# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------
# FILE-JAVA RULES
#-----------------
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java trusted method chaining attempt"; flow:to_client,established; file_data; content:"|50 4B 03 04|"; depth:4; content:"vuln/Link"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-0840; classtype:attempted-user; sid:20529; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java attempt to write in system32"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/io/FileInputStream"; nocase; content:"|5C|system32|5C|"; metadata:service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:21056; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Zip file directory record overflow attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|05 06|"; byte_test:2,=,0,6,relative,little; byte_test:4,=,46,8,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,52013; reference:cve,2012-0501; classtype:attempted-user; sid:23560; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java runtime RMIConnectionImpl deserialization execution attempt"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"|18 00 00 00|PayloadClassLoader.class"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-0094; classtype:attempted-user; sid:21387; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java HsbParser.getSoundBank stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|01 00 2C 28|Ljava|2F|net|2F|URL|3B 29|Ljavax|2F|sound|2F|midi|2F|Soundbank"; content:"|01 00 0C|getSoundbank"; content:"file|3A 2F 2F|"; byte_test:2,>,312,-9,relative,big; content:"|01|"; within:1; distance:-10; pcre:"/^.{2}file|3A 2F 2F|[\x21-\x7E]{305}/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36881; reference:cve,2009-3867; classtype:attempted-user; sid:17776; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime Environment Type1 Font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|1F 8B 08 08 D4 73 61 49 00 03 65 2E 70 61 63 6B 00 ED CE 3B 4B 03 41 10 00 E0 D9 7B C7 3B 15 63 63 2D 16 8A 8F D3 68 17 11 22 E4 34 21 31 82 31|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34240; reference:cve,2009-1099; classtype:attempted-user; sid:17624; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java runtime JPEGImageReader overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|73 65 74 53 6F 75 72 63 65 53 75 62 73 61 6D 70 6C 69 6E 67 01 00 07|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36881; reference:cve,2009-3864; reference:cve,2009-3865; reference:cve,2009-3866; reference:cve,2009-3867; reference:cve,2009-3868; reference:cve,2009-3869; reference:cve,2009-3871; reference:cve,2009-3872; reference:cve,2009-3873; reference:cve,2009-3874; reference:cve,2009-3875; reference:cve,2009-3876; reference:cve,2009-3877; classtype:attempted-user; sid:20055; rev:10;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Applet Rhino script engine remote code execution attempt"; flow:to_client,established; file_data; flowbits:isset,file.jar; content:"AgentLauncher.class"; fast_pattern:only; content:"RhinoExploit.class"; nocase; content:"agent.exe"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3544; classtype:attempted-user; sid:20831; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Rhino script engine remote code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Exploit.class"; fast_pattern; content:"StreamConnector.class"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3544; classtype:attempted-user; sid:23008; rev:8;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"cve2012xxxx/Gondzz"; fast_pattern:only; content:"xiaomaol"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24022; rev:9;)
# NOTE(review): content:"java/security/ProtectionDomain" appears twice in this rule with no relative
# modifiers (distance/within), so the second occurrence searches the same buffer for the same string and
# appears redundant; it can likely be dropped without changing what the rule detects (confirm before editing).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"cve2012xxxx/Gondvv"; content:"java/security/ProtectionDomain"; content:"java/security/ProtectionDomain"; content:"java/security/AccessControlContext"; content:"xiaomaol"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24024; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"cve2012xxxx/Gondvv"; content:"java/security/AccessControlContext"; content:"xiaomaol"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24025; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"Expression"; pcre:"/Expression\x28\s*?GetClass\x28\x22sun.awt.SunToolkit\x22\x29\s*?,\s*?\x22getField\x22/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24038; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"cve2012xxxx/Gondzz"; fast_pattern:only; content:"xiaomaol"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24023; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|D3 2D 69 D2 25 D3 76 9A A6 4D 9B A6 49 DA A4 CD D2 C9 D2 E9 B4 4D 9C 73 05 78 C3 6F DE E4 AF 9A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24056; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|D3 2D 69 D2 25 D3 76 9A A6 4D 9B A6 49 DA A4 CD D2 C9 D2 E9 B4 4D 9C 73 05 78 C3 6F DE E4 AF 9A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24055; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|6B 78 9E B5 D6 F6 FF F1 FF FC 6F FF FB 97 2F 5F EC 5F FE EF 83 2F 42 C1 97 E3 6E 8B FF 67 FD F3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24057; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|6B 78 9E B5 D6 F6 FF F1 FF FC 6F FF FB 97 2F 5F EC 5F FE EF 83 2F 42 C1 97 E3 6E 8B FF 67 FD F3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24058; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java getSoundBank overflow Attempt malicious jar file"; flow:to_client,established; file_data; content:"|50 4B 03 04 14 00 08 00 08 00 48 5A 8E 3B 00 00 00 00 00 00 00 00 00 00 00 00 09 00 04 00 4D 45 54 41 2D 49 4E 46 2F FE CA 00 00 03 00 50 4B 07 08 00 00 00 00 02 00 00 00 00 00 00 00 50 4B 03 04 14 00 08 00 08 00 48 5A 8E 3B 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 4D 45 54 41 2D 49 4E 46 2F|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36881; reference:cve,2009-3867; classtype:attempted-user; sid:20858; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|76 E3 66 C2 8B 9E E3 1F E1 1C 7B FC D4 AF F6 1C 4D 38 E2 F1 07 F8 53 FC 11 E2 9D 6D 08 04 A3 F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24066; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|76 E3 66 C2 8B 9E E3 1F E1 1C 7B FC D4 AF F6 1C 4D 38 E2 F1 07 F8 53 FC 11 E2 9D 6D 08 04 A3 F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24065; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"com/sun/beans/finder/MethodFinder"; fast_pattern:only; content:"sun.awt.SunToolkit|07 00 73 0C 00 74 00 75 01 00 08|getField"; content:"java/security/AccessControlContext"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24064; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|71 CE 4E 75 4D BD 4B 75 9C 44 B4 63 27 77 A7 84 92 2D DF 59 4E 73 E2 F4 DE AB D3 BB D3 BB F2 17|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24084; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|71 CE 4E 75 4D BD 4B 75 9C 44 B4 63 27 77 A7 84 92 2D DF 59 4E 73 E2 F4 DE AB D3 BB D3 BB F2 17|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24085; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|65 38 5C 78 65 61 5C 78 39 39 5C 78 31 39 5C 74 5C 78 61 35 33 5C 78 66 64 5B 5C 78 64 39 5C 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24126; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|65 38 5C 78 65 61 5C 78 39 39 5C 78 31 39 5C 74 5C 78 61 35 33 5C 78 66 64 5B 5C 78 64 39 5C 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24125; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JNLP parameter argument injection attempt"; flow:to_client,established; file_data; content:"<jnlp"; nocase; content:"property"; distance:0; nocase; content:"-Djava"; fast_pattern:only; content:"|2D|Djava.security.policy"; nocase; pcre:"/<jnlp.*?\x3C\s*?property[^\x3E]*?name[^\x3E]*?value\s*?[^\x3E]*?\-Djava\.security\.policy/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2005-0418; classtype:attempted-user; sid:20820; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Javascript document.domain attempt"; flow:to_client,established; file_data; content:"document.domain|28|"; nocase; metadata:ruleset community, service http; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-JAVA Oracle Java Runtime Environment .hotspot_compiler file load exploit attempt"; flow:to_server,established; content:"|2F|.hotspot_compiler"; nocase; http_uri; metadata:service http; reference:url,secunia.com/advisories/45173; classtype:attempted-user; sid:19604; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-JAVA Oracle Java Runtime Environment .hotspotrc file load exploit attempt"; flow:to_server,established; content:"|2F|.hotspotrc"; nocase; http_uri; metadata:service http; reference:url,secunia.com/advisories/45173; classtype:attempted-user; sid:19603; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java GIF LZW minimum code size overflow attempt"; flow:to_client,established; file_data; content:"|F3 E1 04 30 2E 7B 0A 25 A4 58 D1 E2 45 8C 19 35 6E E4 D8 D1 E3 47 90 21 45 8E 24 59 D2 E4 49 8F|"; fast_pattern:only; metadata:service http; reference:bugtraq,34240; reference:cve,2009-1098; classtype:attempted-user; sid:20239; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"launchjnlp"; fast_pattern; nocase; content:"docbase"; within:100; nocase; isdataat:80,relative; pcre:"/^([\x22\x27]\s*value)?\s*=\s*\x27[^\x27]{70}/Rsmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,44023; reference:cve,2010-3552; classtype:attempted-user; sid:20444; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-JAVA Oracle Java Web Start BasicServiceImpl security policy bypass attempt"; flow:to_server,established; content:"java.security.policy"; fast_pattern:only; http_uri; pcre:"/jnlp\x22\x09\x22-J-Djava\.security\.policy/Ui"; metadata:service http; reference:bugtraq,43999; reference:cve,2010-3563; classtype:attempted-user; sid:20430; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle JavaScript file upload keystroke hijack attempt"; flow:to_client,established; file_data; content:"onKeyPress"; fast_pattern:only; pcre:"/<INPUT[^>]+type\s*=\s*[\x22\x27]?file[\x22\x27]?[^>]+OnKey(Down|Up|Press)\s*=[^>]*>.*<INPUT[^>]+type\s*=\s*[\x22\x27]?text[\x22\x27]?[^>]+OnKey(Down|Up|Press)[^>]+>/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,18308; reference:cve,2006-2900; classtype:misc-activity; sid:21501; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"AccessControlContext"; fast_pattern:only; pcre:"/AccessControlContext\s*?(?P<var>\w*)\s*?=\s*?new\s*?AccessControlContext.*?SetField\x28Statement\.class,\s*?(?P<quotes1>\x22|\x27)acc(?P=quotes1),\s*?localStatement,\s*?(?P=var)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24036; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"ProtectionDomain"; content:"new Permissions|28 29|"; content:"new AllPermission|28 29|"; content:"new Expression|28|"; content:"GetClass|28 22|sun.awt.SunToolkit|22 29|, |22|getField|22|"; content:"setSecurityManager"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24020; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"ProtectionDomain"; content:"new Permissions|28 29|"; content:"new AllPermission|28 29|"; content:"new Expression|28|"; content:"GetClass|28 22|sun.awt.SunToolkit|22 29|, |22|getField|22|"; content:"setSecurityManager"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24021; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"Expression"; pcre:"/Expression\x28\s*?GetClass\x28\x22sun.awt.SunToolkit\x22\x29\s*?,\s*?\x22getField\x22/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24037; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"AccessControlContext"; fast_pattern:only; pcre:"/AccessControlContext\s*?(?P<var>\w*)\s*?=\s*?new\s*?AccessControlContext.*?SetField\x28Statement\.class,\s*?(?P<quotes1>\x22|\x27)acc(?P=quotes1),\s*?localStatement,\s*?(?P=var)/smi"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24028; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|51 DB 6A 4F B5 16 EF 52 DB D4 AA 15 43 BB 89 C6 AB D5 06 B5 97 D6 AA D5 D6 A3 F5 D6 DE AD F5 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24027; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java XGetSamplePtrFromSnd memory corruption attempt"; flow:to_client,established; flowbits:isset,file.rmf; file_data; content:"|1B 37 D6 E1 89 5F AB 9C 2E 1B 0D 49 A0 7B 89 8E C1 DE DE 86 17 22 12 1C 6F CC F1 CB AD EF 90 18|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46394; reference:cve,2010-4462; classtype:attempted-user; sid:24510; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JNLP parameter argument injection attempt"; flow:to_server,established; file_data; content:"<jnlp"; nocase; content:"property"; distance:0; nocase; content:"-Djava"; fast_pattern:only; content:"|2D|Djava.java2d.noddraw"; nocase; pcre:"/<jnlp.*?\x3C\s*?property[^\x3E]*?name[^\x3E]*?value\s*?[^\x3E]*?\-Djava\.java2d\.noddraw/smi"; metadata:service smtp; reference:cve,2005-0418; classtype:attempted-user; sid:24499; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JNLP parameter argument injection attempt"; flow:to_server,established; file_data; content:"<jnlp"; nocase; content:"property"; distance:0; nocase; content:"-Djava"; fast_pattern:only; content:"|2D|Djava.security.policy"; nocase; pcre:"/<jnlp.*?\x3C\s*?property[^\x3E]*?name[^\x3E]*?value\s*?[^\x3E]*?\-Djava\.security\.policy/smi"; metadata:service smtp; reference:cve,2005-0418; classtype:attempted-user; sid:24498; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"4e34523454tS345e334545c345u5356r67i6t6y4354834M9"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24770; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Web Start JNLP j2se key value buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jnlp; file_data; content:"<j2se "; content:"initial|2D|heap|2D|"; distance:0; isdataat:1024,relative; pcre:"/size\s*?\x3d\s*?[\x22\x27][^\s\x22\x27\x3e]{1024}/smiR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30148; reference:cve,2008-3111; classtype:attempted-user; sid:24904; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Web Start JNLP j2se key value buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jnlp; file_data; content:"<j2se "; content:"java|2D|vm|2D|"; distance:0; isdataat:1024,relative; pcre:"/args\s*?\x3d\s*?[\x22\x27][^\s\x22\x27\x3e]{1024}/smiR"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30148; reference:cve,2008-3111; classtype:attempted-user; sid:24906; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Web Start JNLP j2se key value buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jnlp; file_data; content:"<j2se "; content:"initial|2D|heap|2D|"; distance:0; isdataat:1024,relative; pcre:"/size\s*?\x3d\s*?[\x22\x27][^\s\x22\x27\x3e]{1024}/smiR"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30148; reference:cve,2008-3111; classtype:attempted-user; sid:24905; rev:6;)
# alert tcp any any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Runtime true type font idef opcode heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar|file.class|file.ttf; file_data; content:"|00 01 00 00|"; depth:4; content:"|89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0499; classtype:attempted-user; sid:24915; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Applet remote code execution attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"Exploit.class"; fast_pattern:only; content:"Payload.class"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2011-3544; reference:cve,2012-5076; classtype:attempted-user; sid:24993; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"msf/x/PayloadX$StreamConnector.class"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:25121; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Rhino script engine remote code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"NewsBase.classPK"; fast_pattern; content:"NewsViewer.classPK"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3544; classtype:attempted-user; sid:25392; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"B.classPK"; fast_pattern; content:"drop"; content:".exePK"; within:6; distance:5; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25473; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java malicious class download attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"exploit"; nocase; content:".classPK"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53960; reference:bugtraq,57246; reference:cve,2012-1723; reference:cve,2013-0422; classtype:attempted-user; sid:25833; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"B.classPK"; content:"PK"; distance:-800; pcre:"/^\x01\x02.{0,50}[a-zA-Z]{10}\x2fPK.{0,50}[a-zA-Z]{10}\x2f[a-zA-Z]{7}\.classPK/sR"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57246; reference:cve,2013-0422; reference:cve,2013-0431; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25832; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; fast_pattern:only; content:"JmxMBeanServerBuilder"; content:"invokeWithArguments"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25831; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; fast_pattern:only; content:"JmxMBeanServerBuilder"; content:"invokeWithArguments"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25834; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib ConvolveOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/image/Kernel|3B 29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|00 1A 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:26197; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib LookupOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/RenderingHints|3B 29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:26196; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Gmbal package sandbox breach attempt"; flow:to_server,established; file_data; content:"GenericConstructor"; nocase; content:"sun.invoke.anon"; nocase; content:"ManagedObjectManagerFactory"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; classtype:attempted-user; sid:26186; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib LookupOp integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/RenderingHints|3B 29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:26199; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/geom/AffineTransform|3B|I|29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:26198; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/geom/AffineTransform|3B|I|29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:26195; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib ConvolveOp integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/image/Kernel|3B 29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|00 1A 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:26200; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Gmbal package sandbox breach attempt"; flow:to_client,established; file_data; content:"GenericConstructor"; nocase; content:"sun.invoke.anon"; nocase; content:"ManagedObjectManagerFactory"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; classtype:attempted-user; sid:26185; rev:7;)
# Disabled rule. Note the coverage boundary of its pcre: "\x3Cscript language\x3Djavascript\x3E" requires the literal
# form <script language=javascript> with nothing between the attribute value and ">", so quoted values
# (language="javascript") or additional attributes do not satisfy the regex even though the preceding
# content match (nocase) would accept them. The ".*?" between the tag and forName( runs across the whole
# file_data buffer (/s flag), so there is no distance bound between the two anchors.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Plugin security bypass"; flow:to_client,established; file_data; content:"|3C|script language=javascript"; nocase; content:"forName"; pcre:"/\x3Cscript language\x3Djavascript\x3E.*?forName\x28[\x22\x27]sun\x2E/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,11726; reference:cve,2004-1029; classtype:attempted-user; sid:21462; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java known malicious jar file download - specific structure"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"Foo.class"; content:"trash/A.class"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:26439; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; file_data; content:"disableSecurityManager"; fast_pattern:only; content:"java/lang/reflect/Field"; nocase; content:"getSecurityManager"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26487; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|DD FE 53 3A 55 5B 3E 97 24 FD 19 31 34 97 2F B2 3E BD 4E D7 AD 50 CC 1C F2 C4 A3 43 E0 2C 6F 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26484; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|DD FE 53 3A 55 5B 3E 97 24 FD 19 31 34 97 2F B2 3E BD 4E D7 AD 50 CC 1C F2 C4 A3 43 E0 2C 6F 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26485; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; file_data; content:"disableSecurityManager"; fast_pattern:only; content:"java/lang/reflect/Field"; nocase; content:"getSecurityManager"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26486; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|0A C6 07 80 C3 B8 8D 0D A9 AB 8F B8 45 25 F0 1D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26499; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|0A C6 07 80 C3 B8 8D 0D A9 AB 8F B8 45 25 F0 1D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26500; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; file_data; content:"|70 01 00 10|findStaticSetter|01 00 55 28|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26551; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; file_data; content:"|70 01 00 10|findStaticSetter|01 00 55 28|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26550; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Union1.class"; content:"Union2.class"; content:"SystemClass.class"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26549; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"Union1.class"; content:"Union2.class"; content:"SystemClass.class"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26552; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java font rendering remote code execution attempt"; flow:to_server,established; file_data; content:"single.class|6D 52 5D 53 D3 50 10 3D B7 4D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1491; reference:url,blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruption; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26717; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java font rendering remote code execution attempt"; flow:to_client,established; file_data; content:"single.class|6D 52 5D 53 D3 50 10 3D B7 4D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1491; reference:url,blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruption; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26716; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java XGetSamplePtrFromSnd memory corruption attempt"; flow:to_server,established; flowbits:isset,file.rmf; file_data; content:"|1B 37 D6 E1 89 5F AB 9C 2E 1B 0D 49 A0 7B 89 8E C1 DE DE 86 17 22 12 1C 6F CC F1 CB AD EF 90 18|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,46394; reference:cve,2010-4462; classtype:attempted-user; sid:24511; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib BytePackedRaster signed integer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"Ljava/awt/image/MultiPixelPackedSampleModel"; fast_pattern:only; content:"Ljava/lang/StringBuilder"; content:"getSecurityManager"; within:25; content:"Ljava/lang/SecurityManager"; within:50; content:"getRuntime"; content:"Ljava/lang/Runtime"; within:25; content:"exec"; within:15; metadata:service smtp; reference:cve,2013-2549; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:27694; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib BytePackedRaster signed integer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Ljava/awt/image/MultiPixelPackedSampleModel"; fast_pattern:only; content:"Ljava/lang/StringBuilder"; content:"getSecurityManager"; within:25; content:"Ljava/lang/SecurityManager"; within:50; content:"getRuntime"; content:"Ljava/lang/Runtime"; within:25; content:"exec"; within:15; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-2549; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:27693; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|F5 A9 5D 36 ED 36 9D 80 85 2A A9 2A A9 FE C6 4B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2463; classtype:attempted-user; sid:27765; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|F5 A9 5D 36 ED 36 9D 80 85 2A A9 2A A9 FE C6 4B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2463; classtype:attempted-user; sid:27764; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|B5 67 D2 36 4F 7F EA EF FD 13 DA 3F C0 A7 0D FD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2463; classtype:attempted-user; sid:27787; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|B5 67 D2 36 4F 7F EA EF FD 13 DA 3F C0 A7 0D FD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2463; classtype:attempted-user; sid:27786; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|69 25 55 8C F5 A5 D7 E4 68 23 69 12 92 8B B4 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2463; classtype:attempted-user; sid:28927; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|69 25 55 8C F5 A5 D7 E4 68 23 69 12 92 8B B4 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2463; classtype:attempted-user; sid:28926; rev:1;)
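# Review note: this SMTP rule originally had no file_data option, while its to_client twin (sid:29268) and every
# other attachment rule in this section evaluate their content inside the file_data buffer. Without file_data the
# 32-byte pattern is compared against the raw SMTP stream, where a MIME attachment is normally transfer-encoded
# (base64) and these bytes never appear verbatim, so the rule was unlikely to fire. file_data added so the pattern
# is inspected on the same decoded buffer as sid:29268; rev bumped for the change.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java sun.awt.image.ImageRepresentation.setPixels integer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|10 E6 74 CC 0A 8C BF 24 D5 C0 3C 0E 0B E8 A1 72 79 3E 0F E8 69 90 12 88 E9 6E 59 AA E6 03 6B AE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2420; classtype:attempted-user; sid:29269; rev:2;)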
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java sun.awt.image.ImageRepresentation.setPixels integer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|10 E6 74 CC 0A 8C BF 24 D5 C0 3C 0E 0B E8 A1 72 79 3E 0F E8 69 90 12 88 E9 6E 59 AA E6 03 6B AE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2420; classtype:attempted-user; sid:29268; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java and JavaFX JPEGImageReader memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|80 F3 91 80 F2 25 98 54 C3 7B E4 24 43 12 2B 0B 09 8F E0 36 A4 7D E2 08 FD 81 9F 5C B6 8D 2B AB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2420; classtype:attempted-user; sid:29219; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java and JavaFX JPEGImageReader memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|80 F3 91 80 F2 25 98 54 C3 7B E4 24 43 12 2B 0B 09 8F E0 36 A4 7D E2 08 FD 81 9F 5C B6 8D 2B AB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2420; classtype:attempted-user; sid:29218; rev:1;)
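# Review note: file_data was missing here (the raw SMTP stream carries attachments transfer-encoded, so the
# 32-byte pattern would not be seen verbatim); added so the match runs on the decoded file buffer like the other
# attachment rules in this section, rev bumped. Also worth confirming: the same 32-byte pattern is used by the
# to_client rule sid:29214, which carries a different msg (JPEGImageWriter) and reference (cve,2013-2429) than
# this rule (ImageRepresentation.setPixels, cve,2013-2420) - one of the two labels is probably wrong.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java sun.awt.image.ImageRepresentation.setPixels integer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|5A A8 F5 C3 EE D3 D7 82 9F AC 50 72 B3 14 51 9F 84 CE BB 8B E5 3B 7D E0 7A B3 8C FB BE AE 45 9D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2420; classtype:attempted-user; sid:29215; rev:2;)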
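# Review note (rule left disabled as found): file_data was missing, so the pattern was matched against the raw
# response payload (headers included, body possibly content-encoded) instead of the decoded file buffer used by
# every other to_client rule in this section; added, rev bumped. The 32-byte pattern is identical to the one in
# the SMTP rule sid:29215, which carries a different msg and CVE (cve,2013-2420) - confirm which label is right.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JPEGImageWriter memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|5A A8 F5 C3 EE D3 D7 82 9F AC 50 72 B3 14 51 9F 84 CE BB 8B E5 3B 7D E0 7A B3 8C FB BE AE 45 9D|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-2429; classtype:attempted-user; sid:29214; rev:3;)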
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ShortComponentRaster integer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:".javaPK"; nocase; content:"ColorModel.classPK"; within:100; nocase; content:"SampleModel.classPK"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60656; reference:cve,2013-2472; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:29491; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ShortComponentRaster integer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:".javaPK"; nocase; content:"ColorModel.classPK"; within:100; nocase; content:"SampleModel.classPK"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60656; reference:cve,2013-2472; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:29490; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Rhino script engine remote code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:".toString"; content:"setSecurityManager"; content:"javax/script/ScriptException"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3544; classtype:attempted-user; sid:29535; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/geom/AffineTransform|3B|I|29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|14 03 00|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:29606; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/geom/AffineTransform|3B|I|29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|14 03 00|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:29605; rev:2;)
# Disabled rule. The content is ASCII text, not a binary pattern: "ACED0005" is the hex spelling of the Java
# serialization stream magic (AC ED 00 05) and "737200266A6176612E75746" spells out "sr\x00&java.ut" - i.e. the
# rule looks for a hex-encoded serialized object embedded as a string in the class file (same approach in sids
# 29971, 29970, 29969). The leading "~" is part of the literal match and its origin is not explained here.
# There is no nocase, so a lowercase hex spelling of the same stream would not match.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java java.util.concurrent.ConcurrentHashMap memory corruption attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"~ACED0005737200266A6176612E75746"; fast_pattern:only; metadata:service smtp; reference:bugtraq,59206; reference:cve,2013-2426; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:29972; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java java.util.concurrent.ConcurrentHashMap memory corruption attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"~ACED0005737200266A6176612E75746"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,59206; reference:cve,2013-2426; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:29971; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java java.util.concurrent.ConcurrentHashMap memory corruption attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"0245365676D656E743B7870FFFFFFFF0"; fast_pattern:only; metadata:service smtp; reference:bugtraq,59206; reference:cve,2013-2426; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:29970; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java java.util.concurrent.ConcurrentHashMap memory corruption attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"0245365676D656E743B7870FFFFFFFF0"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,59206; reference:cve,2013-2426; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:29969; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java font rendering remote code execution attempt"; flow:to_server,established; file_data; content:"class|6D 54 59 57 D3 40 14 FE 42 5B 52 E2|"; fast_pattern:only; metadata:service smtp; reference:cve,2013-1491; reference:url,blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruption; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:30218; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java font rendering remote code execution attempt"; flow:to_client,established; file_data; content:"class|6D 54 59 57 D3 40 14 FE 42 5B 52 E2 00 5A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1491; reference:url,blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruption; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:30217; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|70 6F 69 6E 74 2E 63 6C 61 73 73 AD 56 59 57 DB 46 14 FE C4 26 10 4E 02 64|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53960; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:31512; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|70 6F 69 6E 74 2E 63 6C 61 73 73 AD 56 59 57 DB 46 14 FE C4 26 10 4E 02 64|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:31511; rev:1;)
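# Review note (rule left disabled as found): the header is $EXTERNAL_NET any -> $SMTP_SERVERS 25 with service
# smtp, i.e. client-to-server traffic, but the flow option said to_client - a contradiction that prevents the
# rule from ever matching. Changed to flow:to_server like every other SMTP rule in this section, rev bumped.
# No $FILE_DATA_PORTS/to_client counterpart for this JNLP pattern is visible in this part of the file.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Web Start arbitrary command execution attempt"; flow:to_server,established; file_data; content:"<jnlp"; fast_pattern:only; content:"<resources>"; pcre:"/\x3cresources\x3e.*?\x2d(XXaltjvm|jar|cp|classpath)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0500; classtype:attempted-user; sid:31946; rev:3;)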
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|C5 ED 21 7C 80 0F 53 B8 83 8F 86 71 17 79 03 F7 06 B1 34 8C 7E DC 4F 61 04 1F 1B 78 90 C2 10 96 0D 14 52 18 C6 8A 81 4F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,66866; reference:cve,2014-0457; classtype:attempted-user; sid:32235; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|C5 ED 21 7C 80 0F 53 B8 83 8F 86 71 17 79 03 F7 06 B1 34 8C 7E DC 4F 61 04 1F 1B 78 90 C2 10 96 0D 14 52 18 C6 8A 81 4F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66866; reference:cve,2014-0457; classtype:attempted-user; sid:32234; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|36 10 22 09 90 87 BD 3B 73 F7 BB F7 7E 73 E7 DE BB 7F FF F3 FB 9F 00 16 F0 3C 85 61 DC 1E C0 87 F8 28 85 3B F8 78 10 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,66866; reference:cve,2014-0457; classtype:attempted-user; sid:32233; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|36 10 22 09 90 87 BD 3B 73 F7 BB F7 7E 73 E7 DE BB 7F FF F3 FB 9F 00 16 F0 3C 85 61 DC 1E C0 87 F8 28 85 3B F8 78 10 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66866; reference:cve,2014-0457; classtype:attempted-user; sid:32232; rev:6;)
# "flowbits:isset,file.class|file.jar" is an OR: the rule is eligible when either file-type flowbit has been set
# on the flow (the other rules in this section gate on a single bit). The fast-pattern anchor is the class name
# string; the 17-byte pattern that follows is unanchored (no distance/within), so it may occur anywhere in the
# file_data buffer, before or after the anchor.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class|file.jar; file_data; content:"java/awt/image/SinglePixelPackedSampleModel"; fast_pattern:only; content:"|62 90 1E 43 33 21 E5 8F 5A 02 00 00 5A 02 00 00 17|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60659; reference:cve,2013-2471; reference:cve,2013-2473; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:31541; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class|file.jar; file_data; content:"java/awt/image/SinglePixelPackedSampleModel"; fast_pattern:only; content:"|62 90 1E 43 33 21 E5 8F 5A 02 00 00 5A 02 00 00 17|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60659; reference:cve,2013-2471; reference:cve,2013-2473; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:31540; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|8D 2C 4B A6 61 92 CF 38 E2 92 6E 58 F3 E4 DD B0 F2 84 53 20 A6 55 4B 13 79 9C 8F D6 0D 8A D9 A2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:31367; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|8D 2C 4B A6 61 92 CF 38 E2 92 6E 58 F3 E4 DD B0 F2 84 53 20 A6 55 4B 13 79 9C 8F D6 0D 8A D9 A2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:31366; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/image/LookupOp"; fast_pattern:only; content:"|01 00 06|filter|01 00 5C 28 4C|"; content:"|3B 00 1A 00 45 00 1C 00 64 00 1D 00 83 00 1F 00 91 00 20 00 9D 00 22 00 A7 00 27 00 AA 00 24 00 AB 00 26 00 AF|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:29273; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/image/LookupOp"; fast_pattern:only; content:"|72 61 63 65 00 21 00 40 00 42 00 00 00 03 00 01 00 45 00 46 00 00 00 11 00 47 00 46 00 01 00 48|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:29272; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/image/LookupOp"; fast_pattern:only; content:"|72 61 63 65 00 21 00 40 00 42 00 00 00 03 00 01 00 45 00 46 00 00 00 11 00 47 00 46 00 01 00 48|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:29271; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/image/LookupOp"; fast_pattern:only; content:"|01 00 06|filter|01 00 5C 28 4C|"; content:"|3B 00 1A 00 45 00 1C 00 64 00 1D 00 83 00 1F 00 91 00 20 00 9D 00 22 00 A7 00 27 00 AA 00 24 00 AB 00 26 00 AF|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:29270; rev:6;)
# sid 28916 / CVE-2013-2471, SMTP direction, enabled (drop in balanced/security/max-detect).
# Keys on three zip entry names from one PoC (MyJApplet, DropIt, MyJApplet$MySampleModel); the `PK` glued
# to `.class` is the signature of the next zip header, which pins each name to the end of an entry. No
# fast_pattern is declared, so the engine chooses one (by default the longest content). This is a
# sample-name signature, not a vulnerability signature: renaming the classes evades it. Client twin: sid 28915.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster.verify method integer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"MyJApplet.classPK"; content:"DropIt.classPK"; within:60; content:"MyJApplet$MySampleModel.classPK"; within:75; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60659; reference:cve,2013-2471; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:28916; rev:6;)
# sid 28915 / CVE-2013-2471, client-download direction, enabled.
# Same three PoC entry names and `within` spacing as sid 28916, over ftp-data/http/imap/pop3.
# Name-based, so it only catches the unrenamed sample.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster.verify method integer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"MyJApplet.classPK"; content:"DropIt.classPK"; within:60; content:"MyJApplet$MySampleModel.classPK"; within:75; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60659; reference:cve,2013-2471; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:28915; rev:6;)
# sid 28277 / CVE-2013-2465, SMTP direction, enabled.
# Four zip entry names from one exploit-kit sample (MyColorModel, MyColorSpace, MyJApplet, DropIt).
# Note the uneven case handling: only MyColorSpace and MyJApplet are `nocase`; the fast-pattern content
# and DropIt are case-sensitive, so a case-changed name in those two positions is missed while the other
# two are not — probably unintentional. Client twin: sid 28276.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"MyColorModel.classPK"; fast_pattern:only; content:"MyColorSpace.classPK"; nocase; content:"MyJApplet.classPK"; nocase; content:"DropIt.classPK"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; reference:url,www.virustotal.com/file/b3ceede0fa73d773b4bbddda2a963e827935c61328966fc314a498080c315230/analysis/; classtype:attempted-user; sid:28277; rev:7;)
# sid 28276 / CVE-2013-2465, client-download direction, enabled (also drops in connectivity-ips).
# Same four entry names and the same mixed `nocase` coverage as sid 28277.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"MyColorModel.classPK"; fast_pattern:only; content:"MyColorSpace.classPK"; nocase; content:"MyJApplet.classPK"; nocase; content:"DropIt.classPK"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; reference:url,www.virustotal.com/file/b3ceede0fa73d773b4bbddda2a963e827935c61328966fc314a498080c315230/analysis/; classtype:attempted-user; sid:28276; rev:6;)
# sid 27751 / CVE-2013-2471, SMTP direction, enabled. Class-file rule: the SinglePixelPackedSampleModel
# reference is the fast pattern and `poc$MyModel` (an inner-class name from the PoC) confirms. The second
# content is what makes it sample-specific. Client twin: sid 27750.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/image/SinglePixelPackedSampleModel"; fast_pattern:only; content:"poc$MyModel"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60659; reference:cve,2013-2471; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:27751; rev:7;)
# sid 27750 / CVE-2013-2471, client-download direction, enabled. Contents are identical to sid 27751.
# NOTE(review): this twin also carries reference:cve,2013-2473, which the SMTP twin does not — the two
# metadata sets have drifted; harmless for detection, but worth aligning when next revised.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/image/SinglePixelPackedSampleModel"; fast_pattern:only; content:"poc$MyModel"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60659; reference:cve,2013-2471; reference:cve,2013-2473; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:27750; rev:7;)
# sid 27692 / CVE-2013-2471, SMTP direction, enabled. Behavioural rather than name-based: after the
# SinglePixelPackedSampleModel fast pattern it requires, in order, StringBuilder, getSecurityManager
# (within 25 bytes), SecurityManager (within 50), then getRuntime / Runtime (within 25) / exec (within 15)
# — a class that checks the security manager and then reaches Runtime.exec.
# NOTE(review): these are class-internal strings but the flowbit is file.jar; they are only present in the
# wire bytes if the jar stores its entries uncompressed (nothing here inflates them). Confirm that holds for
# the targeted samples. Client twin: sid 27691.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"Ljava/awt/image/SinglePixelPackedSampleModel"; fast_pattern:only; content:"Ljava/lang/StringBuilder"; content:"getSecurityManager"; within:25; content:"Ljava/lang/SecurityManager"; within:50; content:"getRuntime"; content:"Ljava/lang/Runtime"; within:25; content:"exec"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60659; reference:cve,2013-2471; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:27692; rev:9;)
# sid 27691 / CVE-2013-2471, client-download direction, enabled. Same ordered content chain as sid 27692
# (security-manager check followed by Runtime.exec), and the same caveat: with a file.jar flowbit these
# class-internal strings are only visible when the jar entries are stored uncompressed.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Ljava/awt/image/SinglePixelPackedSampleModel"; fast_pattern:only; content:"Ljava/lang/StringBuilder"; content:"getSecurityManager"; within:25; content:"Ljava/lang/SecurityManager"; within:50; content:"getRuntime"; content:"Ljava/lang/Runtime"; within:25; content:"exec"; within:15; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60659; reference:cve,2013-2471; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:27691; rev:9;)
# sid 27677 / CVE-2013-2465, SMTP direction, enabled. Structural rule for randomised class names: a
# MANIFEST.MF central-directory entry, then a 7-letter outer class, then two `<outer>$<12 letters>.class`
# inner classes (the pcre backreference ties them to the outer name). Each `.{44}` gap is the remainder of
# a 46-byte central-directory header after its `PK` signature, so the rule assumes back-to-back headers
# with empty extra/comment fields; a different packer or a non-empty extra field breaks the match. The two
# `$` / `.classPK` contents in front of the pcre are cheap pre-filters. Client twin: sid 27676.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"META-INF/MANIFEST.MFPK"; content:"$"; within:1; distance:110; content:".classPK"; within:8; distance:12; pcre:"/META-INF\/MANIFEST\.MFPK.{44}(?P<outerclass>[a-zA-Z]{7})\.classPK.{44}(?P=outerclass)\$[a-zA-Z]{12}\.classPK.{44}(?P=outerclass)\$[a-zA-Z]{12}\.classPK/sm"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27677; rev:8;)
# sid 27676 / CVE-2013-2465, client-download direction, enabled. Same central-directory layout rule as
# sid 27677 (7-letter outer class, two 12-letter inner classes, 44-byte header gaps); same layout assumption.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"META-INF/MANIFEST.MFPK"; content:"$"; within:1; distance:110; content:".classPK"; within:8; distance:12; pcre:"/META-INF\/MANIFEST\.MFPK.{44}(?P<outerclass>[a-zA-Z]{7})\.classPK.{44}(?P=outerclass)\$[a-zA-Z]{12}\.classPK.{44}(?P=outerclass)\$[a-zA-Z]{12}\.classPK/sm"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27676; rev:8;)
# sid 27675 / CVE-2013-2465, SMTP direction, enabled. Entry-name signature for a second sample family:
# MyColorModel (fast pattern, case-sensitive) plus MyColorSpace, DownloadExec and AccessControlClass
# (all `nocase`). Name-based, so renaming evades. Client twin: sid 27674.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"MyColorModel.classPK"; fast_pattern:only; content:"MyColorSpace.classPK"; nocase; content:"DownloadExec.classPK"; nocase; content:"AccessControlClass.classPK"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; reference:url,www.virustotal.com/file/b3ceede0fa73d773b4bbddda2a963e827935c61328966fc314a498080c315230/analysis/; classtype:attempted-user; sid:27675; rev:8;)
# sid 27674 / CVE-2013-2465, client-download direction, enabled (also connectivity-ips drop).
# Same four entry names as sid 27675.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"MyColorModel.classPK"; fast_pattern:only; content:"MyColorSpace.classPK"; nocase; content:"DownloadExec.classPK"; nocase; content:"AccessControlClass.classPK"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; reference:url,www.virustotal.com/file/b3ceede0fa73d773b4bbddda2a963e827935c61328966fc314a498080c315230/analysis/; classtype:attempted-user; sid:27674; rev:8;)
# sid 27673 / CVE-2013-2465, SMTP direction, enabled. Entry-name signature for the "Poc" naming variant
# (PocColorModel as fast pattern, PocColorSpace and poc `nocase`). Name-based. Client twin: sid 27672.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"PocColorModel.classPK"; fast_pattern:only; content:"PocColorSpace.classPK"; nocase; content:"poc.classPK"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27673; rev:8;)
# sid 27672 / CVE-2013-2465, client-download direction, enabled. Same "Poc" entry names as sid 27673.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PocColorModel.classPK"; fast_pattern:only; content:"PocColorSpace.classPK"; nocase; content:"poc.classPK"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27672; rev:8;)
# sid 27622 / CVE-2013-2465, SMTP direction, enabled. Mixes a name (`MyColorModel.class`, no `PK`, so it
# can also hit the class-name string inside an entry) with behaviour: an AffineTransformOp reference and
# then getRuntime / Runtime (within 25) / exec (within 15). Same stored-vs-deflated caveat as sid 27692:
# with a file.jar flowbit the class-internal strings are only on the wire if entries are uncompressed.
# Client twin: sid 27621.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"MyColorModel.class"; fast_pattern:only; content:"java/awt/image/AffineTransformOp"; content:"getRuntime"; content:"Ljava/lang/Runtime"; within:25; content:"exec"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27622; rev:10;)
# sid 27621 / CVE-2013-2465, client-download direction, enabled. Same contents as sid 27622
# (MyColorModel.class + AffineTransformOp + Runtime.exec chain); same uncompressed-entries caveat.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"MyColorModel.class"; fast_pattern:only; content:"java/awt/image/AffineTransformOp"; content:"getRuntime"; content:"Ljava/lang/Runtime"; within:25; content:"exec"; within:15; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27621; rev:10;)
# sid 27191 / CVE-2013-2460, SMTP direction, enabled. Single fast-pattern-only content on one entry name
# (`ExploitApp.classPK`): very cheap, but it sees nothing except that exact name. On the client side the
# generic `exploit` + `.classPK` heuristic (sid 25830) already covers this name. Client twin: sid 27190.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Applet ProviderSkeleton sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"ExploitApp.classPK"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27191; rev:6;)
# sid 27190 / CVE-2013-2460, client-download direction, enabled. Same single entry-name content as
# sid 27191; overlaps with the generic name heuristic in sid 25830.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Applet ProviderSkeleton sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"ExploitApp.classPK"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27190; rev:7;)
# sid 27189 / CVE-2013-2460, SMTP direction, enabled. Class-file rule that mixes dotted names
# (`sun.org.mozilla.javascript.internal.*`, the form used in string constants such as a Class.forName
# argument) with slash-form internal names (`com/sun/tracing/ProviderFactory`,
# `java/lang/reflect/InvocationHandler`, the form used in constant-pool class references). The two
# `distance:0` options only order ProviderFactory and InvocationHandler after the Context match; the
# fast-pattern GeneratedClassLoader string is unordered. Client twin: sid 27188.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Applet ProviderSkeleton sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; fast_pattern:only; content:"sun.org.mozilla.javascript.internal.Context"; nocase; content:"com/sun/tracing/ProviderFactory"; distance:0; nocase; content:"java/lang/reflect/InvocationHandler"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27189; rev:7;)
# sid 27188 / CVE-2013-2460, client-download direction, enabled. Same GeneratedClassLoader / Context /
# ProviderFactory / InvocationHandler chain as sid 27189.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Applet ProviderSkeleton sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; fast_pattern:only; content:"sun.org.mozilla.javascript.internal.Context"; nocase; content:"com/sun/tracing/ProviderFactory"; distance:0; nocase; content:"java/lang/reflect/InvocationHandler"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27188; rev:8;)
# sid 27077 / CVE-2013-2460, SMTP direction, enabled. Single fast-pattern content on the entry/class name
# `DisableSecurityManagerAction.class`; name-based and trivially renamed, but near-zero cost.
# Client twin: sid 27076.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Applet disable security manager attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"DisableSecurityManagerAction.class"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27077; rev:6;)
# sid 27076 / CVE-2013-2460, client-download direction, enabled. Same single name content as sid 27077.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Applet disable security manager attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"DisableSecurityManagerAction.class"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27076; rev:7;)
# sid 26588 / CVE-2013-0431, client-download direction; ships commented out. A 16-byte opaque blob with no
# surrounding structure, presumably a slice of one sample's (likely compressed) jar data — effectively a
# hash-like IoC that will only ever match that sample. classtype attempted-admin.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java runtime JMX findclass sandbox breach attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|5B C7 59 FF 46 2B ED 9B 95 65 7B 3D EB B5 AD D8|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57563; reference:cve,2013-0431; classtype:attempted-admin; sid:26588; rev:9;)
# sid 26587 / CVE-2013-0431, client-download direction; ships commented out. Four unordered API-name
# strings (Introspector, findClass, MBeanInstantiator, declaredMethods) in a .class file. Any legitimate
# class that pokes at JMX internals references the same names, so the false-positive exposure is real —
# presumably why it is disabled by default and only max-detect drops.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java runtime JMX findclass sandbox breach attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/sun/jmx/mbeanserver/Introspector"; fast_pattern:only; content:"findClass"; content:"com.sun.jmx.mbeanserver.MBeanInstantiator"; content:"declaredMethods"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57563; reference:cve,2013-0431; classtype:attempted-admin; sid:26587; rev:9;)
# sid 25830, client-download direction, enabled in every policy. Generic entry-name heuristic: any jar
# entry whose name contains `exploit` (nocase) followed within 20 bytes by `.classPK`. The leading
# `content:!"DB2ParserLUW"` is a whole-buffer exclusion for a known benign jar that would otherwise match;
# note it is case-sensitive while the positive contents are nocase. Name-based and trivially evaded by
# renaming, but cheap and broad, which is why it carries references to several unrelated CVEs.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java malicious class download attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:!"DB2ParserLUW"; content:"exploit"; nocase; content:".classPK"; within:20; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53960; reference:bugtraq,55213; reference:bugtraq,57246; reference:bugtraq,60659; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2471; classtype:attempted-user; sid:25830; rev:11;)
# sid 25562, client-download direction; ships commented out. Keys on the banner string a commercial
# obfuscator leaves in jars, not on exploit behaviour; legitimately obfuscated software carries the same
# banner, which is presumably why it is disabled by default and classed trojan-activity with ATT&CK
# T1027/T1140 references rather than a CVE. Useful as a hunting/telemetry rule rather than a blocking one.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java obfuscated jar file download attempt"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"Obfuscation by Allatori Obfuscator"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:25562; rev:9;)
# sid 25472 / CVE-2012-5088, CVE-2013-0422, CVE-2013-0431; client-download direction, enabled everywhere.
# Structural rule for random-looking names: after `B.classPK` it backs up 800 bytes (`distance:-800`) to a
# `PK`, and the relative pcre (`^` with /R) requires the central-directory signature `PK\x01\x02` there,
# then a 10-letter directory name, then a `<10 letters>/<7 letters>.classPK` entry.
# NOTE(review): if the first `PK` found in that window is not a central-directory header the pcre fails;
# whether the engine then retries later `PK` occurrences depends on its relative-match backtracking —
# confirm against the samples rather than assuming.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"B.classPK"; content:"PK"; distance:-800; pcre:"/^\x01\x02.{0,50}[a-zA-Z]{10}\x2fPK.{0,50}[a-zA-Z]{10}\x2f[a-zA-Z]{7}\.classPK/sR"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57246; reference:cve,2012-5088; reference:cve,2013-0422; reference:cve,2013-0431; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25472; rev:11;)
# sid 25123 / CVE-2012-1723, CVE-2012-4681; client-download direction, enabled everywhere. The two contents
# (`exploit/` then `.class` within 20 bytes) are the cheap filter; the pcre narrows to exactly
# exploit/Exploit.class, exploit/ExploitApp.class or exploit/Loader.class (case-insensitive). Name-based.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"exploit/"; nocase; content:".class"; within:20; nocase; pcre:"/exploit\/(Exploit(App)?|Loader)\.class/ims"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:cve,2012-4681; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:25123; rev:9;)
# sid 25122 / CVE-2012-1723, client-download direction, enabled everywhere. Sibling of sid 25123 for the
# `poc/` package: the pcre accepts poc/Exploit, poc/myClassLoader, poc/pocMain or poc/runCmd `.class`.
# Name-based, so it tracks the published PoC rather than the bug.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"poc/"; nocase; content:".class"; within:20; nocase; pcre:"/poc\/(Exploit|myClassLoader|pocMain|runCmd)\.class/ims"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:25122; rev:8;)
# sid 25006, SMTP direction; ships commented out. Despite the FILE-JAVA prefix this has no file flowbit and
# keys on a method name from the `heapLib.ie` JavaScript heap-manipulation library (the referenced Sotirov
# paper), i.e. browser exploit scaffolding rather than the Java runtime. Client twin: sid 23614.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle JavaScript heap exploitation library usage attempt"; flow:to_server,established; file_data; content:"heapLib.ie.prototype.freeOleaut32"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0779; reference:cve,2012-4969; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:attempted-user; sid:25006; rev:8;)
# sid 24769 / CVE-2012-4681, client-download direction, enabled everywhere; no file flowbit, so it runs on
# any file_data buffer. Single fast-pattern string whose letters, read without the digits, spell
# `etSecurityM` — it looks like a digit-padded `setSecurityManager` from one obfuscated sample, so this is
# a sample IoC rather than a technique signature. classtype attempted-admin.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"4e34523454tS345e334545c345u5356r67i6t6y4354834M9"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24769; rev:8;)
# sid 24701 / CVE-2012-0499, client-download direction; ships commented out. Uses the OR form of flowbits
# (`file.jar|file.class|file.ttf`). `|00 01 00 00|` at depth 4 is the TrueType sfnt version at the very
# start of the buffer; the fast pattern is `89 2D` repeated ten times, which matches the TrueType
# IDEF/ENDF opcode pair the message refers to. A font that repeats that pair exactly ten times in a row
# is the PoC shape; other idef layouts would not trip it.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime true type font idef opcode heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar|file.class|file.ttf; file_data; content:"|00 01 00 00|"; depth:4; content:"|89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0499; classtype:attempted-user; sid:24701; rev:12;)
# sid 24202 / CVE-2012-1723, SMTP direction, enabled. `Trigger.class` is the fast pattern; the pcre then
# requires one of three other PoC class names (DisableSandboxAndDrop, ConfusedClass,
# FieldAccessVerifierExpl) anywhere in the buffer. Name-based. Client twin: sid 24201.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"Trigger.class"; fast_pattern:only; pcre:"/(DisableSandboxAndDrop|ConfusedClass|FieldAccessVerifierExpl)\.class/ims"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:24202; rev:10;)
# sid 24201 / CVE-2012-1723, client-download direction, enabled everywhere. Same Trigger.class + pcre
# name list as sid 24202.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Trigger.class"; fast_pattern:only; pcre:"/(DisableSandboxAndDrop|ConfusedClass|FieldAccessVerifierExpl)\.class/ims"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:24201; rev:9;)
# sid 24063 / CVE-2012-4681, client-download direction, enabled everywhere. Class-file rule: MethodFinder
# is the fast pattern; the middle content glues `sun.awt.SunToolkit` to what looks like constant-pool bytes
# (tag 07 Class #0x73, tag 0C NameAndType #0x74/#0x75, tag 01 Utf8 length 8) and then `getField`; the
# third content is AccessControlContext. Those embedded pool indices belong to one compiled sample, so the
# middle content is brittle against any recompile; the other two strings are generic API references.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/sun/beans/finder/MethodFinder"; fast_pattern:only; content:"sun.awt.SunToolkit|07 00 73 0C 00 74 00 75 01 00 08|getField"; content:"java/security/AccessControlContext"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24063; rev:9;)
# sid 24026 / CVE-2012-4681, CVE-2012-5076; client-download direction, enabled everywhere; no file flowbit.
# A 32-byte opaque blob with no structural context — presumably compressed or obfuscated bytes from known
# samples, so treat it as an IoC-style signature. rev 15 shows it has been re-tuned repeatedly.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|51 DB 6A 4F B5 16 EF 52 DB D4 AA 15 43 BB 89 C6 AB D5 06 B5 97 D6 AA D5 D6 A3 F5 D6 DE AD F5 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; reference:cve,2012-5076; classtype:attempted-admin; sid:24026; rev:15;)
# sid 23614, client-download direction; ships commented out. Client twin of sid 25006: same `heapLib.ie`
# JavaScript method name, no file flowbit, not a Java-runtime signature despite the FILE-JAVA prefix.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle JavaScript heap exploitation library usage attempt"; flow:to_client,established; file_data; content:"heapLib.ie.prototype.freeOleaut32"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0779; reference:cve,2012-4969; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:attempted-user; sid:23614; rev:12;)
# sid 23277 / CVE-2012-1723, client-download direction, enabled everywhere. First of four sibling rules
# (23277, 23276, 23275, 23274) that each key on a fixed 32-byte slice of a known PoC .class file with no
# other constraint. They are exact-bytes signatures: any recompile, constant-pool reordering or name change
# shifts the bytes and misses. This slice starts with `B1` (the JVM `return` opcode) followed by what
# looks like attribute/exception-table counts — hedged, the bytes carry no self-describing structure.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|B1 00 02 00 06 00 20 00 23 00 48 00 04 00 3E 00 45 00 48 00 00 00 09 00 16 00 4A 00 01 00 0B 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23277; rev:9;)
# sid 23276 / CVE-2012-1723, client-download direction, enabled everywhere. Second of the four fixed-slice
# siblings (see sid 23277). The slice is a regular 5-byte repeat (`07 02 xx 0B 43` with xx stepping by 3),
# i.e. a tight loop of identical instructions or pool entries in the PoC; still exact-bytes and brittle.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|07 02 36 0B 43 07 02 39 0B 43 07 02 3C 0B 43 07 02 3F 0B 43 07 02 42 0B 43 07 02 45 0B 43 07 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23276; rev:9;)
# sid 23275 / CVE-2012-1723, client-download direction, enabled everywhere. Third fixed-slice sibling (see
# sid 23277). This one looks like a Code attribute header (attribute count 1, name index 0x0B, length 0x3D,
# max_stack 6, max_locals 2, code_length 0x1C) followed by the first bytecodes (`04 3C 2A B2 00 12 ...`);
# the pool indices inside it are sample-specific.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|00 01 00 0B 00 00 00 3D 00 06 00 02 00 00 00 1C 04 3C 2A B2 00 12 B2 00 18 1B 04 64 B2 00 18 BE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23275; rev:9;)
# sid 23274 / CVE-2012-1723, client-download direction, enabled everywhere. Fourth fixed-slice sibling
# (see sid 23277). Looks like a run of bytecode (`B6`/`B8` invoke, `A7` goto, `4C`/`2B` astore/aload,
# `B1` return) with sample-specific constant-pool operands; exact-bytes and brittle like its siblings.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|00 25 B6 00 12 B8 00 2B A7 00 08 4C 2B B6 00 31 B1 00 01 00 00 00 30 00 33 00 36 00 02 00 0A 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23274; rev:9;)
# sid 23273 / CVE-2012-1723, client-download direction, enabled everywhere. `.classPK` is the pre-filter;
# the pcre pins the entry name to sIda/sId[a-d].class or urua/uru[a-d].class (case-insensitive).
# NOTE(review): two separate `flowbits:isset` options are AND-ed — both file.jar and file.zip must be set
# on the flow. The OR form used elsewhere in this file is `file.jar|file.zip` (cf. sid 24701). Whether a
# jar sets both bits depends on the file-identify rules; if it does not, this rule can never fire. Confirm.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; flowbits:isset,file.zip; file_data; content:".classPK"; nocase; pcre:"/(sIda\/sId|urua\/uru)[abcd]\.classPK/ims"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23273; rev:10;)
# sid 23243 / CVE-2012-0501, client-download direction; ships commented out. A structural check on the zip
# end-of-central-directory record: after the `PK 05 06` signature it skips 6 bytes (this-disk, CD-start
# disk, entries-on-this-disk), then requires total entries == 0 (`00 00`) and central-directory size == 46
# (`2E 00 00 00`, little-endian). A directory with zero entries but one header's worth of size is the
# inconsistency behind the overflow, so this is a condition signature rather than a sample signature —
# but it only sees the EOCD, so it also fires on any malformed zip with that exact pair of values.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Zip file directory record overflow attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|05 06|"; content:"|00 00|"; within:2; distance:6; content:"|2E 00 00 00|"; within:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52013; reference:cve,2012-0501; classtype:attempted-user; sid:23243; rev:13;)
# sid 21667 / CVE-2012-0507, client-download direction. Two plain class-internal strings in order
# (AtomicReferenceArray, then getClassLoader after it). Policies are `alert`, not `drop`, in all but
# max-detect — a lower-confidence rule, which fits: both names occur in legitimate code. Same caveat as the
# other file.jar string rules: the strings are only on the wire when entries are stored uncompressed.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"AtomicReferenceArray"; nocase; content:"getClassLoader"; distance:0; nocase; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips drop, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21667; rev:11;)
# sid 21666 / CVE-2012-0507, CVE-2015-2590; client-download direction; alert-only outside max-detect.
# Contents: `atomic`, then `AtomicReferenceArray` starting 1 byte later within a 20-byte window, then
# `getClassLoader` anywhere after.
# NOTE(review): the flowbit is file.universalbinary rather than file.jar/file.class; the name suggests a
# Mach-O universal binary, which is an odd carrier for a Java exploit. sids 21665 and 21664 use the same
# bit. Confirm which file-identify rule sets it and whether that is the intended trigger.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"atomic"; content:"AtomicReferenceArray"; within:20; distance:1; content:"getClassLoader"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips drop, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52161; reference:cve,2012-0507; reference:cve,2015-2590; classtype:attempted-user; sid:21666; rev:11;)
# sid 21665 / CVE-2012-0507, client-download direction, enabled everywhere; file.universalbinary flowbit
# (see the note on sid 21666). The hex bytes are all ASCII hex digits; read with a one-nibble offset they
# decode to `rrent.atomi`, i.e. this appears to be a hex-text encoding of `java.util.concurrent.atomic` —
# a sample that hides class names as hex strings and decodes them at runtime. Sibling: sid 21664.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"|35 37 32 37 32 36 35 36 45 37 34 32 45 36 31 37 34 36 46 36 44 36 39 36|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21665; rev:9;)
# sid 21664 / CVE-2012-0507, client-download direction, enabled everywhere; file.universalbinary flowbit
# (see the note on sid 21666). Same hex-text trick as sid 21665: ASCII hex digits (decoding to a
# `...ceptio` fragment) interrupted by `01 00 2C`, which looks like a CONSTANT_Utf8 tag and length, then
# more hex digits — i.e. a hex dump of class bytes split across two constant-pool strings. Exact-bytes.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"|33 36 35 37 30 37 34 36 39 36 46 01 00 2C 36 45 30 31 30 30 30 36 36 31|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21664; rev:9;)
# sid 21481 / CVE-2012-0500, client-download direction; ships commented out; no file flowbit. Looks for a
# JNLP whose `<resources>` block is followed — anywhere, via `.*?` under /s — by a `-XXaltjvm`, `-jar`,
# `-cp` or `-classpath` switch, i.e. JVM command-line options smuggled into Web Start metadata. The span
# is unbounded and case-insensitive, so a benign JNLP carrying e.g. `-jar` in later text also matches;
# presumably why it is disabled by default.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Web Start arbitrary command execution attempt"; flow:to_client,established; file_data; content:"<jnlp"; fast_pattern:only; content:"<resources>"; pcre:"/\x3cresources\x3e.*?\x2d(XXaltjvm|jar|cp|classpath)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0500; classtype:attempted-user; sid:21481; rev:14;)
# sid 20622 / CVE-2011-3544, CVE-2012-5076; client-download direction; ships commented out. Two generic
# entry names (`Exploit.class` fast pattern, `Payload.class` nocase) with no ordering; the names are common
# enough in PoC and CTF jars that this is noisy, and sid 25830 covers the `exploit` name more generally.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Applet remote code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Exploit.class"; fast_pattern:only; content:"Payload.class"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3544; reference:cve,2012-5076; classtype:attempted-user; sid:20622; rev:18;)
# sid:19926 -- disabled. HTML-side check for the AWT setDiffICM overflow (CVE-2009-3869): an <applet> tag
# with code="AppletX" and an archive attribute of exactly 32 non-space characters followed by ".jar".
# The bytecode-side detection for the same CVE is sid:16288.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime AWT setDiffICM stack buffer overflow attempt"; flow:to_client,established; file_data; content:"AppletX"; fast_pattern:only; pcre:"/\x3C\s*applet[^\x3E\n$]*code\s*=\s*[\x27\x22]AppletX[\x22\x27][^\x3E\n$]*archive\s*=\s*[\x22\x27][^\s\x3E\n$]{32}\x2Ejar[\x22\x27]/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36881; reference:cve,2009-3869; classtype:attempted-user; sid:19926; rev:10;)
# sid:19100 -- disabled. Soundbank resource-name overflow (CVE-2010-0839): after the "snd" chunk tag the
# byte at offset 2 past the match must exceed 0x7F (a length field too large for the fixed buffer).
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Soundbank resource name overflow attempt"; flow:to_client,established; file_data; content:"snd|20 00 00|"; byte_test:1,>,0x7F,2,relative; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39070; reference:cve,2010-0839; classtype:attempted-user; sid:19100; rev:12;)
# sid:18244 -- disabled. Browser-plugin docbase overflow (CVE-2010-3552): "launchjnlp" (fast-pattern) followed
# within 100 bytes by "docbase", with isdataat:80 guarding the pcre that requires a 70-char quoted value.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"launchjnlp"; fast_pattern; nocase; content:"docbase"; within:100; nocase; isdataat:80,relative; pcre:"/^([\x22\x27]\s*value)?\s*=\s*\x22[^\x22]{70}/Rsmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,44023; reference:cve,2010-3552; classtype:attempted-user; sid:18244; rev:14;)
# sid:17631 -- disabled. JNLP (file.jnlp flowbit) <j2se> element with a java-vm-args value of 1024+ chars
# without whitespace, quote or '>' (CVE-2008-3111). isdataat:1024 is the cheap pre-check before the pcre.
# Sibling rule for the same CVE on heap-size attributes: sid:13950.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Web Start JNLP j2se key value buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jnlp; file_data; content:"<j2se "; content:"java|2D|vm|2D|"; distance:0; isdataat:1024,relative; pcre:"/args\s*?\x3d\s*?[\x22\x27][^\s\x22\x27\x3e]{1024}/smiR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30148; reference:cve,2008-3111; classtype:attempted-user; sid:17631; rev:14;)
# sid:17623 -- disabled. Type1 font integer overflow (CVE-2009-1099): a single fixed 48-byte sequence in a
# file.psfont-flagged stream. Exact-byte signatures like this match one known sample only; variants will
# not trigger it.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime Environment Type1 Font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.psfont; file_data; content:"|CF F9 2A 69 CE 32 21 93 B1 0D 9E 89 77 CD DD 58 3A C0 0C 33 A1 9F A4 4C E9 D0 66 FB CD 2D F1 B8 3E F8 FF 09 7D 7E 94 CA 6C 78 5C 7E FF 42 D1 B8|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34240; reference:cve,2009-1099; classtype:attempted-user; sid:17623; rev:16;)
# sid:17586 -- disabled. Web Start <property> whose quoted value contains " -classpath" (CVE-2004-1029).
# The pcre uses a named back-reference (?P<q1>) so the opening and closing quote characters must agree.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Web Start malicious parameter value"; flow:to_client,established; file_data; content:"<jnlp "; nocase; content:"<resources>"; distance:0; nocase; content:" -classpath"; distance:0; fast_pattern; nocase; pcre:"/<property[^>]*?value\s*=\s*(?P<q1>\x22|\x27).*? -classpath.*?(?P=q1)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,11726; reference:cve,2004-1029; classtype:attempted-user; sid:17586; rev:14;)
# sid:17563 -- disabled. JAR processing stack overflow (CVE-2008-5354): two fixed 16-byte runs, the second
# required after the first (distance:0). No flowbits gate and no explicit fast_pattern, so the engine picks
# the fast-pattern content itself.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime Environment JAR File Processing Stack Buffer Overflow"; flow:to_client,established; file_data; content:"|1D 79 05 13 28 88 55 51 C2 A4 84 29 05 12 0C 19|"; content:"|F1 2B C6 40 A1 3D C6 60 81 A8 5D 28 34 30 44 06|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32608; reference:cve,2008-5354; classtype:attempted-user; sid:17563; rev:12;)
# sid:17562 -- disabled. Pack200 decompression overflow (CVE-2008-5352) over HTTP: requires a
# "Content-Encoding: pack200-gzip" response header (http_header buffer), then the CA FE D0 0D pack magic
# and a fixed 7-byte run within 50 bytes of it in file_data. The 7-byte run is the fast-pattern.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime Environment Pack200 Decompression Integer Overflow attempt"; flow:to_client,established; content:"Content-Encoding|3A|"; nocase; http_header; content:"pack200-gzip"; within:20; nocase; http_header; file_data; content:"|CA FE D0 0D|"; content:"|C5 FC FC FC FC 00 D6|"; within:50; fast_pattern; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32608; reference:cve,2008-5352; classtype:misc-attack; sid:17562; rev:13;)
# sid:17522 -- disabled. Older Pack200 overflow signature (CVE-2009-1095): "Content-Encoding: pack200-gz"
# plus two fixed 16-byte runs. NOTE(review): unlike sid:17562 it uses no http_header/file_data buffer
# qualifiers and matches "any -> any" ports on the raw payload; if ever re-enabled, constrain it the way
# sid:17562 is.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime Environment Pack200 Decompression Integer Overflow"; flow:to_client,established; content:"Content-Encoding: pack200-gz"; nocase; content:"|9A 10 3A C7 39 E2 E6 DE BE F7 71 BA 7C 22 5E D7|"; content:"|49 F4 EF C7 73 9F 9B 9C 8B 32 A7 88 58 FF 13 31|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34240; reference:cve,2009-1095; classtype:attempted-user; sid:17522; rev:12;)
# sid:16288 -- disabled. Bytecode-side setDiffICM overflow signature (CVE-2009-3869): the constant-pool
# descriptor "(II[B[B[B)V" next to the "setDiffICM" name, followed (distance:0) by a fixed instruction
# sequence. HTML-side counterpart: sid:19926.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime AWT setDiffICM stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 0B 28|II[B[B[B|29|V|01 00 0A|setDiffICM|01 00|S|28|II"; content:"|0A|,|10 0A 11 01 90 BB 00 17|Y|10 10 08 08 BC|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36881; reference:cve,2009-3869; classtype:attempted-user; sid:16288; rev:11;)
# sid:15081 -- disabled. Web Start XML-declaration encoding overflow (CVE-2008-1188): an <?xml ... encoding=
# attribute whose quoted value is at least 28 characters. classtype is attempted-admin, unlike the rest of
# this section.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Web Start xml encoding buffer overflow attempt"; flow:to_client,established; file_data; content:"<?xml"; nocase; content:"encoding"; distance:0; nocase; pcre:"/^<\x3Fxml[^>]+?encoding\s*=\s*(\x22[^\x22]{28}|\x27[^\x27]{28})/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28083; reference:cve,2008-1188; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-66-233323-1; classtype:attempted-admin; sid:15081; rev:14;)
# sid:13950 -- disabled. JNLP <j2se> initial-heap-size / max-heap-size attribute with a 50+ character
# unquoted run (CVE-2008-3111). No flowbits gate; HTTP only. Sibling for java-vm-args: sid:17631.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Web Start JNLP attribute buffer overflow attempt"; flow:to_client,established; file_data; content:"<j2se"; nocase; pcre:"/\x3cj2se[^\x3e]*(initial|max)-heap-size\s*\x3d\s*(\x22|\x27)[^\x22\x27]{50}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30148; reference:cve,2008-3111; classtype:attempted-user; sid:13950; rev:14;)
# sid:35469 -- enabled. Sandbox bypass via com/sun/naming/internal/VersionHelper.loadClass (CVE-2014-0422):
# a .class file (file.class flowbit) referencing the VersionHelper class name with "loadClass" within 50
# bytes of it. classtype policy-violation; drops in balanced, connectivity and security policies.
# Scoped to $HTTP_PORTS / service http only, narrower than most siblings that use $FILE_DATA_PORTS.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/sun/naming/internal/VersionHelper"; content:"loadClass"; within:50; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2014-0422; classtype:policy-violation; sid:35469; rev:1;)
# sid:35468 -- disabled. CVE-2014-0422 variant keyed on com/sun/naming/internal/ResourceManager with
# "getFactory" within 50 bytes. NOTE(review): the msg still says "VersionHelper loadClass" although this
# rule matches ResourceManager.getFactory; an analyst triaging the alert would be pointed at the wrong API.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/sun/naming/internal/ResourceManager"; content:"getFactory"; within:50; metadata:service http; reference:cve,2014-0422; classtype:policy-violation; sid:35468; rev:2;)
# sid:35467 -- disabled. Same as sid:35468 but for "getFactories". Note that "getFactory" (sid:35468) is a
# prefix of "getFactories", so a sample hitting this rule also hits the other when both are enabled.
# The msg carries the same VersionHelper/loadClass wording mismatch as sid:35468.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/sun/naming/internal/ResourceManager"; content:"getFactories"; within:50; metadata:service http; reference:cve,2014-0422; classtype:policy-violation; sid:35467; rev:2;)
# sid:36240 -- enabled. System.arraycopy race condition (CVE-2014-0456), client-bound: one fixed 32-byte
# run (fast-pattern only) in file_data, no flowbits gate. Drops in balanced, connectivity and security
# policies. SMTP twin: sid:36239.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java System.arraycopy race condition attempt"; flow:to_client,established; file_data; content:"|33 00 21 00 35 00 28 00 00 00 09 00 04 00 19 42 07 00 2A 03 00 02 00 2B 00 00 00 02 00 2C 00 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0456; classtype:attempted-user; sid:36240; rev:1;)
# sid:36239 -- enabled. SMTP (to_server, port 25) twin of sid:36240 for CVE-2014-0456; same 32-byte
# pattern inspected in the decoded file_data buffer of inbound mail.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java System.arraycopy race condition attempt"; flow:to_server,established; file_data; content:"|33 00 21 00 35 00 28 00 00 00 09 00 04 00 19 42 07 00 2A 03 00 02 00 2B 00 00 00 02 00 2C 00 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0456; classtype:attempted-user; sid:36239; rev:1;)
# sid:36525 -- disabled. TrueType 'mort' ligature-subtable overflow, SMTP direction: a 32-byte run made of
# the 4-byte value 44 40 00 02 repeated eight times. classtype attempted-dos; no CVE, only the Oracle
# April-2013 CPU advisory URL. Client-bound twin: sid:36524.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt"; flow:to_server,established; file_data; content:"|44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02|"; fast_pattern:only; metadata:service smtp; reference:url,oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-dos; sid:36525; rev:1;)
# sid:36524 -- disabled. Client-bound twin of sid:36525 (same repeated 44 40 00 02 pattern). Not gated on
# a font flowbit, so a repeated 4-byte value in any downloaded file would match; likely why it is off.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt"; flow:to_client,established; file_data; content:"|44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-dos; sid:36524; rev:1;)
# sid:37665 -- enabled. ServiceLoader exception-handling exploit (CVE-2014-0457, bugtraq 66866) in a JAR
# attachment (file.jar flowbit) sent to an SMTP server: one fixed 32-byte run in file_data. Drops in the
# balanced, max-detect and security policies. Client-bound twin: sid:37664.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|87 07 32 79 2B 0E 02 62 0A 46 C6 50 F5 B4 F0 8F FB 22 CE 68 1A 47 AD 18 2C 2F 4A 13 5F BE 56 46|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,66866; reference:cve,2014-0457; classtype:attempted-user; sid:37665; rev:3;)
# sid:37664 -- enabled. Client-bound (ftp-data/http/imap/pop3) twin of sid:37665 for CVE-2014-0457; same
# 32-byte JAR signature and the same drop policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|87 07 32 79 2B 0E 02 62 0A 46 C6 50 F5 B4 F0 8F FB 22 CE 68 1A 47 AD 18 2C 2F 4A 13 5F BE 56 46|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66866; reference:cve,2014-0457; classtype:attempted-user; sid:37664; rev:3;)
# sid:37821 -- disabled. ImagingLib.lookupByteBI memory corruption (CVE-2013-2470), .class over SMTP:
# requires the java/awt/image/LookupOp class reference (fast-pattern), a constant-pool "filter" name and a
# fixed 16-byte bytecode run. Three further rules cover the same CVE: sid:37820 (client-bound .class),
# sid:37819 and sid:37818 (JAR entry names).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/image/LookupOp"; fast_pattern:only; content:"|01 00 06|filter|01 00|"; content:"|02 00 11 02 00 07 BC 0A 59 03 12 03 4F 59 04 12|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:37821; rev:1;)
# sid:37820 -- disabled. Client-bound .class twin of sid:37821 (CVE-2013-2470); identical content checks,
# metadata widened to ftp-data/http/imap/pop3.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/image/LookupOp"; fast_pattern:only; content:"|01 00 06|filter|01 00|"; content:"|02 00 11 02 00 07 BC 0A 59 03 12 03 4F 59 04 12|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:37820; rev:1;)
# sid:37819 -- disabled. JAR-level indicator for CVE-2013-2470 over SMTP: an entry named "More_work.class"
# (fast-pattern) plus a case-insensitive META-INF/MANIFEST.MF. Filename-based, so it only catches the one
# sample family that used that class name; the bytecode rules (sid:37821/37820) are the durable ones.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"More_work.class"; fast_pattern:only; content:"META-INF/MANIFEST.MF"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:37819; rev:1;)
# sid:37818 -- disabled. Client-bound twin of sid:37819 ("More_work.class" JAR entry, CVE-2013-2470).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"More_work.class"; fast_pattern:only; content:"META-INF/MANIFEST.MF"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:37818; rev:1;)
# sid:37805 -- disabled. IntegerInterleavedRaster integer overflow, JAR over SMTP: one fixed 32-byte run
# (file.jar flowbit). References three CVEs (2013-2471, 2013-2473, 2014-4262) and two Oracle advisories,
# i.e. the same sample signature is reused across related raster bugs. Client-bound twin: sid:37804.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|4D CC CB 4C 4B 2D 2E D1 0D 4B 2D 2A CE CC CF B3 52 30 D4 33 E0 E5 72 2E 4A 4D 2C 49 4D D1 75 AA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,60659; reference:cve,2013-2471; reference:cve,2013-2473; reference:cve,2014-4262; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; reference:url,www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html; classtype:attempted-user; sid:37805; rev:3;)
# sid:37804 -- disabled. Client-bound twin of sid:37805 (same 32-byte JAR signature and CVE set).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|4D CC CB 4C 4B 2D 2E D1 0D 4B 2D 2A CE CC CF B3 52 30 D4 33 E0 E5 72 2E 4A 4D 2C 49 4D D1 75 AA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60659; reference:cve,2013-2471; reference:cve,2013-2473; reference:cve,2014-4262; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; reference:url,www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html; classtype:attempted-user; sid:37804; rev:3;)
# sid:37803 -- disabled. Behavioural .class variant for CVE-2013-2471 over SMTP: a WritableRaster field
# descriptor (fast-pattern), a setSecurityManager reference, and Raster followed by createWritableRaster
# (distance:0 chain). The setSecurityManager content is what ties the raster bug to a sandbox-escape
# payload. Client-bound twin: sid:37802.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"Ljava/awt/image/WritableRaster|3B|"; fast_pattern:only; content:"setSecurityManager"; content:"java/awt/image/Raster"; distance:0; content:"createWritableRaster"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,60659; reference:cve,2013-2471; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:37803; rev:2;)
# sid:37802 -- disabled. Client-bound twin of sid:37803 (WritableRaster / setSecurityManager /
# createWritableRaster chain, CVE-2013-2471).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"Ljava/awt/image/WritableRaster|3B|"; fast_pattern:only; content:"setSecurityManager"; content:"java/awt/image/Raster"; distance:0; content:"createWritableRaster"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60659; reference:cve,2013-2471; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:37802; rev:2;)
# sid:38339 -- disabled. Class-loader namespace sandbox bypass (CVE-2013-5838), .class over SMTP: five
# plain content matches (loadClass, findStatic, MethodHandles$Lookup, getContext, invokeExact) with no
# distance/within ordering and no explicit fast_pattern, so they may appear anywhere in the class file.
# Security-policy drop only. Client-bound twin: sid:38338.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Class Loader namespace sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"loadClass"; content:"findStatic"; content:"java/lang/invoke/MethodHandles$Lookup"; content:"getContext"; content:"invokeExact"; metadata:policy security-ips drop, service smtp; reference:bugtraq,63131; reference:cve,2013-5838; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html; classtype:attempted-user; sid:38339; rev:1;)
# sid:38338 -- disabled. Client-bound twin of sid:38339 (CVE-2013-5838); same five unordered content
# matches, security-policy drop only.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Class Loader namespace sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"loadClass"; content:"findStatic"; content:"java/lang/invoke/MethodHandles$Lookup"; content:"getContext"; content:"invokeExact"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,63131; reference:cve,2013-5838; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html; classtype:attempted-user; sid:38338; rev:1;)
# sid:39355 -- disabled. RangeStatisticImpl sandbox breach (CVE-2012-5076) over SMTP: "StatisticImpl"
# (fast-pattern) and "invoke", then a pcre restricting the class to one of the seven *StatisticImpl names.
# No flowbits gate, so it applies to any inbound mail body. Client-bound twin: sid:39354.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java RangeStatisticImpl sandbox breach attempt"; flow:to_server,established; file_data; content:"StatisticImpl"; fast_pattern:only; content:"invoke"; nocase; pcre:"/(AverageRange|Boundary|BoundedRange|Count|Range|String|Time)StatisticImpl/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,56054; reference:cve,2012-5076; classtype:attempted-user; sid:39355; rev:1;)
# sid:39354 -- disabled. Client-bound twin of sid:39355 (CVE-2012-5076 *StatisticImpl / invoke).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java RangeStatisticImpl sandbox breach attempt"; flow:to_client,established; file_data; content:"StatisticImpl"; fast_pattern:only; content:"invoke"; nocase; pcre:"/(AverageRange|Boundary|BoundedRange|Count|Range|String|Time)StatisticImpl/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56054; reference:cve,2012-5076; classtype:attempted-user; sid:39354; rev:1;)
# sid:45259 -- disabled. Java "strlen" denial of service, .class over SMTP: one fixed 32-byte run whose
# tail decodes to the ASCII constant-pool strings "BCTestApplet" and "java" (a test-harness class name),
# i.e. a single-sample signature. No CVE; classtype denial-of-service. Twins: sid:45258 (client-bound),
# sid:45347/45346 (second pattern).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java strlen denial of service attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"|2E 2E 07 00 19 0C 00 1A 00 1B 01 00 0C 42 43 54 65 73 74 41 70 70 6C 65 74 01 00 12 6A 61 76 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,www.oracle.com/technetwork/java/index.html; classtype:denial-of-service; sid:45259; rev:1;)
# sid:45258 -- disabled. Client-bound twin of sid:45259 (same "BCTestApplet" constant-pool signature).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java strlen denial of service attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|2E 2E 07 00 19 0C 00 1A 00 1B 01 00 0C 42 43 54 65 73 74 41 70 70 6C 65 74 01 00 12 6A 61 76 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.oracle.com/technetwork/java/index.html; classtype:denial-of-service; sid:45258; rev:1;)
# sid:45351 -- disabled. IBM Java sandbox bypass (CVE-2012-4820), client-bound .class: the
# com/ibm/rmi/util/ProxyUtil class reference (fast-pattern) plus the "invokeWithPrivilege" method name,
# both in file_data. No drop policy assigned. SMTP twin: sid:45349; invokeWithClassLoaders variant: sid:45350.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA IBM Java invokeWithPrivilege method call attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/ibm/rmi/util/ProxyUtil"; fast_pattern:only; content:"invokeWithPrivilege"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-4820; classtype:attempted-user; sid:45351; rev:1;)
# sid:45350 -- disabled. As sid:45351 but for the "invokeWithClassLoaders" method of the same ProxyUtil
# class (CVE-2012-4820), client-bound, inspected in file_data. SMTP twin: sid:45348.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA IBM Java invokeWithClassLoaders method call attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/ibm/rmi/util/ProxyUtil"; fast_pattern:only; content:"invokeWithClassLoaders"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-4820; classtype:attempted-user; sid:45350; rev:1;)
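# sid:45349 -- disabled. SMTP (to_server) twin of sid:45351: ProxyUtil class reference (fast-pattern) plus
# "invokeWithPrivilege" in a .class attachment (CVE-2012-4820).
# Fix: the original omitted file_data, so the two content matches ran against the raw SMTP payload (where
# attachments are normally MIME/base64 encoded) instead of the decoded file buffer that the client-bound
# twin inspects, and could not fire on a real attachment. file_data added before the contents; rev bumped
# to 2. Rule left commented out, as it was.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA IBM Java invokeWithPrivilege method call attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"com/ibm/rmi/util/ProxyUtil"; fast_pattern:only; content:"invokeWithPrivilege"; metadata:service smtp; reference:cve,2012-4820; classtype:attempted-user; sid:45349; rev:2;)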
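# sid:45348 -- disabled. SMTP (to_server) twin of sid:45350: ProxyUtil class reference (fast-pattern) plus
# "invokeWithClassLoaders" in a .class attachment (CVE-2012-4820).
# Fix (two defects in the original line): (1) the source port was $FILE_DATA_PORTS although this is a
# to_server rule to port 25 -- an SMTP client's source port is ephemeral, so the rule could essentially
# never match; every other SMTP rule in this section, including its sibling sid:45349, uses "any".
# (2) file_data was missing, so the contents were matched against the raw (MIME-encoded) SMTP payload
# rather than the decoded attachment. Both corrected, rev bumped to 2; rule left commented out, as it was.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA IBM Java invokeWithClassLoaders method call attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"com/ibm/rmi/util/ProxyUtil"; fast_pattern:only; content:"invokeWithClassLoaders"; metadata:service smtp; reference:cve,2012-4820; classtype:attempted-user; sid:45348; rev:2;)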
# sid:45347 -- disabled. Second "strlen" denial-of-service pattern, .class over SMTP: a fixed 32-byte
# bytecode/attribute run (starts with getstatic B2 00 02 / ldc 12 03 / invokevirtual B6 00 04). No CVE.
# Client-bound twin: sid:45346; first pattern: sid:45259/45258.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java strlen denial of service attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"|B2 00 02 12 03 B6 00 04 CA 00 00 00 01 00 0A 00 00 00 0A 00 02 00 00 00 0C 00 08 00 0D 00 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,www.oracle.com/technetwork/java/index.html; classtype:denial-of-service; sid:45347; rev:1;)
# sid:45346 -- disabled. Client-bound twin of sid:45347 (same 32-byte "strlen" DoS bytecode signature).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java strlen denial of service attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|B2 00 02 12 03 B6 00 04 CA 00 00 00 01 00 0A 00 00 00 0A 00 02 00 00 00 0C 00 08 00 0D 00 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.oracle.com/technetwork/java/index.html; classtype:denial-of-service; sid:45346; rev:1;)
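# sid:49117 -- disabled. JPEGImageWriter memory corruption (CVE-2013-2429), client-bound JAR (file.jar
# flowbit): one fixed 24-byte bytecode run as the only fast-pattern. No drop policy assigned.
# Fix: the original had no file_data, so the bytes were searched in the raw stream rather than the decoded
# file buffer that every other file.jar rule in this section (e.g. sid:49255) inspects; for imap/pop3
# transfers the raw stream is MIME-encoded and cannot contain them. file_data added after the flowbits
# check, rev bumped to 2; rule left commented out, as it was. SMTP twin: sid:49116.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JPEGImageWriter memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|11 01 90 A4 00 20 19 04 01 BB 00 16 59 2D 01 01 B7 00 17 BB 00 1B 59 B8|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-2429; classtype:attempted-user; sid:49117; rev:2;)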
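# sid:49116 -- disabled. SMTP (to_server) twin of sid:49117 for CVE-2013-2429: same 24-byte bytecode run
# in a JAR attachment (file.jar flowbit).
# Fix: file_data was missing, so the content was matched against the raw (MIME/base64-encoded) SMTP
# payload instead of the decoded attachment, unlike the other SMTP JAR rules here (sid:37665, sid:49256).
# file_data added, rev bumped to 2; rule left commented out, as it was.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JPEGImageWriter memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|11 01 90 A4 00 20 19 04 01 BB 00 16 59 2D 01 01 B7 00 17 BB 00 1B 59 B8|"; fast_pattern:only; metadata:service smtp; reference:cve,2013-2429; classtype:attempted-user; sid:49116; rev:2;)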
# sid:49256 -- enabled. ImagingLib buffer overflow (CVE-2013-2463) in a JAR attachment sent to an SMTP
# server: one fixed 16-byte run in file_data (file.jar flowbit). Drops in balanced, max-detect and
# security policies. Client-bound twin: sid:49255.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|F5 CD D8 30 4C 75 13 CF 30 F3 3B FC E0 F3 0E F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2463; classtype:attempted-user; sid:49256; rev:1;)
# sid:49255 -- enabled. Client-bound (ftp-data/http/imap/pop3) twin of sid:49256 for CVE-2013-2463; same
# 16-byte JAR signature and drop policies. A 16-byte exact match is short enough that a false positive on
# unrelated compressed data is possible; the file.jar gate is what keeps it specific.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|F5 CD D8 30 4C 75 13 CF 30 F3 3B FC E0 F3 0E F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2463; classtype:attempted-user; sid:49255; rev:1;)
# sid:49846 -- disabled. Privileged ProtectionDomain exploitation (CVE-2012-4681), client-bound .class:
# requires java/security/ProtectionDomain (fast-pattern), a "file:///" URL, AccessControlContext,
# getField, the "execute"/"getValue" constant-pool pair and java/awt/Graphics -- six unordered contents
# describing the classic reflection-based sandbox escape. classtype attempted-admin. SMTP twin: sid:49845.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/security/ProtectionDomain"; fast_pattern:only; content:"file|3A 2F 2F 2F|"; content:"java/security/AccessControlContext"; content:"getField"; content:"execute|01 00 08|getValue"; content:"java/awt/Graphics"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:49846; rev:1;)
# sid:49845 -- disabled. SMTP (to_server) twin of sid:49846 for CVE-2012-4681; identical six content
# checks against the decoded .class attachment (file.class flowbit, file_data).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/security/ProtectionDomain"; fast_pattern:only; content:"file|3A 2F 2F 2F|"; content:"java/security/AccessControlContext"; content:"getField"; content:"execute|01 00 08|getValue"; content:"java/awt/Graphics"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:49845; rev:1;)