http_uri; pcre:"/\x2ewps([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.works; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Microsoft_works; classtype:misc-activity; sid:13465; rev:20;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Media Player asf/wmv/wma file magic detected"; flow:to_client,established; file_data; content:"|01 CD 87 F4 51 A9 CF 11 8E E6 00 C0 0C| Se"; content:" |DB FE 4C F6 55 CF 11 9C 0F 00 A0 C9 03 49 CB|"; within:16; distance:8; flowbits:set,file.asf; flowbits:set,file.wmv; flowbits:set,file.wma; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:12972; rev:21;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Lotus 123 file attachment"; flow:to_server,established; content:".123"; fast_pattern:only; content:"Content-Disposition|3A| attachment|3B|"; pcre:"/filename\s*=[^\n]*\.123/si"; flowbits:set,file.123; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26200; reference:bugtraq,27835; reference:cve,2007-4222; reference:cve,2007-6593; reference:url,www-1.ibm.com/support/docview.wss?uid=swg21285600; reference:url,www.coresecurity.com/index.php5?action=item&id=2008; classtype:suspicious-filename-detect; sid:12807; rev:16;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Word for Mac 5 file magic detected"; flow:to_client,established; file_data; content:"|FE|7|00 23|"; depth:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25906; reference:cve,2007-3899; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-060; classtype:misc-activity; sid:12641; rev:19;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY SAP Crystal Reports file magic detected"; flow:to_client,established; flowbits:isset,file.rpt; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1 00|"; depth:9; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,21261; reference:cve,2006-6133; reference:url,en.wikipedia.org/wiki/Crystal_Report; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-052; classtype:misc-activity; sid:12456; rev:24;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY SAP Crystal Reports file download request"; flow:to_server,established; content:".rpt"; fast_pattern:only; http_uri; pcre:"/\x2erpt([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rpt; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Crystal_Report; classtype:misc-activity; sid:12455; rev:25;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Media ASF file magic detected"; flow:to_client,established; file_data; content:"|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; depth:16; flowbits:set,file.asf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Advanced_Systems_Format; classtype:misc-activity; sid:12454; rev:21;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel xlw file magic detected"; flow:to_client,established; file_data; content:"|09 04 06 00 00 04 00 01|"; depth:8; flowbits:set,file.xls; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,sc.openoffice.org/excelfileformat.pdf; classtype:misc-activity; sid:12283; rev:23;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Media Player compressed skin download request"; flow:established,to_server; content:".wmz"; nocase; http_uri; pcre:"/\x2ewmz([\?\x5c\x2f]|$)/smiU"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25305; reference:cve,2007-3037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-047; classtype:misc-activity; sid:12278; rev:17;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Flash Video file magic detected"; flow:to_client,established; file_data; content:"FLV|01|"; content:"|00 00 00 09|"; within:4; distance:1; flowbits:set,file.swf; flowbits:set,file.flv; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/.flv; classtype:misc-activity; sid:12182; rev:22;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Visio file magic detected"; flow:established,to_client; file_data; content:"Visio |28|TM|29| Drawing|0D 0A|"; fast_pattern:only; flowbits:set,file.visio; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,office.microsoft.com/en-us/visio/default.aspx; classtype:policy-violation; sid:11835; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY M3U file magic detected"; flow:to_client,established; file_data; content:"|23|EXTM3U"; depth:7; flowbits:set,file.m3u; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/.m3u; classtype:misc-activity; sid:9845; rev:20;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Publisher file magic detected"; flow:to_client,established; file_data; content:"CHNKINK "; flowbits:set,file.pub; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0001; reference:url,en.wikipedia.org/wiki/Microsoft_publisher; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-054; classtype:misc-activity; sid:8478; rev:19;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY CBO CBL CBM file transfer attempt"; flow:to_client,established; file_data; content:"Interactive Training]"; pcre:"/\[(Microsoft |Microsoft Press )?Interactive Training\]/"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13944; reference:cve,2005-1212; reference:cve,2006-3448; reference:nessus,18492; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-031; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-005; classtype:attempted-user; sid:4196; rev:18;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows CHM file magic detected"; flow:to_client,established; file_data; content:"ITSF"; depth:4; content:"ITSP"; within:112; flowbits:set,file.chm; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13953; reference:cve,2005-1208; reference:nessus,18482; reference:url,attack.mitre.org/techniques/T1223; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-026; classtype:attempted-user; sid:3820; rev:26;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY CHM file download request"; flow:to_server,established; content:".chm"; fast_pattern:only; http_uri; pcre:"/\x2echm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.chm; flowbits:noalert; metadata:policy max-detect-ips alert, service http; reference:url,attack.mitre.org/techniques/T1223; reference:url,en.wikipedia.org/wiki/Microsoft_Compiled_HTML_Help; classtype:misc-activity; sid:3819; rev:24;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY HTA file download request"; flow:to_server,established; content:".hta"; fast_pattern:only; http_uri; pcre:"/\x2ehta([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.hta; flowbits:noalert; metadata:service http; reference:url,attack.mitre.org/techniques/T1170; reference:url,en.wikipedia.org/wiki/HTML_Application; classtype:misc-activity; sid:3551; rev:20;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file download request"; flow:to_server,established; content:".wmf"; fast_pattern:only; http_uri; pcre:"/\x2ewmf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.wmf; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:2436; rev:29;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft emf file download request"; flow:to_server,established; content:".emf"; fast_pattern:only; http_uri; pcre:"/\x2eemf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.emf; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, ruleset community, service http; reference:bugtraq,10120; reference:bugtraq,28819; reference:bugtraq,9707; reference:cve,2003-0906; reference:cve,2007-5746; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-001; classtype:misc-activity; sid:2435; rev:33;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request"; flow:to_server,established; content:".rp"; fast_pattern:only; http_uri; pcre:"/\x2erp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2423; rev:28;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request"; flow:to_server,established; content:".rt"; fast_pattern:only; http_uri; pcre:"/\x2ert([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2422; rev:29;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request"; flow:to_server,established; content:".rmp"; fast_pattern:only; http_uri; pcre:"/\x2ermp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rmp; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2420; rev:30;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request"; flow:to_server,established; content:".ra"; fast_pattern:only; http_uri; pcre:"/\x2eram?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2419; rev:28;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY WordPerfect file download request"; flow:to_server,established; content:".wpd"; fast_pattern:only; http_uri; pcre:"/\x2ewpd([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.wpd; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:34631; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY WordPerfect file attachment detected"; flow:to_server,established; content:".wpd"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2ewpd[\x22\x27\s]/si"; flowbits:set,file.wpd; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:34630; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY WordPerfect file attachment detected"; flow:to_client,established; content:".wpd"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2ewpd[\x22\x27\s]/si"; flowbits:set,file.wpd; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:34629; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY GNI file magic detected"; flow:to_client,established; file_data; content:"AGNI"; depth:4; flowbits:set,file.gni; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:35250; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY GNI file attachment detected"; flow:to_server,established; content:".gni"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2egni[\x22\x27\s]/si"; flowbits:set,file.gni; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:35249; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY GNI file attachment detected"; flow:to_client,established; content:".gni"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2egni[\x22\x27\s]/si"; flowbits:set,file.gni; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:35248; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY GNI file download request"; flow:to_server,established; content:".gni"; fast_pattern:only; http_uri; pcre:"/\x2egni([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.gni; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:35247; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe LZMA compressed Flash file download request"; flow:to_server,established; content:".swf"; fast_pattern:only; http_uri; pcre:"/\x2eswf([\x3f\x2f]|$)/Uim"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:35459; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe LZMA compressed Flash file magic detected"; flow:to_server,established; file_data; content:"ZWS"; depth:3; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:35458; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe LZMA compressed Flash file attachment detected"; flow:to_server,established; content:".swf"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eswf[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.swf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:35457; rev:6;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe LZMA compressed Flash file attachment detected"; flow:to_client,established; content:".swf"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eswf[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:35456; rev:6;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe LZMA compressed Flash file magic detected"; flow:to_client,established; file_data; content:"ZWS"; depth:3; flowbits:set,file.swf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:35455; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4A file magic detected"; flow:to_server,established; file_data; content:"ftypM4A"; depth:7; offset:4; flowbits:set,file.mp4; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:35433; rev:7;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY M4A file magic detected"; flow:to_client,established; file_data; content:"ftypM4A"; depth:7; offset:4; flowbits:set,file.mp4; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:35432; rev:7;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY ZSoft PCX file download request"; flow:to_server,established; content:".pcx"; fast_pattern:only; http_uri; pcre:"/\x2epcx([\x3f\x2f]|$)/Uim"; flowbits:set,file.pcx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:35797; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ZSoft PCX file attachment detected"; flow:to_server,established; content:".pcx"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2epcx[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.pcx; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:35796; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY ZSoft PCX file attachment detected"; flow:to_client,established; content:".pcx"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2epcx[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.pcx; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:35795; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file upload detected"; flow:to_server,established; file_data; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:35852; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Windows Media Center link file attachment detected"; flow:to_server,established; content:".mcl"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2emcl[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.mcl; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:35981; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Windows Media Center link file attachment detected"; flow:to_client,established; content:".mcl"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2emcl[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.mcl; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:35980; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Windows Media Center link file download request"; flow:to_server,established; content:".mcl"; fast_pattern:only; http_uri; pcre:"/\x2emcl([\x3f\x2f]|$)/Uim"; flowbits:set,file.mcl; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:35979; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-IDENTIFY OLE Document upload detected"; flow:to_server,established; file_data; content:"Content-Disposition|3A|"; nocase; content:"Form-data|3B|"; within:20; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:200; fast_pattern; flowbits:set,file.ole; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:36058; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-IDENTIFY Oracle Java JMX management loading mlet detected"; flow:to_server,established; file_data; content:"javax.management.loading.MLet"; fast_pattern:only; flowbits:set,file.jmx; flowbits:noalert; metadata:service java_rmi; classtype:misc-activity; sid:36531; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY TTF file attachment detected"; flow:to_server,established; content:".ttf"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2ettf[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.ttf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:36748; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows .NET Application file attachment detected"; flow:to_server,established; content:".application"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eapplication[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.application; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:36711; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Obfuscated .wsf download attempt"; flow:established,to_server; content:".wsf"; fast_pattern:only; http_uri; pcre:"/\x2E(doc|xls|docx|ppt|pptx|docm|rtf)[\x20\x5F]+\x2Ewsf/iU"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:37132; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY .wsf attachment file type blocked by Outlook detected"; flow:established,to_server; flowbits:isset,file.zip; file_data; content:".wsf"; fast_pattern:only; pcre:"/\x2E(doc|xls|docx|ppt|pptx|docm|rtf)[\x20\x5F]+\x2Ewsf/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:policy-violation; sid:37131; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Obfuscated .wsf download attempt"; flow:established,to_client; flowbits:isset,file.zip; file_data; content:".wsf"; fast_pattern:only; pcre:"/\x2E(doc|xls|docx|ppt|pptx|docm|rtf)[\x20\x5F]+\x2Ewsf/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:37130; rev:4;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PESpin v0.3 packer file magic detected"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isnotset,file.packed; flowbits:isset,file.exe; file_data; isdataat:17; content:"|EB 01 68 60 E8|"; content:"|8B 1C 24 83|"; within:4; distance:4; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:37452; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe Texture Format file download request"; flow:to_server,established; content:".atf"; fast_pattern:only; http_uri; pcre:"/\x2eatf([\x3f\x2f]|$)/Uim"; flowbits:set,file.atf; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:37788; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Texture Format file magic detected"; flow:to_server,established; file_data; content:"ATF"; fast_pattern:only; flowbits:set,file.atf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:37787; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Adobe Texture Format file attachment detected"; flow:to_server,established; content:".atf"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eatf[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.atf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:37786; rev:4;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Texture Format file attachment detected"; flow:to_client,established; content:".atf"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eatf[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.atf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:37785; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe Texture Format file magic detected"; flow:to_client,established; file_data; content:"ATF"; fast_pattern:only; flowbits:set,file.atf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:37784; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY DMG com.apple.decmpfs file magic detected"; flow:to_server,established; file_data; content:"c|00|o|00|m|00|.|00|a|00|p|00|p|00|l|00|e|00|.|00|d|00|e|00|c|00|m|00|p|00|f|00|s"; fast_pattern:only; flowbits:set,file.decmpfs; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/HFS_Plus; classtype:misc-activity; sid:38307; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY DMG com.apple.decmpfs file magic detected"; flow:to_client,established; file_data; content:"c|00|o|00|m|00|.|00|a|00|p|00|p|00|l|00|e|00|.|00|d|00|e|00|c|00|m|00|p|00|f|00|s"; fast_pattern:only; flowbits:set,file.decmpfs; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/HFS_Plus; classtype:misc-activity; sid:38306; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY UDF file magic detected"; flow:to_server,established; file_data; content:"|00|NSR0"; fast_pattern:only; flowbits:set,file.udf; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Universal_Disk_Format; classtype:misc-activity; sid:38292; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY UDF file magic detected"; flow:to_client,established; file_data; content:"|00|NSR0"; fast_pattern:only; flowbits:set,file.udf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Universal_Disk_Format; classtype:misc-activity; sid:38291; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Hancom Hangul Office Document file magic detected"; flow:to_server,established; file_data; content:"Robus Data File"; fast_pattern:only; flowbits:set,file.hpt; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:38866; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Hancom Hangul Office Document file magic detected"; flow:to_client,established; file_data; content:"Robus Data File"; fast_pattern:only; flowbits:set,file.hpt; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:38865; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Hancom Hangul Office Document file attachment detected"; flow:to_server,established; content:".hpt"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2ehpt[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.hpt; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:38864; rev:4;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Hancom Hangul Office Document file attachment detected"; flow:to_client,established; content:".hpt"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2ehpt[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.hpt; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:38863; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Hancom Hangul Office Document file download request"; flow:to_server,established; content:".hpt"; fast_pattern:only; http_uri; pcre:"/\x2ehpt([\x3f\x2f]|$)/Uim"; flowbits:set,file.hpt; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:38862; rev:4;)
|
|
alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Hancom Hangul HCell file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; fast_pattern:only; flowbits:set,file.cell; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:38855; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Hancom Hangul HCell file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; fast_pattern:only; flowbits:set,file.cell; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:38854; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Hancom Hangul HCell file attachment detected"; flow:to_server,established; content:".cell"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename"; nocase; pcre:"/filename(\*\d*)?=[\x22\x27]?[^\n]*\x2ecell[\x22\x27\s]/si"; flowbits:set,file.cell; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:38853; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Hancom Hangul HCell file attachment detected"; flow:to_client,established; content:".cell"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename"; nocase; pcre:"/filename(\*\d*)?=[\x22\x27]?[^\n]*\x2ecell[\x22\x27\s]/si"; flowbits:set,file.cell; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:38852; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Hancom Hangul HCell file download request"; flow:to_server,established; content:".cell"; fast_pattern:only; nocase; http_uri; pcre:"/\x2ecell([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.cell; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:38851; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Heroes of Might and Magic III map file download request"; flow:to_server,established; content:".h3m"; fast_pattern:only; http_uri; pcre:"/\x2eh3m([\x3f\x2f]|$)/Uim"; flowbits:set,file.h3m; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:39778; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Heroes of Might and Magic III map file attachment detected"; flow:to_client,established; content:".h3m"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eh3m[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.h3m; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:39777; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Heroes of Might and Magic III map file attachment detected"; flow:to_server,established; content:".h3m"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eh3m[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.h3m; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:39776; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Hierarchal Data Format file magic detected"; flow:to_server,established; file_data; content:"|89|HDF"; fast_pattern:only; flowbits:set,file.hdf; flowbits:noalert; metadata:service smtp; reference:url,www.talosintel.com/vulnerability-reports; classtype:misc-activity; sid:40021; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Hierarchal Data Format file magic detected"; flow:to_client,established; file_data; content:"|89|HDF"; fast_pattern:only; flowbits:set,file.hdf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.talosintel.com/vulnerability-reports; classtype:misc-activity; sid:40020; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Hierarchal Data Format file attachment detected"; flow:to_server,established; content:".hdf"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filenames*=\s*[^\r\n]*?\x2ehdf[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.hdf; flowbits:noalert; metadata:service smtp; reference:url,www.talosintel.com/vulnerability-reports; classtype:misc-activity; sid:40019; rev:4;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Hierarchal Data Format file attachment detected"; flow:to_client,established; content:".hdf"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filenames*=\s*[^\r\n]*?\x2ehdf[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.hdf; flowbits:noalert; metadata:service imap, service pop3; reference:url,www.talosintel.com/vulnerability-reports; classtype:misc-activity; sid:40018; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Hierarchal Data Format file download request"; flow:to_server,established; content:".hdf"; fast_pattern:only; http_uri; pcre:"/\x2ehdf([\x3f\x2f]|$)/Uim"; flowbits:set,file.hdf; flowbits:noalert; metadata:service http; reference:url,www.talosintel.com/vulnerability-reports; classtype:misc-activity; sid:40017; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XLSB file magic detected"; flow:to_server,established; file_data; content:"PK|03 04|"; depth:4; flowbits:set,file.zip; flowbits:set,file.xlsb; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:40036; rev:7;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XLSB file magic detected"; flow:to_client,established; file_data; content:"PK|03 04|"; depth:4; flowbits:set,file.zip; flowbits:set,file.xlsb; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:40035; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Excel XLSB file attachment detected"; flow:to_server,established; content:".xlsb"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2exlsb[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.xlsb; flowbits:noalert; metadata:policy max-detect-ips alert, service smtp; classtype:misc-activity; sid:40120; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Excel XLSB file attachment detected"; flow:to_client,established; content:".xlsb"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2exlsb[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.xlsb; flowbits:noalert; metadata:policy max-detect-ips alert, service imap, service pop3; classtype:misc-activity; sid:40119; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Excel XLSB file download request"; flow:to_server,established; content:".xlsb"; fast_pattern:only; http_uri; pcre:"/\x2exlsb([\x3f\x2f]|$)/Uim"; flowbits:set,file.xlsb; flowbits:noalert; metadata:policy max-detect-ips alert, service http; classtype:misc-activity; sid:40118; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Windows registry hive file download request"; flow:to_server,established; content:".dat"; fast_pattern:only; http_uri; pcre:"/\x2edat([\x3f\x2f]|$)/Uim"; flowbits:set,file.regf; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:40391; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Windows registry hive file magic detected"; flow:to_server,established; file_data; content:"regf"; depth:4; flowbits:set,file.regf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:40390; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Windows registry hive file attachment detected"; flow:to_server,established; content:".dat"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2edat[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.regf; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:40389; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Windows registry hive file attachment detected"; flow:to_client,established; content:".dat"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2edat[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.regf; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:40388; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Windows registry hive file magic detected"; flow:to_client,established; file_data; content:"regf"; depth:4; flowbits:set,file.regf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:40387; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY R Programming Language source file file attachment detected"; flow:to_server,established; content:".r"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename"; nocase; pcre:"/filename(\*\d*)?=[\x22\x27]?[^\n]*\x2er[\x22\x27\s]/si"; flowbits:set,file.r; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:40893; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY R Programming Language source file file attachment detected"; flow:to_client,established; content:".r"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename"; nocase; pcre:"/filename(\*\d*)?=[\x22\x27]?[^\n]*\x2er[\x22\x27\s]/si"; flowbits:set,file.r; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:40892; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY R Programming Language source file file download request"; flow:to_server,established; content:".r"; fast_pattern:only; nocase; http_uri; pcre:"/\x2er([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.r; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:40891; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ico file attachment detected"; flow:to_server,established; content:".ico"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eico[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.ico; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:40981; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY ico file attachment detected"; flow:to_client,established; content:".ico"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eico[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.ico; flowbits:noalert; metadata:service imap, service pop3; classtype:misc-activity; sid:40980; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY ico file download request"; flow:to_server,established; content:".ico"; fast_pattern:only; http_uri; pcre:"/\x2eico([\x3f\x2f]|$)/Uim"; flowbits:set,file.ico; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:40979; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY AOP file download request"; flow:to_server,established; content:".aop"; fast_pattern:only; http_uri; flowbits:set,file.aop; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:42223; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY ISO file download request"; flow:to_server,established; content:".iso"; fast_pattern:only; http_uri; pcre:"/\x2eiso([\x3f\x2f]|$)/Uim"; flowbits:set,file.iso; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/ISO_9660; classtype:misc-activity; sid:42262; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ISO file magic detected"; flow:to_server,established; file_data; content:"CD001|01|"; fast_pattern:only; flowbits:set,file.iso; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/ISO_9660; classtype:misc-activity; sid:42261; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ISO file attachment detected"; flow:to_server,established; content:"|0D 0A|Encoding|3A| "; nocase; content:"uuencode"; distance:0; fast_pattern; nocase; content:"|0D 0A|begin "; nocase; content:".iso"; distance:0; nocase; pcre:"/^begin [^\n]*?\x2eiso/mi"; flowbits:set,file.iso; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/ISO_9660; classtype:misc-activity; sid:42260; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ISO file attachment detected"; flow:to_server,established; content:".iso"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eiso[\x22\x27\x3b\s]/i"; flowbits:set,file.iso; flowbits:noalert; metadata:service smtp; reference:url,en.wikipedia.org/wiki/ISO_9660; classtype:misc-activity; sid:42259; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY ISO file attachment detected"; flow:to_client,established; content:".iso"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eiso[\x22\x27\x3b\s]/i"; flowbits:set,file.iso; flowbits:noalert; metadata:service imap, service pop3; reference:url,en.wikipedia.org/wiki/ISO_9660; classtype:misc-activity; sid:42258; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY ISO file magic detected"; flow:to_client,established; file_data; content:"CD001|01|"; fast_pattern:only; flowbits:set,file.iso; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/ISO_9660; classtype:misc-activity; sid:42257; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY gzip compressed file detected"; flow:to_server,established; file_data; content:"|1F 8B|"; depth:2; byte_test:1,<=,8,0,relative; flowbits:set,file.gz; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:42371; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-IDENTIFY gzip compressed file detected"; flow:to_server,established; file_data; content:"|1F 8B|"; depth:2; byte_test:1,<=,8,0,relative; flowbits:set,file.gz; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:42370; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY gzip compressed file detected"; flow:to_client,established; file_data; content:"|1F 8B|"; depth:2; byte_test:1,<=,8,0,relative; flowbits:set,file.gz; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:42369; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XZ compressed file detected"; flow:to_server,established; file_data; content:"|FD|7zXZ|00|"; depth:6; flowbits:set,file.xz; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:42368; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XZ compressed file detected"; flow:to_server,established; file_data; content:"|FD|7zXZ|00|"; depth:6; flowbits:set,file.xz; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:42367; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XZ compressed file detected"; flow:to_client,established; file_data; content:"|FD|7zXZ|00|"; depth:6; flowbits:set,file.xz; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:42366; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY bzip2 compressed file detected"; flow:to_server,established; file_data; content:"BZh"; depth:3; byte_test:1,<,10,0,relative,string,dec; flowbits:set,file.bz2; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:42365; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-IDENTIFY bzip2 compressed file detected"; flow:to_server,established; file_data; content:"BZh"; depth:3; byte_test:1,<,10,0,relative,string,dec; flowbits:set,file.bz2; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:42364; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY bzip2 compressed file detected"; flow:to_client,established; file_data; content:"BZh"; depth:3; byte_test:1,<,10,0,relative,string,dec; flowbits:set,file.bz2; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:42363; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ISO file attachment with executable detected"; flow:to_server,established; flowbits:isset,file.iso; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:service smtp; classtype:misc-activity; sid:42919; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ISO file attachment detected"; flow:to_server,established; content:".iso"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eiso[\x22\x27\x3b\s\r\n]/i"; flowbits:set,file.iso; metadata:service smtp; classtype:misc-activity; sid:42918; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected"; flow:to_server,established; file_data; content:"POST"; http_method; content:"|00 09 00 00|"; depth:5; offset:1; fast_pattern; content:!"|00|"; depth:1; byte_test:1,<=,2,0; flowbits:set,file.wmf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:43364; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected"; flow:to_client,established; file_data; content:"|00 09 00 00|"; depth:5; offset:1; fast_pattern; content:!"|00|"; depth:1; byte_test:1,<=,2,0; flowbits:set,file.wmf; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:43363; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY FLIC animation file attachment detected"; flow:to_server,established; content:"|0D 0A|Encoding|3A| "; nocase; content:"uuencode"; distance:0; fast_pattern; nocase; content:"|0D 0A|begin "; nocase; content:".flc"; distance:0; nocase; pcre:"/^begin [^\n]*?\x2eflc/mi"; flowbits:set,file.flc; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:43090; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY FLIC animation file attachment detected"; flow:to_server,established; content:".flc"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eflc[\x22\x27\x3b\s]/i"; flowbits:set,file.flc; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:43089; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY FLIC animation file attachment detected"; flow:to_client,established; content:".flc"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eflc[\x22\x27\x3b\s]/i"; flowbits:set,file.flc; metadata:policy max-detect-ips drop, service imap, service pop3; classtype:misc-activity; sid:43088; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY FLIC animation file download request"; flow:to_server,established; content:".flc"; fast_pattern:only; http_uri; pcre:"/\x2eflc([\x3f\x2f]|$)/Uim"; flowbits:set,file.flc; metadata:policy max-detect-ips drop, service http; classtype:misc-activity; sid:43087; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Rhinoceros 3D 3dm file attachment detected"; flow:to_server,established; content:"|0D 0A|Encoding|3A| "; nocase; content:"uuencode"; distance:0; fast_pattern; nocase; content:"|0D 0A|begin "; nocase; content:".3dm"; distance:0; nocase; pcre:"/^begin [^\n]*?\x2e3dm/mi"; flowbits:set,file.3dm; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:43086; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Rhinoceros 3D 3dm file attachment detected"; flow:to_server,established; content:".3dm"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2e3dm[\x22\x27\x3b\s]/i"; flowbits:set,file.3dm; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:43085; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Rhinoceros 3D 3dm file attachment detected"; flow:to_client,established; content:".3dm"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2e3dm[\x22\x27\x3b\s]/i"; flowbits:set,file.3dm; metadata:policy max-detect-ips drop, service imap, service pop3; classtype:misc-activity; sid:43084; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Rhinoceros 3D 3dm file download request"; flow:to_server,established; content:".3dm"; fast_pattern:only; http_uri; pcre:"/\x2e3dm([\x3f\x2f]|$)/Uim"; flowbits:set,file.3dm; metadata:policy max-detect-ips drop, service http; classtype:misc-activity; sid:43083; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office PowerPoint ppt file attachment detected file attachment detected"; flow:to_server,established; content:"|0D 0A|Encoding|3A| "; nocase; content:"uuencode"; distance:0; fast_pattern; nocase; content:"|0D 0A|begin "; nocase; content:".ppt"; distance:0; nocase; pcre:"/^begin [^\n]*?\x2eppt/mi"; flowbits:set,file.ppt; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:44030; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Excel file attachment detected"; flow:to_server,established; content:"|0D 0A|Encoding|3A| "; nocase; content:"uuencode"; distance:0; fast_pattern; nocase; content:"|0D 0A|begin "; nocase; content:".xls"; distance:0; nocase; pcre:"/^begin [^\n]*?\x2exls/mi"; flowbits:set,file.xls; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:44275; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Office Word doc file attachment detected"; flow:to_server,established; content:"|0D 0A|Encoding|3A| "; nocase; content:"uuencode"; distance:0; fast_pattern; nocase; content:"|0D 0A|begin "; nocase; content:".doc"; distance:0; nocase; pcre:"/^begin [^\n]*?\x2edoc/mi"; flowbits:set,file.doc; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:44231; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Blender blend file magic detected"; flow:to_server,established; file_data; content:"BLENDER_v"; depth:9; flowbits:set,file.blend.little.32; flowbits:noalert; metadata:service smtp; classtype:misc-activity; sid:44442; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Blender blend file magic detected"; flow:to_client,established; file_data; content:"BLENDER_v"; depth:9; flowbits:set,file.blend.little.32; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:44441; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt"; flow:to_client,established; content:".usk"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eusk[\x22\x27\x3b\s]/i"; flowbits:set,file.usk; metadata:service imap, service pop3; classtype:misc-activity; sid:44786; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt"; flow:to_server,established; content:".usk"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eusk[\x22\x27\x3b\s]/i"; flowbits:set,file.usk; metadata:service smtp; classtype:misc-activity; sid:44785; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt"; flow:to_server,established; content:".usk"; fast_pattern:only; http_uri; pcre:"/\x2eusk([\x3f\x2f]|$)/Uim"; flowbits:set,file.usk; metadata:service http; classtype:misc-activity; sid:44784; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt"; flow:to_server,established; content:"|0D 0A|Encoding|3A| "; nocase; content:"uuencode"; distance:0; fast_pattern; nocase; content:"|0D 0A|begin "; nocase; content:".usk"; distance:0; nocase; pcre:"/^begin [^\n]*?\x2eusk/mi"; flowbits:set,file.usk; metadata:service smtp; classtype:misc-activity; sid:44783; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY WebAssembly file attachment detected"; flow:to_server,established; content:".wasm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ewasm/i"; flowbits:set,file.wasm; flowbits:noalert; metadata:service smtp; reference:url,github.com/WebAssembly/design/blob/master/BinaryEncoding.md; classtype:misc-activity; sid:46394; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY WebAssembly file detected"; flow:to_server,established; file_data; content:"|00|asm|01 00 00 00|"; depth:8; flowbits:set,file.wasm; flowbits:noalert; metadata:service smtp; reference:url,github.com/WebAssembly/design/blob/master/BinaryEncoding.md; classtype:misc-attack; sid:46393; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY WebAssembly file download detected"; flow:to_client,established; file_data; content:"|00|asm|01 00 00 00|"; depth:8; flowbits:set,file.wasm; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,github.com/WebAssembly/design/blob/master/BinaryEncoding.md; classtype:misc-attack; sid:46367; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected"; flow:to_server,established; content:"|0D 0A|Encoding|3A| "; nocase; content:"uuencode"; distance:0; fast_pattern; nocase; content:"|0D 0A|begin "; nocase; content:".SR3"; distance:0; nocase; pcre:"/^begin [^\n]*?\x2eSR3/mi"; flowbits:set,file.sr3; flowbits:noalert; metadata:service smtp; reference:url,industrial.omron.eu/en/products/cx-supervisor; classtype:misc-activity; sid:48556; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected"; flow:to_server,established; content:".SR3"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eSR3[\x22\x27\x3b\s]/i"; flowbits:set,file.sr3; flowbits:noalert; metadata:service smtp; reference:url,industrial.omron.eu/en/products/cx-supervisor; classtype:misc-activity; sid:48555; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected"; flow:to_client,established; content:".SR3"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"attachment"; nocase; content:"filename"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?\x2eSR3[\x22\x27\x3b\s]/i"; flowbits:set,file.sr3; flowbits:noalert; metadata:service imap, service pop3; reference:url,industrial.omron.eu/en/products/cx-supervisor; classtype:misc-activity; sid:48554; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Omron CX-Supervisor project file file download request"; flow:to_server,established; content:".SR3"; fast_pattern:only; http_uri; pcre:"/\x2eSR3([\x3f\x2f]|$)/Uim"; flowbits:set,file.sr3; flowbits:noalert; metadata:service http; reference:url,industrial.omron.eu/en/products/cx-supervisor; classtype:misc-activity; sid:48553; rev:1;)
|